summaryrefslogtreecommitdiffstats
path: root/Lib/http
Commit message (Collapse)AuthorAgeFilesLines
* gh-76007: Deprecate `__version__` attribute in `http.server` (#142658)Hugo van Kemenade2025-12-131-4/+11
| | | | Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
* gh-119451: Fix a potential denial of service in http.client (GH-119454)Serhiy Storchaka2025-12-011-4/+24
| | | | | | | | Reading the whole body of the HTTP response could cause OOM if the Content-Length value is too large even if the server does not send a large amount of data. Now the HTTP client reads large data by chunks, therefore the amount of consumed memory is proportional to the amount of sent data.
* gh-139434: Update selected RFC 2822 references to RFC 5322 (#139435)Filip Łajszczak2025-11-041-2/+2
| | | | | | | | | | | | | | | | Update selected RFC 2822 references to RFC 5322 RFC 2822 was obsoleted by RFC 5322 in 2008. This updates references to use the current standard in documentation, docstrings, and comments. It preserves RFC 2822 references in legacy API components to maintain their historical context. RFC 822 → RFC 2822 → RFC 5322 progression is explained where relevant. In some places specific sections of RFC are referenced where it seems helpful. Scout rule was applied in some places and RFC mentions format was normalized in doc strings and comments.
* gh-57665: Remove 'response_class' from getresponse docstring. (#140707)R. David Murray2025-10-311-2/+1
| | | | | | | | | Remove 'response_class' from getresponse docstring. This variable is not documented as part of the API in the standard library documentation; it should be considered as an implementation detail and as such should not be included in the doc string. Closes #57665.
* gh-70765: avoid waiting for HTTP headers when parsing HTTP/0.9 requests ↵Bénédikt Tran2025-10-051-0/+7
| | | | (#139514)
* gh-92936: allow double quote in cookie values (#113663)Nick Burns2025-08-081-1/+1
| | | | | | * allow double quote in cookie values * Update Lib/test/test_http_cookies.py Co-authored-by: Senthil Kumaran <senthil@python.org>
* gh-131724: Add a new max_response_headers param to HTTP/HTTPSConnection ↵Alexander Urieles2025-07-201-15/+25
| | | | | | (GH-136814) Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Petr Viktorin <encukou@gmail.com>
* gh-127319: Disable port reuse on HTTP, XMLRPC, and logging TCP servers ↵Jeremy Cline2025-06-151-1/+1
| | | | | | | | | | | (GH-135405) Prior to issue #120485 these servers did not allow port reuse, which makes sense as the behavior of port reuse is surprising if you're not expecting it. It's unclear to me why these services were switched to allow port reuse, but I believe the desired behavior (unless subclasses opt in) is to not allow port reuse. See also: https://bugzilla.redhat.com/show_bug.cgi?id=2323170
* gh-134168: fix `http.server` CLI support for IPv6 and `--directory` when ↵ggqlq2025-05-241-4/+11
| | | | serving over HTTPS (#134169)
* gh-131178: Add tests for `http.server` command-line interface (#132540)ggqlq2025-05-191-2/+6
|
* gh-133889: Only show the path of the URL in the SimpleHTTPRequestHandler ↵Serhiy Storchaka2025-05-181-2/+5
| | | | | | page (GH-134135) The query and fragment are ambiguous and not used.
* gh-133810: remove `http.server.CGIHTTPRequestHandler` and `--cgi` flag (#133811)Bénédikt Tran2025-05-172-354/+7
| | | The CGI HTTP request handler has been deprecated since Python 3.13.
* gh-134098: Fix handling %-encoded trailing slash in SimpleHTTPRequestHandler ↵Serhiy Storchaka2025-05-171-4/+4
| | | | (GH-134099)
* gh-130645: Add color to stdlib argparse CLIs (gh-133380)Hugo van Kemenade2025-05-051-1/+1
|
* gh-130631: Make join_header_words() more similar to the original Perl ↵Serhiy Storchaka2025-04-091-5/+6
| | | | | | | | | | version (GH-130632) * Always quote strings with non-ASCII characters. * Allow some non-separator and non-control characters (like "." or "-") be unquoted. * Always quote strings that end with "\n". * Use the fullmatch() method for clarity and optimization.
* Docs: Replace dead hyperlink for CGI environment variables (#132137)Srinivas Reddy Thatiparthy (తాటిపర్తి శ్రీనివాస్ రెడ్డి)2025-04-061-1/+1
|
* gh-85162: Add `HTTPSServer` to `http.server` to serve files over HTTPS ↵Semyon Moroz2025-04-051-6/+82
| | | | | | | (#129607) The `http.server` module now supports serving over HTTPS using the `http.server.HTTPSServer` class. This functionality is also exposed by the command-line interface (`python -m http.server`) through the `--tls-cert`, `--tls-key` and `--tls-password-file` options.
* gh-128982: Revert "#128982: Substitute regular expression in ↵Petr Viktorin2025-02-261-1/+1
| | | | | | | | | http.cookiejar.join_header_words for an efficient alternative (GH-128983)" and add tests (GH-130584) * Revert "gh-128982: Substitute regular expression in `http.cookiejar.join_header_words` for an efficient alternative (GH-128983)" This reverts commit 56e190068177855266f32a7efa329d145b279f94. * Add tests
* gh-128982: Substitute regular expression in ↵Bénédikt Tran2025-02-261-1/+1
| | | | | | | `http.cookiejar.join_header_words` for an efficient alternative (GH-128983) The function does not anymore rely on a regular expression to find alphanumeric characters and underscores.
* gh-129408: http: Fix typo 'RFF' to RFC' in documentation (#129411)Samuel GIFFARD2025-01-281-1/+1
|
* gh-112064: Fix incorrect handling of negative read sizes in ↵Yury Manushkin2025-01-281-1/+3
| | | | | | | | `HTTPResponse.read()` (#128270) The parameter `amt` of `HTTPResponse.read()`, which could be a negative integer, has not been handled before and led to waiting for the connection to close for `keep-alive connections`. Now, this has been fixed, and passing negative values to `HTTPResponse().read()` works the same as passing `None` value.
* gh-112713 : Add support for 'partitioned' attribute in http.cookies (GH-112714)Giles Copp2025-01-241-1/+2
| | | | | | | * Add support for 'partitioned' attribute in http.cookies Co-authored-by: Giles Copp <gilesc@dropbox.com> Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
* gh-127089: Add missing description for codes in `http.HTTPStatus` (#127100)donBarbos2024-12-271-15/+26
| | | | Co-authored-by: Ethan Furman <ethan@stoneleaf.us> Co-authored-by: Andrew Svetlov <andrew.svetlov@gmail.com>
* Remove incorrect imports rationale comment in `http.server` (#128278)Moshe Kaplan2024-12-261-1/+1
| | | Remove reference to gethostbyaddr(), because it's not actually used within this code.
* gh-123401: Fix http.cookies module to support obsolete RFC 850 date format ↵Nano2024-12-111-2/+4
| | | | | | | (#123405) Co-authored-by: Wulian <1055917385@qq.com> Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> Co-authored-by: Victor Stinner <vstinner@python.org>
* gh-126156: Improve performance of creating `Morsel` objects (#126157)J. Nick Koston2024-10-311-2/+3
| | | Replaces the manually constructed loop with a call to `dict.update`
* gh-123430: Add dark mode support to pages generated by http.server (#123475)Yorik Hansen2024-09-031-0/+6
| | | | | | Co-authored-by: Peter Bierma <zintensitydev@gmail.com> Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Victor Stinner <vstinner@python.org>
* gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with ↵Serhiy Storchaka2024-08-171-26/+8
| | | | | | backslashes (GH-123075) This fixes CVE-2024-7592.
* gh-121905: Consistently use "floating-point" instead of "floating point" ↵Serhiy Storchaka2024-07-191-1/+1
| | | | (GH-121907)
* gh-120485: Add an override of `allow_reuse_port` on classes subclassing ↵Idan Kapustian2024-06-161-1/+2
| | | | | `socketserver.TCPServer` (GH-120488) Co-authored-by: Vinay Sajip <vinay_sajip@yahoo.co.uk>
* Remove almost all unpaired backticks in docstrings (#119231)Geoffrey Thomas2024-05-222-6/+6
| | | | | | | | | | | | | | | | | | As reported in #117847 and #115366, an unpaired backtick in a docstring tends to confuse e.g. Sphinx running on subclasses of standard library objects, and the typographic style of using a backtick as an opening quote is no longer in favor. Convert almost all uses of the form The variable `foo' should do xyz to The variable 'foo' should do xyz and also fix up miscellaneous other unpaired backticks (extraneous / missing characters). No functional change is intended here other than in human-readable docstrings.
* gh-66543: Add mimetypes.guess_file_type() (GH-117258)Serhiy Storchaka2024-05-061-1/+1
|
* gh-102247: http: support rfc9110 status codes (GH-117611)Michiel W. Beijen2024-04-131-9/+11
| | | | | | | | | | | | | | | | | | | | rfc9110 obsoletes the earlier rfc 7231. This document also includes some status codes that were previously only used for WebDAV and assigns more generic names to these status codes. ref: https://www.rfc-editor.org/rfc/rfc9110.html#name-changes-from-rfc-7231 - http.HTTPStatus.CONTENT_TOO_LARGE (413, previously REQUEST_ENTITY_TOO_LARGE) - http.HTTPStatus.URI_TOO_LONG (414, previously REQUEST_URI_TOO_LONG) - http.HTTPStatus.RANGE_NOT_SATISFYABLE (416, previously REQUEST_RANGE_NOT_SATISFYABLE) - http.HTTPStatus.UNPROCESSABLE_CONTENT (422, previously UNPROCESSABLE_ENTITY) The new constants are added to http.HTTPStatus and the old constant names are preserved for backwards compatibility. References in documentation to the obsoleted rfc 7231 are updated
* gh-100985: Consistently wrap IPv6 IP address during CONNECT (GH-100986)Derek Higgins2024-02-171-5/+10
| | | | | | Update _get_hostport to always remove square brackets from IPv6 addresses. Then add them if needed in "CONNECT .." and "Host: ".
* gh-113199: Make read1() and readline() of HTTPResponse close IO after ↵Illia Volochii2023-12-181-0/+4
| | | | reading all data (GH-113200)
* gh-73561: Omit interface scope from IPv6 when used as Host header (#93324)Michael2023-11-191-2/+10
| | | | | | | Omit the `@interface_scope` from an IPv6 address when used as Host header by `http.client`. --------- Co-authored-by: Gregory P. Smith <greg@krypto.org> [Google LLC]
* gh-109096: Deprecate `http.server.CGIHTTPRequestHandler` (#109387)Gregory P. Smith2023-09-151-6/+12
| | | | | Deprecate `http.server.CGIHTTPRequestHandler`. Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
* gh-105626: Change the default return value of ↵Nikita Sobolev2023-07-141-3/+2
| | | | `HTTPConnection.get_proxy_response_headers` (#105628)
* gh-104924: Fix `read()able` in `http.client` log messages (gh-104926)Oleg Iarygin2023-05-261-2/+2
|
* gh-69152: add method get_proxy_response_headers to HTTPConnection class ↵Alexey Namyotkin2023-05-161-8/+29
| | | | | | | | | | (#104248) Add http.client.HTTPConnection method get_proxy_response_headers() - this is a followup to https://github.com/python/cpython/pull/26152 which added it as a non-public attribute. This way we don't pre-compute a headers dictionary that most users will never access. The new method is properly public and documented and triggers full proxy header parsing into a dict only when actually called. --------- Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
* gh-103204: `http.server` - Enforce that HTTP version numbers must consist ↵Ben Kallus2023-05-121-0/+4
| | | | | | | | | | only of digits (#103205) Reject HTTP requests with invalid http/x.y version numbers: x or y being non-digits or too-long. --------- Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net> Co-authored-by: Gregory P. Smith <greg@krypto.org>
* gh-69152: Add _proxy_response_headers attribute to HTTPConnection (#26152)Alexey Namyotkin2023-05-051-11/+7
| | | | | | | Add _proxy_response_headers attribute to HTTPConnection (#26152) --------- Co-authored-by: Senthil Kumaran <senthil@python.org>
* gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler ↵Ethan Furman2023-05-031-1/+1
| | | | | | | | | | (#104067) Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure) --------- Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
* GH-103472: close response in HTTPConnection._tunnel (#103473)Thomas Grainger2023-05-021-15/+18
| | | | | | | | Avoid a potential `ResourceWarning` in `http.client.HTTPConnection` by closing the proxy / tunnel's CONNECT response explicitly. --------- Co-authored-by: Gregory P. Smith <greg@krypto.org>
* GH-103857: Deprecate utcnow and utcfromtimestamp (#103858)Paul Ganssle2023-04-271-4/+4
| | | | | Using `datetime.datetime.utcnow()` and `datetime.datetime.utcfromtimestamp()` will now raise a `DeprecationWarning`. We also have removed our internal uses of these functions and documented the change.
* gh-66897: Upgrade HTTP CONNECT to protocol HTTP/1.1 (#8305)Michael Handler2023-04-051-6/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * bpo-22708: Upgrade HTTP CONNECT to protocol HTTP/1.1 (GH-NNNN) Use protocol HTTP/1.1 when sending HTTP CONNECT tunnelling requests; generate Host: headers if one is not already provided (required by HTTP/1.1), convert IDN domains to punycode in HTTP CONNECT requests. * Refactor tests to pass under -bb (fix ByteWarnings); missed some lines >80. * Use consistent 'tunnelling' spelling in Lib/http/client.py * Lib/test/test_httplib: Remove remnant of obsoleted test. * Use dict.copy() not copy.copy() * fix version changed * Update Lib/http/client.py Co-authored-by: bgehman <bgehman@users.noreply.github.com> * Switch to for/else: syntax, as suggested * Don't use for: else: * Sure, fine, w/e * Oops * 1nm to the left --------- Co-authored-by: Éric <merwok@netwok.org> Co-authored-by: bgehman <bgehman@users.noreply.github.com> Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
* gh-103112: Add http.client.HTTPResponse.read docstring and fix pydoc output ↵Bernhard Wagner2023-03-291-0/+1
| | | | | | | (#103113) Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu> Co-authored-by: Éric <merwok@netwok.org>
* gh-91219: http - use subclassing to override index_pages attribute (GH-100731)Ethan Furman2023-01-031-4/+2
| | | Remove previously added parameter to `__init__`, and recommend subclassing to modify the `index_pages` attribute instead.
* gh-100519: simplification to `eff_request_host` in cookiejar.py (#99588)Glyph2022-12-251-1/+1
| | | | | `IPV4_RE` includes a `.`, and the `.find(".") == -1` included here is already testing to make sure there's no dot, so this part of the expression is tautological. Instead use more modern `in` syntax to make it clear what the check is doing here. The simplified implementation more clearly matches the wording in RFC 2965. Co-authored-by: hauntsaninja <hauntsaninja@gmail.com>
* gh-100474: Fix handling of dirs named index.html in http.server (GH-100475)James Frost2022-12-241-1/+1
| | | | | | | If you had a directory called index.html or index.htm within a directory, it would cause http.server to return a 404 Not Found error instead of the directory listing. This came about due to not checking that the index was a regular file. I have also added a test case for this situation. Automerge-Triggered-By: GH:merwok
generated by cgit v0.12 at 2026-01-15 20:30:54 (GMT)