summaryrefslogtreecommitdiffstats
path: root/Lib/http
Commit message (Collapse)AuthorAgeFilesLines
* bpo-39603: Prevent header injection in http methods (GH-18485)Miss Islington (bot)2020-07-181-0/+15
| | | | | | reject control chars in http method in http.client.putrequest to prevent http header injection (cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e) Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
* bpo-39481: PEP 585 for a variety of modules (GH-19423)Batuhan Taşkaya2020-04-101-0/+3
| | | | | | | | | | - concurrent.futures - ctypes - http.cookies - multiprocessing - queue - tempfile - unittest.case - urllib.parse
* bpo-40094: CGIHTTPRequestHandler logs exit code (GH-19285)Victor Stinner2020-04-021-2/+3
| | | | | | | CGIHTTPRequestHandler of http.server now logs the CGI script exit code, rather than the CGI script exit status of os.waitpid(). For example, if the script is killed by signal 11, it now logs: "CGI script exit code -11."
* bpo-39507: Add HTTP status 418 "I'm a Teapot" (GH-18291)Ross2020-03-151-0/+3
|
* bpo-38576: Disallow control characters in hostnames in http.client (GH-18995)Ashwin Ramaswami2020-03-141-0/+10
| | | | Add host validation for control characters for more CVE-2019-18348 protection.
* bpo-39509: Update HTTP status code to follow IANA (GH-18294)Dong-hee Na2020-03-141-0/+4
| | | Add status codes 103 EARLY_HINTS and 425 TOO_EARLY.
* bpo-35292: Avoid calling mimetypes.init when http.server is imported (GH-17822)An Long2020-01-081-13/+10
|
* bpo-38907: Suppress any exception when attempting to set V6ONLY. (GH-17864)Jason R. Coombs2020-01-061-1/+5
| | | Fixes error attempting to bind to IPv4 address.
* bpo-38907: In http.server script, restore binding to IPv4 on Windows. (GH-17851)Jason R. Coombs2020-01-061-1/+13
|
* bpo-38804: Fix REDoS in http.cookiejar (GH-17157)bcaller2019-11-221-6/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular expression denial of service (REDoS). LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar to parse Set-Cookie headers returned by a server. Processing a response from a malicious HTTP server can lead to extreme CPU usage and execution will be blocked for a long time. The regex contained multiple overlapping \s* capture groups. Ignoring the ?-optional capture groups the regex could be simplified to \d+-\w+-\d+(\s*\s*\s*)$ Therefore, a long sequence of spaces can trigger bad performance. Matching a malicious string such as LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!") caused catastrophic backtracking. The fix removes ambiguity about which \s* should match a particular space. You can create a malicious server which responds with Set-Cookie headers to attack all python programs which access it e.g. from http.server import BaseHTTPRequestHandler, HTTPServer def make_set_cookie_value(n_spaces): spaces = " " * n_spaces expiry = f"1-c-1{spaces}!" return f"b;Expires={expiry}" class Handler(BaseHTTPRequestHandler): def do_GET(self): self.log_request(204) self.send_response_only(204) # Don't bother sending Server and Date n_spaces = ( int(self.path[1:]) # Can GET e.g. /100 to test shorter sequences if len(self.path) > 1 else 65506 # Max header line length 65536 ) value = make_set_cookie_value(n_spaces) for i in range(99): # Not necessary, but we can have up to 100 header lines self.send_header("Set-Cookie", value) self.end_headers() if __name__ == "__main__": HTTPServer(("", 44020), Handler).serve_forever() This server returns 99 Set-Cookie headers. Each has 65506 spaces. Extracting the cookies will pretty much never complete. Vulnerable client using the example at the bottom of https://docs.python.org/3/library/http.cookiejar.html : import http.cookiejar, urllib.request cj = http.cookiejar.CookieJar() opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj)) r = opener.open("http://localhost:44020/") The popular requests library was also vulnerable without any additional options (as it uses http.cookiejar by default): import requests requests.get("http://localhost:44020/") * Regression test for http.cookiejar REDoS If we regress, this test will take a very long time. * Improve performance of http.cookiejar.ISO_DATE_RE A string like "444444" + (" " * 2000) + "A" could cause poor performance due to the 2 overlapping \s* groups, although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.
* bpo-38863: Improve is_cgi() in http.server (GH-17312)Siwon Kang2019-11-221-2/+4
| | | | | | | | | | | | | | | | | | | is_cgi() function of http.server library does not currently handle a cgi script if one of the cgi_directories is located at the sub-directory of given path. Since is_cgi() in CGIHTTPRequestHandler class separates given path into (dir, rest) based on the first seen '/', multi-level directories like /sub/dir/cgi-bin/hello.py is divided into head=/sub, rest=dir/cgi-bin/hello.py then check whether '/sub' exists in cgi_directories = [..., '/sub/dir/cgi-bin']. This patch makes the is_cgi() keep expanding dir part to the next '/' then checking if that expanded path exists in the cgi_directories. Signed-off-by: Siwon Kang <kkangshawn@gmail.com> https://bugs.python.org/issue38863
* bpo-38216, bpo-36274: Allow subclasses to separately override validation and ↵Jason R. Coombs2019-09-281-9/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | encoding behavior (GH-16448) * bpo-38216: Allow bypassing input validation * bpo-36274: Also allow the URL encoding to be overridden. * bpo-38216, bpo-36274: Add tests demonstrating a hook for overriding validation, test demonstrating override encoding, and a test to capture expectation of the interface for the URL. * Call with skip_host to avoid tripping on the host checking in the URL. * Remove obsolete comment. * Make _prepare_path_encoding its own attr. This makes overriding just that simpler. Also, don't use the := operator to make backporting easier. * Add a news entry. * _prepare_path_encoding -> _encode_prepared_path() * Once again separate the path validation and request encoding, drastically simplifying the behavior. Drop the guarantee that all processing happens in _prepare_path.
* bpo-12144: Handle cookies with expires attribute in CookieJar.make_cookies ↵Xtreak2019-09-131-2/+1
| | | | | | | | | | | | | | (GH-13921) Handle time comparison for cookies with `expires` attribute when `CookieJar.make_cookies` is called. Co-authored-by: Demian Brecht <demianbrecht@gmail.com> https://bugs.python.org/issue12144 Automerge-Triggered-By: @asvetlov
* bpo-35640: Allow passing PathLike arguments to SimpleHTTPRequestHandler ↵Géry Ogam2019-09-111-1/+1
| | | | (GH-11398)
* bpo-26589: Add http status code 451 (GH-15413)Raymond Hettinger2019-08-231-0/+5
|
* Correct description of HTTP status code 308. (GH-15078)Florian Wendelborn2019-08-031-1/+1
| | | Permanent redirect was explained as a temporary redirect.
* bpo-37440: Enable TLS 1.3 post-handshake auth in http.client (GH-14448)Christian Heimes2019-07-011-0/+7
| | | | | | Post-handshake authentication is required for conditional client cert authentication with TLS 1.3. https://bugs.python.org/issue37440
* bpo-36793: Remove unneeded __str__ definitions. (GH-13081)Serhiy Storchaka2019-05-061-2/+1
| | | | Classes that define __str__ the same as __repr__ can just inherit it from object.
* bpo-30458: Use InvalidURL instead of ValueError. (GH-13044)Gregory P. Smith2019-05-011-1/+1
| | | Use http.client.InvalidURL instead of ValueError as the new error case's exception.
* bpo-30458: Disallow control chars in http URLs. (GH-12755)Gregory P. Smith2019-05-011-0/+14
| | | Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected.
* bpo-36050: optimize HTTPResponse.read() (GH-12698)Inada Naoki2019-04-061-32/+10
| | | | * No need to chunking for now. * No need to partial read caused by EINTR for now.
* bpo-36522: Print all values for headers with multiple values. (GH-12681)Matt Houglum2019-04-041-2/+2
|
* bpo-35647: Fix path check in cookiejar (#11436)Xtreak2019-03-101-5/+9
| | | | | | | | | | | | * Refactor cookie path check as per RFC 6265 * Add tests for prefix match of path * Add news entry * Fix set_ok_path and refactor tests * Use slice for last letter
* bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258)Xtreak2019-03-101-2/+11
| | | Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan.
* bpo-36043: FileCookieJar supports os.PathLike (GH-11945)Stéphane Wirtel2019-03-011-4/+2
| | | https://bugs.python.org/issue36043
* bpo-24209: In http.server script, rely on getaddrinfo to bind to preferred ↵Jason R. Coombs2019-02-071-10/+20
| | | | | | | address based on the bind parameter. (#11767) In http.server script, rely on getaddrinfo to bind to preferred address based on the bind parameter. As a result, now IPv6 is used as the default (including IPv4 on dual-stack systems). Enhanced tests.
* bpo-34711: Return HTTPStatus.NOT_FOUND if path.endswith('/') and not a ↵Michael Felt2018-12-261-0/+8
| | | | | | | | | | directory (GH-9687) AIX allows a trailing slash on local file system paths, which isn't what we want in http.server. Accordingly, check explicitly for this case in the server code, rather than relying on the OS raising an exception. Patch by Michael Felt.
* Adds IPv6 support when invoking http.server directly. (GH-10595)Lisa Roach2018-11-261-0/+3
|
* bpo-34911: Added support for secure websocket cookies (GH-9734)Paul Bailey2018-10-081-1/+3
|
* bpo-33365: print the header values beside the keys (GH-6611)Marco Strigl2018-06-191-1/+1
| | | | | with debuglevel=1 only the header keys got printed. With this change the header values get printed as well and the single header entries get '\n' as a separator.
* bpo-33663: Convert content length to string before putting to header (GH-7754)ValeriyaSinevich2018-06-181-1/+1
|
* bpo-31639: Change ThreadedHTTPServer to ThreadingHTTPServer class name (GH-7195)Géry Ogam2018-05-291-3/+3
|
* bpo-991266: Fix quoting of Comment attribute of SimpleCookie (GH-6555)Berker Peksag2018-04-221-0/+2
|
* Removed a confusing line from a docstring in http.cookies (GH-6482)Alex Gaynor2018-04-151-2/+1
| | | There's no reason a cookie should _ever_ contain pickled data. That's just asking for a critical security vulnerability. Back in Python2 there were helpers for doing that, but they're no more in Python3. Now coded_value is used when the value needs to be encoded for any reason.
* bpo-29613: Added support for SameSite cookies (GH-6413)Alex Gaynor2018-04-071-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | * bpo-29613: Added support for SameSite cookies Implemented as per draft https://tools.ietf.org/html/draft-west-first-party-cookies-07 * Documented SameSite And suggestions by members. * Missing space :( * Updated News and contributors * Added version changed details. * Fix in documentation * fix in documentation * Clubbed test cases for same attribute into single. * Updates * Style nits + expand tests * review feedback
* bpo-31639: Use threads in http.server module. (GH-5018)Julien Palard2018-03-231-2/+7
|
* bpo-31399: Let OpenSSL verify hostname and IP address (#3462)Christian Heimes2018-01-271-8/+2
| | | | | | | | | | | | | | | bpo-31399: Let OpenSSL verify hostname and IP The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses. * Remove match_hostname calls * Check for libssl with set1_host, libssl must provide X509_VERIFY_PARAM_set1_host() * Add documentation for OpenSSL 1.0.2 requirement * Don't support OpenSSL special mode with a leading dot, e.g. ".example.org" matches "www.example.org". It's not standard conform. * Add hostname_checks_common_name Signed-off-by: Christian Heimes <christian@python.org>
* bpo-32297: Few misspellings found in Python source code comments. (#4803)Mike2017-12-141-1/+1
| | | | | | | | * Fix multiple typos in code comments * Add spacing in comments (test_logging.py, test_math.py) * Fix spaces at the beginning of comments in test_logging.py
* bpo-31945: Configurable blocksize in HTTP(S)Connection (#4279)Nir Soffer2017-11-061-7/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | blocksize was hardcoded to 8192, preventing efficient upload when using file-like body. Add blocksize argument to __init__, so users can configure the blocksize to fit their needs. I tested this uploading data from /dev/zero to a web server dropping the received data, to test the overhead of the HTTPConnection.send() with a file-like object. Here is an example 10g upload with the default buffer size (8192): $ time ~/src/cpython/release/python upload-httplib.py 10 https://localhost:8000/ Uploaded 10.00g in 17.53 seconds (584.00m/s) real 0m17.574s user 0m8.887s sys 0m5.971s Same with 512k blocksize: $ time ~/src/cpython/release/python upload-httplib.py 10 https://localhost:8000/ Uploaded 10.00g in 6.60 seconds (1551.15m/s) real 0m6.641s user 0m3.426s sys 0m2.162s In real world usage the difference will be smaller, depending on the local and remote storage and the network. See https://github.com/nirs/http-bench for more info.
* bpo-30553: Add status code 421 to http.HTTPStatus (GH-2589)Vitor Pereira2017-10-261-0/+3
|
* bpo-31462: Remove trailing whitespaces. (#3564)Serhiy Storchaka2017-09-141-2/+2
|
* bpo-31370: Remove support for threads-less builds (#3385)Antoine Pitrou2017-09-071-4/+1
| | | | | | * Remove Setup.config * Always define WITH_THREAD for compatibility.
* bpo-28707: Add the directory parameter to ↵Stéphane Wirtel2017-05-241-2/+13
| | | | | | | | http.server.SimpleHTTPRequestHandler and http.server module (#1776) * bpo-28707: call the constructor of SimpleHTTPRequestHandler in the test with a mock object * bpo-28707: Add the directory parameter to http.server.SimpleHTTPRequestHandler and http.server module
* Remove duplicate line in Lib/http/client.py (#1665)remitamine2017-05-191-1/+0
|
* bpo-30166: Import command-line parsing modules only when needed. (#1293)Serhiy Storchaka2017-05-041-1/+2
|
* bpo-30144: Import collections ABC from collections.abc rather than ↵Serhiy Storchaka2017-04-241-2/+2
| | | | collections. (#1263)
* bpo-29654 : Support If-Modified-Since HTTP header (browser cache) (#298)Pierre Quentel2017-04-021-4/+35
| | | | Return 304 response if file was not modified.
* Issue #29192: Removed deprecated features in the http.cookies module.Serhiy Storchaka2017-01-131-29/+1
|
* Remove unused imports.Serhiy Storchaka2016-12-161-1/+0
|
* Issue #28548: Parse HTTP request version even if too many words receivedMartin Panter2016-11-191-15/+18
|