summaryrefslogtreecommitdiffstats
path: root/Lib/http
Commit message (Collapse)AuthorAgeFilesLines
* gh-127089: Add missing description for codes in `http.HTTPStatus` (#127100)donBarbos2024-12-271-15/+26
| | | | Co-authored-by: Ethan Furman <ethan@stoneleaf.us> Co-authored-by: Andrew Svetlov <andrew.svetlov@gmail.com>
* Remove incorrect imports rationale comment in `http.server` (#128278)Moshe Kaplan2024-12-261-1/+1
| | | Remove reference to gethostbyaddr(), because it's not actually used within this code.
* gh-123401: Fix http.cookies module to support obsolete RFC 850 date format ↵Nano2024-12-111-2/+4
| | | | | | | (#123405) Co-authored-by: Wulian <1055917385@qq.com> Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> Co-authored-by: Victor Stinner <vstinner@python.org>
* gh-126156: Improve performance of creating `Morsel` objects (#126157)J. Nick Koston2024-10-311-2/+3
| | | Replaces the manually constructed loop with a call to `dict.update`
* gh-123430: Add dark mode support to pages generated by http.server (#123475)Yorik Hansen2024-09-031-0/+6
| | | | | | Co-authored-by: Peter Bierma <zintensitydev@gmail.com> Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Victor Stinner <vstinner@python.org>
* gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with ↵Serhiy Storchaka2024-08-171-26/+8
| | | | | | backslashes (GH-123075) This fixes CVE-2024-7592.
* gh-121905: Consistently use "floating-point" instead of "floating point" ↵Serhiy Storchaka2024-07-191-1/+1
| | | | (GH-121907)
* gh-120485: Add an override of `allow_reuse_port` on classes subclassing ↵Idan Kapustian2024-06-161-1/+2
| | | | | `socketserver.TCPServer` (GH-120488) Co-authored-by: Vinay Sajip <vinay_sajip@yahoo.co.uk>
* Remove almost all unpaired backticks in docstrings (#119231)Geoffrey Thomas2024-05-222-6/+6
| | | | | | | | | | | | | | | | | | As reported in #117847 and #115366, an unpaired backtick in a docstring tends to confuse e.g. Sphinx running on subclasses of standard library objects, and the typographic style of using a backtick as an opening quote is no longer in favor. Convert almost all uses of the form The variable `foo' should do xyz to The variable 'foo' should do xyz and also fix up miscellaneous other unpaired backticks (extraneous / missing characters). No functional change is intended here other than in human-readable docstrings.
* gh-66543: Add mimetypes.guess_file_type() (GH-117258)Serhiy Storchaka2024-05-061-1/+1
|
* gh-102247: http: support rfc9110 status codes (GH-117611)Michiel W. Beijen2024-04-131-9/+11
| | | | | | | | | | | | | | | | | | | | rfc9110 obsoletes the earlier rfc 7231. This document also includes some status codes that were previously only used for WebDAV and assigns more generic names to these status codes. ref: https://www.rfc-editor.org/rfc/rfc9110.html#name-changes-from-rfc-7231 - http.HTTPStatus.CONTENT_TOO_LARGE (413, previously REQUEST_ENTITY_TOO_LARGE) - http.HTTPStatus.URI_TOO_LONG (414, previously REQUEST_URI_TOO_LONG) - http.HTTPStatus.RANGE_NOT_SATISFYABLE (416, previously REQUEST_RANGE_NOT_SATISFYABLE) - http.HTTPStatus.UNPROCESSABLE_CONTENT (422, previously UNPROCESSABLE_ENTITY) The new constants are added to http.HTTPStatus and the old constant names are preserved for backwards compatibility. References in documentation to the obsoleted rfc 7231 are updated
* gh-100985: Consistently wrap IPv6 IP address during CONNECT (GH-100986)Derek Higgins2024-02-171-5/+10
| | | | | | Update _get_hostport to always remove square brackets from IPv6 addresses. Then add them if needed in "CONNECT .." and "Host: ".
* gh-113199: Make read1() and readline() of HTTPResponse close IO after ↵Illia Volochii2023-12-181-0/+4
| | | | reading all data (GH-113200)
* gh-73561: Omit interface scope from IPv6 when used as Host header (#93324)Michael2023-11-191-2/+10
| | | | | | | Omit the `@interface_scope` from an IPv6 address when used as Host header by `http.client`. --------- Co-authored-by: Gregory P. Smith <greg@krypto.org> [Google LLC]
* gh-109096: Deprecate `http.server.CGIHTTPRequestHandler` (#109387)Gregory P. Smith2023-09-151-6/+12
| | | | | Deprecate `http.server.CGIHTTPRequestHandler`. Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
* gh-105626: Change the default return value of ↵Nikita Sobolev2023-07-141-3/+2
| | | | `HTTPConnection.get_proxy_response_headers` (#105628)
* gh-104924: Fix `read()able` in `http.client` log messages (gh-104926)Oleg Iarygin2023-05-261-2/+2
|
* gh-69152: add method get_proxy_response_headers to HTTPConnection class ↵Alexey Namyotkin2023-05-161-8/+29
| | | | | | | | | | (#104248) Add http.client.HTTPConnection method get_proxy_response_headers() - this is a followup to https://github.com/python/cpython/pull/26152 which added it as a non-public attribute. This way we don't pre-compute a headers dictionary that most users will never access. The new method is properly public and documented and triggers full proxy header parsing into a dict only when actually called. --------- Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
* gh-103204: `http.server` - Enforce that HTTP version numbers must consist ↵Ben Kallus2023-05-121-0/+4
| | | | | | | | | | only of digits (#103205) Reject HTTP requests with invalid http/x.y version numbers: x or y being non-digits or too-long. --------- Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net> Co-authored-by: Gregory P. Smith <greg@krypto.org>
* gh-69152: Add _proxy_response_headers attribute to HTTPConnection (#26152)Alexey Namyotkin2023-05-051-11/+7
| | | | | | | Add _proxy_response_headers attribute to HTTPConnection (#26152) --------- Co-authored-by: Senthil Kumaran <senthil@python.org>
* gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler ↵Ethan Furman2023-05-031-1/+1
| | | | | | | | | | (#104067) Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure) --------- Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
* GH-103472: close response in HTTPConnection._tunnel (#103473)Thomas Grainger2023-05-021-15/+18
| | | | | | | | Avoid a potential `ResourceWarning` in `http.client.HTTPConnection` by closing the proxy / tunnel's CONNECT response explicitly. --------- Co-authored-by: Gregory P. Smith <greg@krypto.org>
* GH-103857: Deprecate utcnow and utcfromtimestamp (#103858)Paul Ganssle2023-04-271-4/+4
| | | | | Using `datetime.datetime.utcnow()` and `datetime.datetime.utcfromtimestamp()` will now raise a `DeprecationWarning`. We also have removed our internal uses of these functions and documented the change.
* gh-66897: Upgrade HTTP CONNECT to protocol HTTP/1.1 (#8305)Michael Handler2023-04-051-6/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * bpo-22708: Upgrade HTTP CONNECT to protocol HTTP/1.1 (GH-NNNN) Use protocol HTTP/1.1 when sending HTTP CONNECT tunnelling requests; generate Host: headers if one is not already provided (required by HTTP/1.1), convert IDN domains to punycode in HTTP CONNECT requests. * Refactor tests to pass under -bb (fix ByteWarnings); missed some lines >80. * Use consistent 'tunnelling' spelling in Lib/http/client.py * Lib/test/test_httplib: Remove remnant of obsoleted test. * Use dict.copy() not copy.copy() * fix version changed * Update Lib/http/client.py Co-authored-by: bgehman <bgehman@users.noreply.github.com> * Switch to for/else: syntax, as suggested * Don't use for: else: * Sure, fine, w/e * Oops * 1nm to the left --------- Co-authored-by: Éric <merwok@netwok.org> Co-authored-by: bgehman <bgehman@users.noreply.github.com> Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
* gh-103112: Add http.client.HTTPResponse.read docstring and fix pydoc output ↵Bernhard Wagner2023-03-291-0/+1
| | | | | | | (#103113) Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu> Co-authored-by: Éric <merwok@netwok.org>
* gh-91219: http - use subclassing to override index_pages attribute (GH-100731)Ethan Furman2023-01-031-4/+2
| | | Remove previously added parameter to `__init__`, and recommend subclassing to modify the `index_pages` attribute instead.
* gh-100519: simplification to `eff_request_host` in cookiejar.py (#99588)Glyph2022-12-251-1/+1
| | | | | `IPV4_RE` includes a `.`, and the `.find(".") == -1` included here is already testing to make sure there's no dot, so this part of the expression is tautological. Instead use more modern `in` syntax to make it clear what the check is doing here. The simplified implementation more clearly matches the wording in RFC 2965. Co-authored-by: hauntsaninja <hauntsaninja@gmail.com>
* gh-100474: Fix handling of dirs named index.html in http.server (GH-100475)James Frost2022-12-241-1/+1
| | | | | | | If you had a directory called index.html or index.htm within a directory, it would cause http.server to return a 404 Not Found error instead of the directory listing. This came about due to not checking that the index was a regular file. I have also added a test case for this situation. Automerge-Triggered-By: GH:merwok
* gh-99576: Fix cookiejar file that was not truncated for some classes (GH-99616)Nikita Sobolev2022-12-201-2/+8
| | | Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* gh-100001: Also escape \s in http.server log messages. (#100038)Gregory P. Smith2022-12-051-0/+1
| | | | | | | Also \ escape \s in the http.server BaseHTTPRequestHandler.log_message so that it is technically possible to parse the line and reconstruct what the original data was. Without this a \xHH is ambiguious as to if it is a hex replacement we put in or the characters r"\x" came through in the original request line.
* gh-100001: Omit control characters in http.server stderr logs. (#100002)Gregory P. Smith2022-12-051-1/+10
| | | Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to.
* bpo-45975: Simplify some while-loops with walrus operator (GH-29347)Nick Drozd2022-11-262-20/+5
|
* gh-94172: Remove keyfile, certfile and check_hostname parameters (#94173)Victor Stinner2022-11-031-22/+3
| | | | | | | | | | | | Remove the keyfile, certfile and check_hostname parameters, deprecated since Python 3.6, in modules: ftplib, http.client, imaplib, poplib and smtplib. Use the context parameter (ssl_context in imaplib) instead. Parameters following the removed parameters become keyword-only parameters. ftplib: Remove the FTP_TLS.ssl_version class attribute: use the context parameter instead.
* Document that MozillaCookieJar works for curl's cookie files (#91852)Boris Verkhovskiy2022-10-031-1/+1
| | | MozillaCookieJar works for curl's cookies
* gh-95149: Enhance `http.HTTPStatus` with properties that indicate the HTTP ↵Alexandru Mărășteanu2022-08-301-0/+20
| | | | status category (GH-95453)
* Run Tools/scripts/reindent.py (#94225)Victor Stinner2022-06-261-1/+1
| | | | | Reindent files which were not properly formatted (PEP 8: 4 spaces). Remove also some trailing spaces.
* gh-94172: urllib.request avoids deprecated check_hostname (#94193)Victor Stinner2022-06-241-15/+17
| | | | | | | | | | | The urllib.request no longer uses the deprecated check_hostname parameter of the http.client module. Add private http.client._create_https_context() helper to http.client, used by urllib.request. Remove the now redundant check on check_hostname and verify_mode in http.client: the SSLContext.check_hostname setter already implements the check.
* gh-91219: Add an index_pages default list and parameter to ↵Myron Walker2022-06-231-2/+5
| | | | | | | | SimpleHTTPRequestHandler (GH-31985) * Add an index_pages default list to SimpleHTTPRequestHandler and an optional constructor parameter that allows the default indexes pages list to be overridden. This makes it easy to set a new index page name without having to override send_head.
* gh-87389: Fix an open redirection vulnerability in http.server. (#93879)Gregory P. Smith2022-06-211-0/+7
| | | | | | | | Fix an open redirection vulnerability in the `http.server` module when an URI path starts with `//` that could produce a 301 Location header with a misleading target. Vulnerability discovered, and logic fix proposed, by Hamza Avvan (@hamzaavvan). Test and comments authored by Gregory P. Smith [Google].
* gh-79096: Protect cookie file created by {LWP,Mozilla}CookieJar.save() ↵Pascal Wittmann2022-06-071-2/+2
| | | | | | | | | | | | | | | | | | | (GH-93463) Note: This change is not effective on Microsoft Windows. Cookies can store sensitive information and should therefore be protected against unauthorized third parties. This is also described in issue #79096. The filesystem permissions are currently set to 644, everyone can read the file. This commit changes the permissions to 600, only the creater of the file can read and modify it. This improves security, because it reduces the attack surface. Now the attacker needs control of the user that created the cookie or a ways to circumvent the filesystems permissions. This change is backwards incompatible. Systems that rely on world-readable cookies will breake. However, one could argue that those are misconfigured in the first place.
* gh-91996: Add an HTTPMethod StrEnum to http (GH-91997)cibofo2022-05-051-2/+31
| | | | | | | * Add HTTPMethod enum to http Create a StrEnum for the 9 common HTTP methods. Co-authored-by: Ethan Furman <ethan@stoneleaf.us>
* bpo-46285: Add command-line option -p/--protocol to module http.server (#30999)Géry Ogam2022-05-021-7/+12
| | | | Co-authored-by: Éric <merwok@netwok.org> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
* bpo-42066: CookieJar cookies should not be sorted (GH-22745)Iman Kermani2022-04-211-7/+2
|
* bpo-46075: Store localhost cookies in CookieJar (#30108)Nick2022-04-191-2/+3
| | | Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
* closes bpo-46736: SimpleHTTPRequestHandler now uses HTML5. (GH-31533)Dong-hee Na2022-02-231-12/+10
| | | Co-authored-by: Oleg Iarygin <dralife@yandex.ru>
* bpo-46436: Fix command-line option -d/--directory in module http.server ↵Géry Ogam2022-02-031-13/+14
| | | | | | | | (GH-30701) Fix command-line option -d/--directory in http.server main function that was ignored when combined with --cgi. Automerge-Triggered-By: GH:merwok
* bpo-46565: `del` loop vars that are leaking into module namespaces (GH-30993)Nikita Sobolev2022-02-031-2/+1
|
* bpo-28953: Use `raise from` when raising new IncompleteRead (GH-29861)1809092021-12-071-2/+2
| | | Automerge-Triggered-By: GH:asvetlov
* bpo-45328: Avoid failure in OSs without TCP_NODELAY support (GH-28646)rtobar2021-10-061-1/+7
| | | | | Operating systems without support for TCP_NODELAY will raise an OSError when trying to set the socket option, but the show can still go on.
* Fix typos in multiple files (GH-26689)Binbin2021-06-131-1/+1
| | | Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
generated by cgit v0.12 at 2025-03-28 02:05:46 (GMT)