| Commit message (Collapse) | Author | Age | Files | Lines |
|
It wasn't actually detecting the regression due to the assertion being too lenient.
(cherry picked from commit e60ab843cbb016fb6ff8b4f418641ac05a9b2fcc)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
Continue (GH-25916) (#25933)
Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.
Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 47895e31b6f626bc6ce47d175fe9d43c1098909d)
Co-authored-by: Gen Xu <xgbarry@gmail.com>
|
(cherry picked from commit 68526fe258da8c01196fd7cf48e8e5f1280bf8fd)
Co-authored-by: Angelin BOOZ <9497359+lem2clide@users.noreply.github.com>
|
reject control chars in http method in http.client.putrequest to prevent http header injection
(cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e)
Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
|
Add host validation for control characters for more CVE-2019-18348 protection.
(cherry picked from commit 9165addc22d05e776a54319a8531ebd0b2fe01ef)
Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
|
encoding behavior (GH-16448)
* bpo-38216: Allow bypassing input validation
* bpo-36274: Also allow the URL encoding to be overridden.
* bpo-38216, bpo-36274: Add tests demonstrating a hook for overriding validation, test demonstrating override encoding, and a test to capture expectation of the interface for the URL.
* Call with skip_host to avoid tripping on the host checking in the URL.
* Remove obsolete comment.
* Make _prepare_path_encoding its own attr.
This makes overriding just that simpler.
Also, don't use the := operator to make backporting easier.
* Add a news entry.
* _prepare_path_encoding -> _encode_prepared_path()
* Once again separate the path validation and request encoding, drastically simplifying the behavior. Drop the guarantee that all processing happens in _prepare_path.
(cherry picked from commit 7774d7831e8809795c64ce27f7df52674581d298)
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
|
(cherry picked from commit 8f080b09953a2d862de5c74edf414a54ea3dbea5)
Co-authored-by: Raymond Hettinger <rhettinger@users.noreply.github.com>
|
(GH-15188)
(cherry picked from commit aa542c2)
Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
|
(GH-14448) (GH-14495)
Post-handshake authentication is required for conditional client cert authentication with TLS 1.3.
https://bugs.python.org/issue37440
(cherry picked from commit d1bd6e79da1ee56dc1b902d804216ffd267399db)
Co-authored-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue37440
|
Modern Linux distros such as Debian Buster have default OpenSSL system
configurations that reject connections to servers with weak certificates
by default. This causes our test suite run with external networking
resources enabled to skip these tests when they encounter such a failure.
Fixing the network servers is a separate issue.
|
with debuglevel=1 only the header keys got printed. With
this change the header values get printed as well and the single
header entries get '\n' as a separator.
|
blocksize was hardcoded to 8192, preventing efficient upload when using
file-like body. Add blocksize argument to __init__, so users can
configure the blocksize to fit their needs.
I tested this uploading data from /dev/zero to a web server dropping the
received data, to test the overhead of the HTTPConnection.send() with a
file-like object.
Here is an example 10g upload with the default buffer size (8192):
$ time ~/src/cpython/release/python upload-httplib.py 10 https://localhost:8000/
Uploaded 10.00g in 17.53 seconds (584.00m/s)
real 0m17.574s
user 0m8.887s
sys 0m5.971s
Same with 512k blocksize:
$ time ~/src/cpython/release/python upload-httplib.py 10 https://localhost:8000/
Uploaded 10.00g in 6.60 seconds (1551.15m/s)
real 0m6.641s
user 0m3.426s
sys 0m2.162s
In real world usage the difference will be smaller, depending on the
local and remote storage and the network.
See https://github.com/nirs/http-bench for more info.
|
* Trivial cleanups following bpo-31370
* Also cleanup the "importlib._bootstrap_external" module
|
Replaces PROTOCOL_TLSv* and PROTOCOL_SSLv23 with PROTOCOL_TLS_CLIENT and
PROTOCOL_TLS_SERVER.
Signed-off-by: Christian Heimes <christian@python.org>
|
Includes patch by Ville Skyttä.
|
Panter
|
Original patch by Martin Panter, new policy fixes by me.
|
The previous attempt to determine the file’s Content-Length gave a false
positive for pipes on Windows.
Also, drop the special case for sending zero-length iterable bodies.
|
When the body object is a file, its size is no longer determined with
fstat(), since that can report the wrong result (e.g. reading from a pipe).
Instead, determine the size using seek(), or fall back to chunked encoding
for unseekable files.
Also, change the logic for detecting text files to check for TextIOBase
inheritance, rather than inspecting the “mode” attribute, which may not
exist (e.g. BytesIO and StringIO). The Content-Length for text files is no
longer determined ahead of time, because the original logic could have been
wrong depending on the codec and newline translation settings.
Patch by Demian Brecht and Rolf Krahl, with a few tweaks by me.
|
The @reap_threads decorator made the test wait (for up to 1 s) until
background threads have finished. Calling join() with a timeout should be
equivalent.
|
* No longer attempts to close already freed socket file descriptor
* Use socket object to be compatible with Windows
* Do not use a timeout to avoid complication with non-blocking mode
* Use internal localhost server rather than depending on a third party
* Avoid trouble with buffered HTTP data by testing tunnelled CONNECT data
|
Based on patch by Guido van Rossum.
|
This changeset does two things: introduces a new RemoteDisconnected exception
(that subclasses ConnectionResetError and BadStatusLine) so that a remote
server disconnection can be detected by client code (and provides a better
error message for debugging purposes), and ensures that the client socket is
closed if a ConnectionError happens, so that the automatic re-connection code
can work if the application handles the error and continues on.
Tests are added that confirm that a connection is re-used or not re-used
as appropriate to the various combinations of protocol version and headers.
Patch by Martin Panter, reviewed by Demian Brecht. (Tweaked only slightly by
me.)
|
Some http servers will reject PUT, POST, and PATCH requests if they
do not have a Content-Length header.
Patch by James Rutherford, with additional cleaning up of the
'request' documentation by me.
|
Original patch by Demian Brecht.
|
Original patch by Demian Brecht.
|
with the constants in http.client.
Initial patch by Demian Brecht.
|
Also, document the LineTooLong exception since it can be raised by
the members of public API (e.g. http.client.HTTPResponse).
Patch by Martin Panter.
|
Also, document the LineTooLong exception since it can be raised by
the members of public API (e.g. http.client.HTTPResponse).
Patch by Martin Panter.
|
Patch by Demian Brecht.
|
Patch by Cory Benfield.
|
Increase http.client.HTTPConnection test coverage.
Added a new tunnel test to verify setting of _tunnel_host, _tunnel_port,
_tunnel_headers attributes on HTTPConnection object.
|
Added a new tunnel test to verify setting of _tunnel_host, _tunnel_port,
_tunnel_headers attributes on HTTPConnection object.
|
Patch by Demian Brecht.