Update dependency aiohttp to v3.10.11 [SECURITY] #59
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.8.6
->3.10.11
GitHub Vulnerability Alerts
CVE-2023-49082
Summary
Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method.
Details
The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request.
Previous releases performed no validation on the provided value. If an attacker controls the HTTP method it will be used as is and can lead to HTTP request smuggling.
PoC
A minimal example can be found here:
https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b
Impact
If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).
Workaround
If unable to upgrade and using user-provided values for the request method, perform manual validation of the user value (e.g. by restricting it to a few known values like GET, POST etc.).
Patch: https://github.com/aio-libs/aiohttp/pull/7806/files
CVE-2023-49081
Summary
Improper validation make it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or even create a new HTTP request if the attacker controls the HTTP version.
Details
The vulnerability only occurs if the attacker can control the HTTP version of the request (including its type).
For example if an unvalidated JSON value is used as a version and the attacker is then able to pass an array as the
version
parameter.Furthermore, the vulnerability only occurs when the
Connection
header is passed to theheaders
parameter.At this point, the library will use the parsed value to create the request. If a list is passed, then it bypasses validation and it is possible to perform CRLF injection.
PoC
The POC below shows an example of providing an unvalidated array as a version:
https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e
Impact
CRLF injection leading to Request Smuggling.
Workaround
If these specific conditions are met and you are unable to upgrade, then validate the user input to the
version
parameter to ensure it is astr
.Patch: https://github.com/aio-libs/aiohttp/pull/7835/files
CVE-2024-23829
Summary
Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input.
Details
These problems are rooted in pattern matching protocol elements, previously improved by PR #3235 and GHSA-gfw2-4jvh-wgfg:
The expression
HTTP/(\d).(\d)
lacked another backslash to clarify that the separator should be a literal dot, not just any Unicode code point (result:HTTP/(\d)\.(\d)
).The HTTP version was permitting Unicode digits, where only ASCII digits are standards-compliant.
Distinct regular expressions for validating HTTP Method and Header field names were used - though both should (at least) apply the common restrictions of rfc9110
token
.PoC
GET / HTTP/1ö1
GET / HTTP/1.𝟙
GET/: HTTP/1.1
Content-Encoding?: chunked
Impact
Primarily concerns running an aiohttp server without llhttp:
Patch: https://github.com/aio-libs/aiohttp/pull/8074/files
CVE-2024-23334
Summary
Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.
Details
When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory.This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.
i.e. An application is only vulnerable with setup code like:
Impact
This is a directory traversal vulnerability with CWE ID 22. When using aiohttp as a web server and enabling static resource resolution with
follow_symlinks
set to True, it can lead to this vulnerability. This vulnerability has been present since the introduction of thefollow_symlinks
parameter.Workaround
Even if upgrading to a patched version of aiohttp, we recommend following these steps regardless.
If using
follow_symlinks=True
outside of a restricted local development environment, disable the option immediately. This option is NOT needed to follow symlinks which point to a location within the static root directory, it is only intended to allow a symlink to break out of the static directory. Even with this CVE fixed, there is still a substantial risk of misconfiguration when using this option on a server that accepts requests from remote users.Additionally, aiohttp has always recommended using a reverse proxy server (such as nginx) to handle static resources and not to use these static resources in aiohttp for production environments. Doing so also protects against this vulnerability, and is why we expect the number of affected users to be very low.
Patch: https://github.com/aio-libs/aiohttp/pull/8079/files
CVE-2024-27306
Summary
A XSS vulnerability exists on index pages for static file handling.
Details
When using
web.static(..., show_index=True)
, the resulting index pages do not escape file names.If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.
Workaround
We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected.
Other users can disable
show_index
if unable to upgrade.Patch: https://github.com/aio-libs/aiohttp/pull/8319/files
CVE-2024-30251
Summary
An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.
Impact
An attacker can stop the application from serving requests after sending a single request.
For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in
_read_chunk_from_length()
):This does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in:
aio-libs/aiohttp@cebe526
aio-libs/aiohttp@7eecdff
aio-libs/aiohttp@f21c6f2
CVE-2024-42367
Summary
Static routes which contain files with compressed variants (
.gz
or.br
extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.Details
The server protects static routes from path traversal outside the root directory when
follow_symlinks=False
(default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in theFileResponse
class, and symbolic links are then automatically followed when performingPath.stat()
andPath.open()
to send the file.Impact
Servers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.
Patch: https://github.com/aio-libs/aiohttp/pull/8653/files
CVE-2024-52304
Summary
The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.
Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or
AIOHTTP_NO_EXTENSIONS
is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.Patch: aio-libs/aiohttp@259edc3
Release Notes
aio-libs/aiohttp (aiohttp)
v3.10.11
Compare Source
====================
Bug fixes
Authentication provided by a redirect now takes precedence over provided
auth
when making requests with the client -- by :user:PLPeeters
.Related issues and pull requests on GitHub:
:issue:
9436
.Fixed :py:meth:
WebSocketResponse.close() <aiohttp.web.WebSocketResponse.close>
to discard non-close messages within its timeout window after sending close -- by :user:lenard-mosys
.Related issues and pull requests on GitHub:
:issue:
9506
.Fixed a deadlock that could occur while attempting to get a new connection slot after a timeout -- by :user:
bdraco
.The connector was not cancellation-safe.
Related issues and pull requests on GitHub:
:issue:
9670
, :issue:9671
.Fixed the WebSocket flow control calculation undercounting with multi-byte data -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
9686
.Fixed incorrect parsing of chunk extensions with the pure Python parser -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
9851
.Fixed system routes polluting the middleware cache -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
9852
.Removals and backward incompatible breaking changes
Improved performance of the connector when a connection can be reused -- by :user:
bdraco
.If
BaseConnector.connect
has been subclassed and replaced with custom logic, theceil_timeout
must be added.Related issues and pull requests on GitHub:
:issue:
9600
.Miscellaneous internal changes
Improved performance of the client request lifecycle when there are no cookies -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
9470
.Improved performance of sending client requests when the writer can finish synchronously -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
9485
.Improved performance of serializing HTTP headers -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
9603
.Passing
enable_cleanup_closed
to :py:class:aiohttp.TCPConnector
is now ignored on Python 3.12.7+ and 3.13.1+ since the underlying bug that caused asyncio to leak SSL connections has been fixed upstream -- by :user:bdraco
.Related issues and pull requests on GitHub:
:issue:
9726
, :issue:9736
.v3.10.10
Compare Source
====================
Bug fixes
Fixed error messages from :py:class:
~aiohttp.resolver.AsyncResolver
being swallowed -- by :user:bdraco
.Related issues and pull requests on GitHub:
:issue:
9451
, :issue:9455
.Features
Added :exc:
aiohttp.ClientConnectorDNSError
for differentiating DNS resolution errors from other connector errors -- by :user:mstojcevich
.Related issues and pull requests on GitHub:
:issue:
8455
.Miscellaneous internal changes
Simplified DNS resolution throttling code to reduce chance of race conditions -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
9454
.v3.10.9
Compare Source
===================
Bug fixes
Fixed proxy headers being used in the
ConnectionKey
hash when a proxy was not being used -- by :user:bdraco
.If default headers are used, they are also used for proxy headers. This could have led to creating connections that were not needed when one was already available.
Related issues and pull requests on GitHub:
:issue:
9368
.Widened the type of the
trace_request_ctx
parameter of:meth:
ClientSession.request() <aiohttp.ClientSession.request>
and friends-- by :user:
layday
.Related issues and pull requests on GitHub:
:issue:
9397
.Removals and backward incompatible breaking changes
Fixed failure to try next host after single-host connection timeout -- by :user:
brettdh
.The default client :class:
aiohttp.ClientTimeout
params has changed to include asock_connect
timeout of 30 seconds so that this correct behavior happens by default.Related issues and pull requests on GitHub:
:issue:
7342
.Miscellaneous internal changes
Improved performance of resolving hosts with Python 3.12+ -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
9342
.Reduced memory required for timer objects created during the client request lifecycle -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
9406
.v3.10.8
Compare Source
===================
Bug fixes
Fixed cancellation leaking upwards on timeout -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
9326
.v3.10.7
Compare Source
===================
Bug fixes
Fixed assembling the :class:
~yarl.URL
for web requests when the host contains a non-default port or IPv6 address -- by :user:bdraco
.Related issues and pull requests on GitHub:
:issue:
9309
.Miscellaneous internal changes
Improved performance of determining if a URL is absolute -- by :user:
bdraco
.The property :attr:
~yarl.URL.absolute
is more performant than the methodURL.is_absolute()
and preferred when newer versions of yarl are used.Related issues and pull requests on GitHub:
:issue:
9171
.Replaced code that can now be handled by
yarl
-- by :user:bdraco
.Related issues and pull requests on GitHub:
:issue:
9301
.v3.10.6
Compare Source
===================
Bug fixes
Added :exc:
aiohttp.ClientConnectionResetError
. Client code that previously threw :exc:ConnectionResetError
will now throw this -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
9137
.Fixed an unclosed transport
ResourceWarning
on web handlers -- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8875
.Fixed resolve_host() 'Task was destroyed but is pending' errors -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8967
.Fixed handling of some file-like objects (e.g.
tarfile.extractfile()
) which raiseAttributeError
instead ofOSError
whenfileno
fails for streaming payload data -- by :user:ReallyReivax
.Related issues and pull requests on GitHub:
:issue:
6732
.Fixed web router not matching pre-encoded URLs (requires yarl 1.9.6+) -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8898
, :issue:9267
.Fixed an error when trying to add a route for multiple methods with a path containing a regex pattern -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8998
.Fixed
Response.text
when body is aPayload
-- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
6485
.Fixed compressed requests failing when no body was provided -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
9108
.Fixed client incorrectly reusing a connection when the previous message had not been fully sent -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8992
.Fixed race condition that could cause server to close connection incorrectly at keepalive timeout -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
9140
.Fixed Python parser chunked handling with multiple Transfer-Encoding values -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8823
.Fixed error handling after 100-continue so server sends 500 response instead of disconnecting -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8876
.Stopped adding a default Content-Type header when response has no content -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8858
.Added support for URL credentials with empty (zero-length) username, e.g.
https://:password@host
-- by :user:shuckc
Related issues and pull requests on GitHub:
:issue:
6494
.Stopped logging exceptions from
web.run_app()
that would be raised regardless -- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
6807
.Implemented binding to IPv6 addresses in the pytest server fixture.
Related issues and pull requests on GitHub:
:issue:
4650
.Fixed the incorrect use of flags for
getnameinfo()
in the Resolver --by :user:GitNMLee
Link-Local IPv6 addresses can now be handled by the Resolver correctly.
Related issues and pull requests on GitHub:
:issue:
9032
.Fixed StreamResponse.prepared to return True after EOF is sent -- by :user:
arthurdarcet
.Related issues and pull requests on GitHub:
:issue:
5343
.Changed
make_mocked_request()
to use empty payload by default -- by :user:rahulnht
.Related issues and pull requests on GitHub:
:issue:
7167
.Used more precise type for
ClientResponseError.headers
, fixing some type errors when using them -- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8768
.Changed behavior when returning an invalid response to send a 500 response -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8845
.Fixed response reading from closed session to throw an error immediately instead of timing out -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8878
.Fixed
CancelledError
from one cleanup context stopping other contexts from completing -- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8908
.Fixed changing scheme/host in
Response.clone()
for absolute URLs -- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8990
.Fixed
Site.name
when host is an empty string -- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8929
.Updated Python parser to reject messages after a close message, matching C parser behaviour -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
9018
.Fixed creation of
SSLContext
inside of :py:class:aiohttp.TCPConnector
with multiple event loops in different threads -- by :user:bdraco
.Related issues and pull requests on GitHub:
:issue:
9029
.Fixed (on Python 3.11+) some edge cases where a task cancellation may get incorrectly suppressed -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
9030
.Fixed exception information getting lost on
HttpProcessingError
-- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
9052
.Fixed
If-None-Match
not using weak comparison -- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
9063
.Fixed badly encoded charset crashing when getting response text instead of falling back to charset detector.
Related issues and pull requests on GitHub:
:issue:
9160
.Rejected
\n
inreason
values to avoid sending broken HTTP messages -- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
9167
.Changed :py:meth:
ClientResponse.raise_for_status() <aiohttp.ClientResponse.raise_for_status>
to only release the connection when invoked outside anasync with
context -- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
9239
.Features
Improved type on
params
to match the underlying type allowed byyarl
-- by :user:lpetre
.Related issues and pull requests on GitHub:
:issue:
8564
.Declared Python 3.13 supported -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
8748
.Removals and backward incompatible breaking changes
Improved middleware performance -- by :user:
bdraco
.The
set_current_app
method was removed fromUrlMappingMatchInfo
because it is no longer used, and it was unlikely external caller would ever use it.Related issues and pull requests on GitHub:
:issue:
9200
.Increased minimum yarl version to 1.12.0 -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
9267
.Improved documentation
Clarified that
GracefulExit
needs to be handled inAppRunner
andServerRunner
when usinghandle_signals=True
. -- by :user:Daste745
Related issues and pull requests on GitHub:
:issue:
4414
.Clarified that auth parameter in ClientSession will persist and be included with any request to any origin, even during redirects to different origins. -- by :user:
MaximZemskov
.Related issues and pull requests on GitHub:
:issue:
6764
.Clarified which timeout exceptions happen on which timeouts -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8968
.Updated
ClientSession
parameters to match current code -- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8991
.Packaging updates and notes for downstreams
Fixed
test_client_session_timeout_zero
to not require internet access -- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
9004
.Miscellaneous internal changes
Improved performance of making requests when there are no auto headers to skip -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
8847
.Exported
aiohttp.TraceRequestHeadersSentParams
-- by :user:Hadock-is-ok
.Related issues and pull requests on GitHub:
:issue:
8947
.Avoided tracing overhead in the http writer when there are no active traces -- by user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
9031
.Improved performance of reify Cython implementation -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
9054
.Use :meth:
URL.extend_query() <yarl.URL.extend_query>
to extend query params (requires yarl 1.11.0+) -- by :user:bdraco
.If yarl is older than 1.11.0, the previous slower hand rolled version will be used.
Related issues and pull requests on GitHub:
:issue:
9068
.Improved performance of checking if a host is an IP Address -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
9095
.Significantly improved performance of middlewares -- by :user:
bdraco
.The construction of the middleware wrappers is now cached and is built once per handler instead of on every request.
Related issues and pull requests on GitHub:
:issue:
9158
, :issue:9170
.Improved performance of web requests -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
9168
, :issue:9169
, :issue:9172
, :issue:9174
, :issue:9175
, :issue:9241
.Improved performance of starting web requests when there is no response prepare hook -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
9173
.Significantly improved performance of expiring cookies -- by :user:
bdraco
.Expiring cookies has been redesigned to use :mod:
heapq
instead of a linear search, to better scale.Related issues and pull requests on GitHub:
:issue:
9203
.Significantly sped up filtering cookies -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
9204
.v3.10.5
Compare Source
=========================
Bug fixes
Fixed :meth:
aiohttp.ClientResponse.json()
not settingstatus
when :exc:aiohttp.ContentTypeError
is raised -- by :user:bdraco
.Related issues and pull requests on GitHub:
:issue:
8742
.Miscellaneous internal changes
Improved performance of the WebSocket reader -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
8736
, :issue:8747
.v3.10.4
Compare Source
v3.10.3
Compare Source
========================
Bug fixes
Fixed multipart reading when stream buffer splits the boundary over several read() calls -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8653
.Fixed :py:class:
aiohttp.TCPConnector
doing blocking I/O in the event loop to create theSSLContext
-- by :user:bdraco
.The blocking I/O would only happen once per verify mode. However, it could cause the event loop to block for a long time if the
SSLContext
creation is slow, which is more likely during startup when the disk cache is not yet present.Related issues and pull requests on GitHub:
:issue:
8672
.Miscellaneous internal changes
Improved performance of :py:meth:
~aiohttp.ClientWebSocketResponse.receive
and :py:meth:~aiohttp.web.WebSocketResponse.receive
when there is no timeout. -- by :user:bdraco
.The timeout context manager is now avoided when there is no timeout as it accounted for up to 50% of the time spent in the :py:meth:
~aiohttp.ClientWebSocketResponse.receive
and :py:meth:~aiohttp.web.WebSocketResponse.receive
methods.Related issues and pull requests on GitHub:
:issue:
8660
.Improved performance of starting request handlers with Python 3.12+ -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
8661
.Improved performance of HTTP keep-alive checks -- by :user:
bdraco
.Previously, when processing a request for a keep-alive connection, the keep-alive check would happen every second; the check is now rescheduled if it fires too early instead.
Related issues and pull requests on GitHub:
:issue:
8662
.Improved performance of generating random WebSocket mask -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
8667
.v3.10.2
Compare Source
===================
Bug fixes
Fixed server checks for circular symbolic links to be compatible with Python 3.13 -- by :user:
steverep
.Related issues and pull requests on GitHub:
:issue:
8565
.Fixed request body not being read when ignoring an Upgrade request -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8597
.Fixed an edge case where shutdown would wait for timeout when the handler was already completed -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8611
.Fixed connecting to
npipe://
,tcp://
, andunix://
urls -- by :user:bdraco
.Related issues and pull requests on GitHub:
:issue:
8632
.Fixed WebSocket ping tasks being prematurely garbage collected -- by :user:
bdraco
.There was a small risk that WebSocket ping tasks would be prematurely garbage collected because the event loop only holds a weak reference to the task. The garbage collection risk has been fixed by holding a strong reference to the task. Additionally, the task is now scheduled eagerly with Python 3.12+ to increase the chance it can be completed immediately and avoid having to hold any references to the task.
Related issues and pull requests on GitHub:
:issue:
8641
.Fixed incorrectly following symlinks for compressed file variants -- by :user:
steverep
.Related issues and pull requests on GitHub:
:issue:
8652
.Removals and backward incompatible breaking changes
Removed
Request.wait_for_disconnection()
, which was mistakenly added briefly in 3.10.0 -- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8636
.Contributor-facing changes
Fixed monkey patches for
Path.stat()
andPath.is_dir()
for Python 3.13 compatibility -- by :user:steverep
.Related issues and pull requests on GitHub:
:issue:
8551
.Miscellaneous internal changes
Improved WebSocket performance when messages are sent or received frequently -- by :user:
bdraco
.The WebSocket heartbeat scheduling algorithm was improved to reduce the
asyncio
scheduling overhead by decreasing the number ofasyncio.TimerHandle
creations and cancellations.Related issues and pull requests on GitHub:
:issue:
8608
.Minor improvements to various type annotations -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8634
.v3.10.1
Compare Source
v3.10.0
Compare Source
v3.9.5
Compare Source
==================
Bug fixes
Fixed "Unclosed client session" when initialization of
:py:class:
~aiohttp.ClientSession
fails -- by :user:NewGlad
.Related issues and pull requests on GitHub:
:issue:
8253
.Fixed regression (from :pr:
8280
) with addingContent-Disposition
to theform-data
part after appending to writer -- by :user:
Dreamsorcerer
/:user:Olegt0rr
.Related issues and pull requests on GitHub:
:issue:
8332
.Added default
Content-Disposition
inmultipart/form-data
responses to avoid brokenform-data responses -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8335
.v3.9.4
Compare Source
==================
Bug fixes
The asynchronous internals now set the underlying causes
when assigning exceptions to the future objects
-- by :user:
webknjaz
.Related issues and pull requests on GitHub:
:issue:
8089
.Treated values of
Accept-Encoding
header as case-insensitive when checkingfor gzip files -- by :user:
steverep
.Related issues and pull requests on GitHub:
:issue:
8104
.Improved the DNS resolution performance on cache hit -- by :user:
bdraco
.This is achieved by avoiding an :mod:
asyncio
task creation in this case.Related issues and pull requests on GitHub:
:issue:
8163
.Changed the type annotations to allow
dict
on :meth:aiohttp.MultipartWriter.append
,:meth:
aiohttp.MultipartWriter.append_json
and:meth:
aiohttp.MultipartWriter.append_form
-- by :user:cakemanny
Related issues and pull requests on GitHub:
:issue:
7741
.Ensure websocket transport is closed when client does not close it
-- by :user:
bdraco
.The transport could remain open if the client did not close it. This
change ensures the transport is closed when the client does not close
it.
Related issues and pull requests on GitHub:
:issue:
8200
.Leave websocket transport open if receive times out or is cancelled
-- by :user:
bdraco
.This restores the behavior prior to the change in #7978.
Related issues and pull requests on GitHub:
:issue:
8251
.Fixed content not being read when an upgrade request was not supported with the pure Python implementation.
-- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
8252
.Fixed a race condition with incoming connections during server shutdown -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8271
.Fixed
multipart/form-data
compliance with :rfc:7578
-- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8280
.Fixed blocking I/O in the event loop while processing files in a POST request
-- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
8283
.Escaped filenames in static view -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
8317
.Fixed the pure python parser to mark a connection as closing when a
response has no length -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8320
.Features
Upgraded llhttp to 9.2.1, and started rejecting obsolete line folding
in Python parser to match -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8146
, :issue:8292
.Deprecations (removal in next major release)
Deprecated
content_transfer_encoding
parameter in :py:meth:FormData.add_field() <aiohttp.FormData.add_field>
-- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8280
.Improved documentation
Added a note about canceling tasks to avoid delaying server shutdown -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8267
.Contributor-facing changes
The pull request template is now asking the contributors to
answer a question about the long-term maintenance challenges
they envision as a result of merging their patches
-- by :user:
webknjaz
.Related issues and pull requests on GitHub:
:issue:
8099
.Updated CI and documentation to use NPM clean install and upgrade
node to version 18 -- by :user:
steverep
.Related issues and pull requests on GitHub:
:issue:
8116
.A pytest fixture
hello_txt
was introduced to aidstatic file serving tests in
:file:
test_web_sendfile_functional.py
. It dynamicallyprovisions
hello.txt
file variants shared across thetests in the module.
-- by :user:
steverep
Related issues and pull requests on GitHub:
:issue:
8136
.Packaging updates and notes for downstreams
Added an
internal
pytest marker for tests which should be skippedby packagers (use
-m 'not internal'
to disable them) -- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8299
.v3.9.3
Compare Source
==================
Bug fixes
Fixed backwards compatibility breakage (in 3.9.2) of
ssl
parameter when set outsideof
ClientSession
(e.g. directly inTCPConnector
) -- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8097
, :issue:8098
.Miscellaneous internal changes
Improved test suite handling of paths and temp files to consistently use pathlib and pytest fixtures.
Related issues and pull requests on GitHub:
:issue:
3957
.v3.9.2
Compare Source
==================
Bug fixes
Fixed server-side websocket connection leak.
Related issues and pull requests on GitHub:
:issue:
7978
.Fixed
web.FileResponse
doing blocking I/O in the event loop.Related issues and pull requests on GitHub:
:issue:
8012
.Fixed double compress when compression enabled and compressed file exists in server file responses.
Related issues and pull requests on GitHub:
:issue:
8014
.Added runtime type check for
ClientSession
timeout
parameter.Related issues and pull requests on GitHub:
:issue:
8021
.Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:
pajod
.Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
Invalid header field names containing question mark or slash are now rejected.
Such requests are incompatible with :rfc:
9110#section-5.6.2
and are not known to be of any legitimate use.Related issues and pull requests on GitHub:
:issue:
8074
.Improved validation of paths for static resources requests to the server -- by :user:
bdraco
.Related issues and pull requests on GitHub:
:issue:
8079
.Features
Added support for passing :py:data:
True
tossl
parameter inClientSession
whiledeprecating :py:data:
None
-- by :user:xiangyan99
.Related issues and pull requests on GitHub:
:issue:
7698
.Breaking changes
Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:
pajod
.Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
Invalid header field names containing question mark or slash are now rejected.
Such requests are incompatible with :rfc:
9110#section-5.6.2
and are not known to be of any legitimate use.Related issues and pull requests on GitHub:
:issue:
8074
.Improved documentation
Fixed examples of
fallback_charset_resolver
function in the :doc:client_advanced
document. -- by :user:henry0312
.Related issues and pull requests on GitHub:
:issue:
7995
.The Sphinx setup was updated to avoid showing the empty
changelog draft section in the tagged release documentation
builds on Read The Docs -- by :user:
webknjaz
.Related issues and pull requests on GitHub:
:issue:
8067
.Packaging updates and notes for downstreams
The changelog categorization was made clearer. The
contributors can now mark their fragment files more
accurately -- by :user:
webknjaz
.The new category tags are:
Related issues and pull requests on GitHub:
:issue:
8066
.Contributor-facing changes
Updated :ref:
contributing/Tests coverage <aiohttp-contributing>
section to show how we usecodecov
-- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
7916
.The changelog categorization was made clearer. The
contributors can now mark their fragment files more
accurately -- by :user:
webknjaz
.The new category tags are:
Related issues and pull requests on GitHub:
:issue:
8066
.Miscellaneous internal changes
Replaced all
tmpdir
fixtures withtmp_path
in test suite.Related issues and pull requests on GitHub:
:issue:
3551
.v3.9.1
Compare Source
==================
Bugfixes
Fixed importing aiohttp under PyPy on Windows.
#​7848 <https://github.com/aio-libs/aiohttp/issues/7848>
_Fixed async concurrency safety in websocket compressor.
#​7865 <https://github.com/aio-libs/aiohttp/issues/7865>
_Fixed
ClientResponse.close()
releasing the connection instead of closing.#​7869 <https://github.com/aio-libs/aiohttp/issues/7869>
_Fixed a regression where connection may get closed during upgrade. -- by :user:
Dreamsorcerer
#​7879 <https://github.com/aio-libs/aiohttp/issues/7879>
_Fixed messages being reported as upgraded without an Upgrade header in Python parser. -- by :user:
Dreamsorcerer
#​7895 <https://github.com/aio-libs/aiohttp/issues/7895>
_v3.9.0
Compare Source
==================
Features
Introduced
AppKey
for static typing support ofApplication
storage.See https://docs.aiohttp.org/en/stable/web_advanced.html#application-s-config
#​5864 <https://github.com/aio-libs/aiohttp/issues/5864>
_Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called.
The period can be adjusted with the
shutdown_timeout
parameter. -- by :user:Dreamsorcerer
.See https://docs.aiohttp.org/en/latest/web_advanced.html#graceful-shutdown
#​7188 <https://github.com/aio-libs/aiohttp/issues/7188>
_Added
handler_cancellation <https://docs.aiohttp.org/en/stable/web_advanced.html#web-handler-cancellation>
_ parameter to cancel web handler on client disconnection. -- by :user:mosquito
This (optionally) reintroduces a feature removed in a previous release.
Recommended for those looking for an extra level of protection against denial-of-service attacks.
#​7056 <https://github.com/aio-libs/aiohttp/issues/7056>
_Added support for setting response header parameters
max_line_size
andmax_field_size
.#​2304 <https://github.com/aio-libs/aiohttp/issues/2304>
_Added
auto_decompress
parameter toClientSession.request
to overrideClientSession._auto_decompress
. -- by :user:Daste745
#​3751 <https://github.com/aio-libs/aiohttp/issues/3751>
_Changed
raise_for_status
to allow a coroutine.#​3892 <https://github.com/aio-libs/aiohttp/issues/3892>
_Added client brotli compression support (optional with runtime check).
#​5219 <https://github.com/aio-libs/aiohttp/issues/5219>
_Added
client_max_size
toBaseRequest.clone()
to allow overriding the request body size. -- :user:anesabml
.#​5704 <https://github.com/aio-libs/aiohttp/issues/5704>
_Added a middleware type alias
aiohttp.typedefs.Middleware
.#​5898 <https://github.com/aio-libs/aiohttp/issues/5898>
_Exported
HTTPMove
which can be used to catch any redirection requestthat has a location -- :user:
dreamsorcerer
.#​6594 <https://github.com/aio-libs/aiohttp/issues/6594>
_Changed the
path
parameter inweb.run_app()
to accept apathlib.Path
object.#​6839 <https://github.com/aio-libs/aiohttp/issues/6839>
_Performance: Skipped filtering
CookieJar
when the jar is empty or all cookies have expired.#​7819 <https://github.com/aio-libs/aiohttp/issues/7819>
_Performance: Only check origin if insecure scheme and there are origins to treat as secure, in
CookieJar.filter_cookies()
.#​7821 <https://github.com/aio-libs/aiohttp/issues/7821>
_Performance: Used timestamp instead of
datetime
to achieve faster cookie expiration inCookieJar
.#​7824 <https://github.com/aio-libs/aiohttp/issues/7824>
_Added support for passing a custom server name parameter to HTTPS connection.
#​7114 <https://github.com/aio-libs/aiohttp/issues/7114>
_Added support for using Basic Auth credentials from :file:
.netrc
file when making HTTP requests with the:py:class:
~aiohttp.ClientSession
trust_env
argument is set toTrue
. -- by :user:yuvipanda
.#​7131 <https://github.com/aio-libs/aiohttp/issues/7131>
_Turned access log into no-op when the logger is disabled.
#​7240 <https://github.com/aio-libs/aiohttp/issues/7240>
_Added typing information to
RawResponseMessage
. -- by :user:Gobot1234
#​7365 <https://github.com/aio-libs/aiohttp/issues/7365>
_Removed
async-timeout
for Python 3.11+ (replaced withasyncio.timeout()
on newer releases).#​7502 <https://github.com/aio-libs/aiohttp/issues/7502>
_Added support for
brotlicffi
as an alternative tobrotli
(fixing Brotli support on PyPy).#​7611 <https://github.com/aio-libs/aiohttp/issues/7611>
_Added
WebSocketResponse.get_extra_info()
to access a protocol transport's extra info.#​7078 <https://github.com/aio-libs/aiohttp/issues/7078>
_Allow
link
argument to be set to None/empty in HTTP 451 exception.#​7689 <https://github.com/aio-libs/aiohttp/issues/7689>
_Bugfixes
Implemented stripping the trailing dots from fully-qualified domain names in
Host
headers and TLS context when acting as an HTTP client.This allows the client to connect to URLs with FQDN host name like
https://example.com./
.-- by :user:
martin-sucha
.#​3636 <https://github.com/aio-libs/aiohttp/issues/3636>
_Fixed client timeout not working when incoming data is always available without waiting. -- by :user:
Dreamsorcerer
.#​5854 <https://github.com/aio-libs/aiohttp/issues/5854>
_Fixed
readuntil
to work with a delimiter of more than one character.#​6701 <https://github.com/aio-libs/aiohttp/issues/6701>
_Added
__repr__
toEmptyStreamReader
to avoidAttributeError
.#​6916 <https://github.com/aio-libs/aiohttp/issues/6916>
_Fixed bug when using
TCPConnector
withttl_dns_cache=0
.#​7014 <https://github.com/aio-libs/aiohttp/issues/7014>
_Fixed response returned from expect handler being thrown away. -- by :user:
Dreamsorcerer
#​7025 <https://github.com/aio-libs/aiohttp/issues/7025>
_Avoided raising
UnicodeDecodeError
in multipart and in HTTP headers parsing.#​7044 <https://github.com/aio-libs/aiohttp/issues/7044>
_Changed
sock_read
timeout to start after writing has finished, avoiding read timeouts caused by an unfinished write. -- by :user:dtrifiro
#​7149 <https://github.com/aio-libs/aiohttp/issues/7149>
_Fixed missing query in tracing method URLs when using
yarl
1.9+.#​7259 <https://github.com/aio-libs/aiohttp/issues/7259>
_Changed max 32-bit timestamp to an aware datetime object, for consistency with the non-32-bit one, and to avoid a
DeprecationWarning
on Python 3.12.#​7302 <https://github.com/aio-libs/aiohttp/issues/7302>
_Fixed
EmptyStreamReader.iter_chunks()
never ending. -- by :user:mind1m
#​7616 <https://github.com/aio-libs/aiohttp/issues/7616>
_Fixed a rare
RuntimeError: await wasn't used with future
exception. -- by :user:stalkerg
#​7785 <https://github.com/aio-libs/aiohttp/issues/7785>
_Fixed issue with insufficient HTTP method and version validation.
#​7700 <https://github.com/aio-libs/aiohttp/issues/7700>
_Added check to validate that absolute URIs have schemes.
#​7712 <https://github.com/aio-libs/aiohttp/issues/7712>
_Fixed unhandled exception when Python HTTP parser encounters unpaired Unicode surrogates.
#​7715 <https://github.com/aio-libs/aiohttp/issues/7715>
_Updated parser to disallow invalid characters in header field names and stop accepting LF as a request line separator.
#​7719 <https://github.com/aio-libs/aiohttp/issues/7719>
_Fixed Python HTTP parser not treating 204/304/1xx as an empty body.
#​7755 <https://github.com/aio-libs/aiohttp/issues/7755>
_Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3.
#​7756 <https://github.com/aio-libs/aiohttp/issues/7756>
_Fixed an issue when a client request is closed before completing a chunked payload. -- by :user:
Dreamsorcerer
#​7764 <https://github.com/aio-libs/aiohttp/issues/7764>
_Edge Case Handling for ResponseParser for missing reason value.
#​7776 <https://github.com/aio-libs/aiohttp/issues/7776>
_Fixed
ClientWebSocketResponse.close_code
being erroneously set toNone
when there are concurrent async tasks receiving data and closing the connection.#​7306 <https://github.com/aio-libs/aiohttp/issues/7306>
_Added HTTP method validation.
#​6533 <https://github.com/aio-libs/aiohttp/issues/6533>
_Fixed arbitrary sequence types being allowed to inject values via version parameter. -- by :user:
Dreamsorcerer
#​7835 <https://github.com/aio-libs/aiohttp/issues/7835>
_Performance: Fixed increase in latency with small messages from websocket compression changes.
#​7797 <https://github.com/aio-libs/aiohttp/issues/7797>
_Improved Documentation
Fixed the
ClientResponse.release
's type in the doc. Changed fromcomethod
tomethod
.#​5836 <https://github.com/aio-libs/aiohttp/issues/5836>
_Added information on behavior of base_url parameter in
ClientSession
.#​6647 <https://github.com/aio-libs/aiohttp/issues/6647>
_Fixed
ClientResponseError
docs.#​6700 <https://github.com/aio-libs/aiohttp/issues/6700>
_Updated Redis code examples to follow the latest API.
#​6907 <https://github.com/aio-libs/aiohttp/issues/6907>
_Added a note about possibly needing to update headers when using
on_response_prepare
. -- by :user:Dreamsorcerer
#​7283 <https://github.com/aio-libs/aiohttp/issues/7283>
_Completed
trust_env
parameter description to honorwss_proxy
,ws_proxy
orno_proxy
env.#​7325 <https://github.com/aio-libs/aiohttp/issues/7325>
_Expanded SSL documentation with more examples (e.g. how to use certifi). -- by :user:
Dreamsorcerer
#​7334 <https://github.com/aio-libs/aiohttp/issues/7334>
_Fix, update, and improve client exceptions documentation.
#​7733 <https://github.com/aio-libs/aiohttp/issues/7733>
_Deprecations and Removals
Added
shutdown_timeout
parameter toBaseRunner
, whiledeprecating
shutdown_timeout
parameter fromBaseSite
. -- by :user:Dreamsorcerer
#​7718 <https://github.com/aio-libs/aiohttp/issues/7718>
_Dropped Python 3.6 support.
#​6378 <https://github.com/aio-libs/aiohttp/issues/6378>
_Dropped Python 3.7 support. -- by :user:
Dreamsorcerer
#​7336 <https://github.com/aio-libs/aiohttp/issues/7336>
_Removed support for abandoned
tokio
event loop. -- by :user:Dreamsorcerer
#​7281 <https://github.com/aio-libs/aiohttp/issues/7281>
_Misc
Made
print
argument inrun_app()
optional.#​3690 <https://github.com/aio-libs/aiohttp/issues/3690>
_Improved performance of
ceil_timeout
in some cases.#​6316 <https://github.com/aio-libs/aiohttp/issues/6316>
_Changed importing Gunicorn to happen on-demand, decreasing import time by ~53%. -- :user:
Dreamsorcerer
#​6591 <https://github.com/aio-libs/aiohttp/issues/6591>
_Improved import time by replacing
http.server
withhttp.HTTPStatus
.#​6903 <https://github.com/aio-libs/aiohttp/issues/6903>
_Fixed annotation of
ssl
parameter to disallowTrue
. -- by :user:Dreamsorcerer
.#​7335 <https://github.com/aio-libs/aiohttp/issues/7335>
_Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.