Ben Darnell [Fri, 23 May 2025 01:05:58 +0000 (21:05 -0400)]
ci: Use Windows ARM builders
Now that native ARM builders are available for windows, we can use
them instead of cross-compiling. This improves parallelism in our build
and speeds things up a bit, plus we can test the windows-arm builds now.
Also stop producing x86_64 builds for macos, since they are redundant
with the universal2 builds (the x86_64 builds were useful with older
version of pip, but they've been fully supported for 5 years now).
Ben Darnell [Thu, 22 May 2025 14:59:48 +0000 (10:59 -0400)]
httputil: Fix support for non-latin1 filenames in multipart uploads
The change to be stricter about characters allowed in HTTP headers
inadvertently broke support for non-latin1 filenames in multipart
uploads (this was missed in testing because our i18n test case only
used characters in latin1). This commit adds a hacky workaround without
changing any APIs to make it safe for a 6.5.1 patch release; a more
robust solution will follow for future releases.
Ben Darnell [Thu, 8 May 2025 17:29:43 +0000 (13:29 -0400)]
httputil: Raise errors instead of logging in multipart/form-data parsing
We used to continue after logging an error, which allowed repeated
errors to spam the logs. The error raised here will still be logged,
but only once per request, consistent with other error handling in
Tornado.
Ben Darnell [Fri, 25 Apr 2025 19:31:13 +0000 (15:31 -0400)]
httputil: Reject header lines beginning with invalid whitespace
The obs-fold feature is defined only for tabs and spaces.
The str.isspace() method also accepts other whitespace characters.
These characters are not valid in HTTP headers and should be treated
as errors instead of triggering line folding.
Ben Darnell [Fri, 25 Apr 2025 18:08:18 +0000 (14:08 -0400)]
httputil: Process the Host header more strictly
- It is now an error to have multiple Host headers
- The Host header is now mandatory except in HTTP/1.0 mode
- Host headers containing characters that are disallowed by RFC 3986
are now rejected
Ben Darnell [Fri, 25 Apr 2025 15:53:44 +0000 (11:53 -0400)]
websocket: deprecate callback argument to websocket_connect
This was missed in the 6.0-era deprecation of callback arguments.
The on_message_callback remains because even in coroutine-oriented
code it is often more convenient to use a callback than to
loop on read_message.
Oliver Sanders [Tue, 22 Apr 2025 17:19:00 +0000 (18:19 +0100)]
websockets: fix ping_timeout (#3376)
* websockets: fix ping_timeout
* Closes #3258
* Closes #2905
* Closes #2655
* Fixes an issue with the calculation of ping timeout interval that
could cause connections to be erroneously timed out and closed
from the server end.
Ben Darnell [Wed, 19 Feb 2025 19:06:22 +0000 (14:06 -0500)]
httputil: Improve handling of trailing whitespace in headers
HTTPHeaders had undocumented assumptions about trailing whitespace,
leading to an unintentional regression in Tornado 6.4.1 in which
passing the arguments of an AsyncHTTPClient header_callback to
HTTPHeaders.parse_line would result in errors.
This commit moves newline parsing from parse to parse_line.
It also strips trailing whitespace from continuation lines (trailing
whitespace is not allowed in HTTP headers, but we didn't reject it
in continuation lines).
This commit also deprecates continuation lines and the legacy
handling of LF without CR.
Ben Darnell [Thu, 27 Mar 2025 20:30:08 +0000 (16:30 -0400)]
httputil: Make parse_request_start_line stricter
The method is now restricted to being valid token characters as defined
in RFC 9110, allowing us to correctly issue status code 400 or 405
as appropriate (this can make a difference with some caching proxies).
The request-target no longer allows control characters. This is less
strict than the RFC (which does not allow non-ascii characters),
but prioritizes backwards compatibility.
Ben Darnell [Thu, 27 Mar 2025 20:22:33 +0000 (16:22 -0400)]
httputil: Centralize regexes based directly on RFCs
This will make it easier to stay in strict conformance with the RFCs.
Note that this commit makes a few small semantic changes to response
start-line parsing: status codes must be exactly three digits, and
control characters are not allowed in reason phrases.
Ben Darnell [Fri, 28 Feb 2025 02:45:49 +0000 (21:45 -0500)]
ci: Add a cibuildwheel test run to test.yml
This lets us test the cibuildwheel workflow independently of the
infrequently-run build.yml. It also gives us an easy way to test
freethreading builds.
Ben Darnell [Thu, 20 Feb 2025 22:47:25 +0000 (17:47 -0500)]
Merge pull request #3461 from bdarnell/deprecations-314
Python 3.14 deprecates the asyncio event loop policy system, so make (most of) the necessary changes.
The deprecation of set_event_loop is extremely disruptive to AsyncTestCase, so I've asked if it can remain undeprecated in python/cpython#130322. The testing.py changes are temporary until this is resolved.
Ben Darnell [Thu, 20 Feb 2025 19:22:14 +0000 (14:22 -0500)]
testing: Suppress deprecation warnings in AsyncTestCase
This is a temporary measure to get CI passing while the fate of these
deprecation warnings is decided in
https://github.com/python/cpython/issues/130322
Ben Darnell [Wed, 19 Feb 2025 19:43:04 +0000 (14:43 -0500)]
asyncio_test: Remove obsolete cleanup logic
Per comments, we needed to set and restore the event loop policy
in Python 3.4, but it no longer seems to be necessary (and
raises DeprecationWarnings in Python 3.14).