Ben Darnell [Wed, 5 Jun 2024 20:50:37 +0000 (16:50 -0400)]
httputil: Only strip tabs and spaces from header values
The RFC specifies that only tabs and spaces should be stripped.
Removing additonal whitespace characters can lead to framing
errors with certain proxies.
Ben Darnell [Wed, 5 Jun 2024 20:50:11 +0000 (16:50 -0400)]
http1connection: Stricter handling of transfer-encoding
Unexpected transfer-encoding values were previously ignored and treated
as the HTTP/1.0 default of read-until-close. This can lead to framing
issues with certain proxies. We now treat any unexpected value as an
error.
Ben Darnell [Wed, 5 Jun 2024 19:43:45 +0000 (15:43 -0400)]
curl_httpclient,http1connection: Prohibit CR and LF in headers
libcurl does not check for CR and LF in headers, making this the
application's responsibility. However, Tornado's other HTTP interfaces
check for linefeeds so we should do the same here so that switching
between the simple and curl http clients does not introduce header
injection vulnerabilties.
http1connection previously checked only for LF in headers (alone or in a
CRLF pair). It now prohibits bare CR as well, following the requirement
in RFC 9112.
Ben Darnell [Tue, 4 Jun 2024 01:05:22 +0000 (21:05 -0400)]
ci: Update action versions for node deprecation
The changes to checkout and setup-python shouldn't have been major
version bumps. upload-artifact and download-artifact should have had
updated node versions on v3 so we don't have to adapt to incompatible
changes here. But anyway, here we are.
build.yml has updates from
https://github.com/pypa/cibuildwheel/blob/main/examples/github-deploy.yml
This commit also moves the pypi upload step to use OIDC instead of
a static token.
Ben Darnell [Mon, 3 Jun 2024 19:49:59 +0000 (15:49 -0400)]
testing: Replace _TestMethodWrapper with _callTestMethod
Overriding _callTestMethod (which was introduced in python 3.8) is a
less hacky way to detect tests that fail to use ``@gen_test`` where
needed. It's not documented, but since Python 3.11 has introduced a
similar check to the standard library we'll be able to remove it in the
near future.
The major impetus for this change is an incompatibility with
Pytest 8.2, which has made a change that tries to instantiate test
classes at discovery time without an existing method name.
Ben Darnell [Tue, 14 Nov 2023 03:02:32 +0000 (22:02 -0500)]
iostream_test: Test check_hostname functionality.
In #3337, the removal of ssl.match_hostname revealed that we did not
have any test coverage of hostname checking in tornado.iostream.
Since we were forced to remove the manual check that we had in place
for old versions of Python, we need a test to make sure that we didn't
inadvertently break hostname checking.
Ben Darnell [Wed, 11 Oct 2023 00:39:25 +0000 (20:39 -0400)]
test: Close the thread pool in run_on_executor test
If this executor was left around it would be GC'd at an unpredictable
time and would often be reported as a failure in other circlerefs tests.
(For unknown reasons this would occur most often in i686 (i.e. 32-bit)
linux builds).
Ben Darnell [Sat, 14 Oct 2023 02:39:41 +0000 (22:39 -0400)]
*: Lint on the newest version of python too.
We previously only typechecked on the oldest version of python we
supported, incorrectly assuming nothing we depended on would be
removed. Now we typecheck on the latest version of python.
Assume support for modern version of ssl and remove some pre-SNI
code paths which rely on functions that are now removed.
Ben Darnell [Sat, 14 Oct 2023 01:27:20 +0000 (21:27 -0400)]
docs: Update intersphinx references for python 3.12
Intersphinx links are currently an unpinned dependency, so when
a new version of python is released it's possible (although relatively
rare) for it to break our links. 3.12 removed a few members of
the ssl module.
Ben Darnell [Wed, 23 Aug 2023 01:27:05 +0000 (21:27 -0400)]
escape: Use the standard library where possible
Many of these functions were necessary in Python 2, but are now
redundant. We can simply use the standard library in many cases.
The only major change is in xhtml_unescape, where we now reject
invalid character references such as surrogates and control characters.
Update docs throughout to be more specific about differences from the
standard library. Also be more complete about the ``plus`` option to
the url escaping functions.
Ben Darnell [Tue, 22 Aug 2023 03:03:39 +0000 (23:03 -0400)]
ioloop,concurrent: Fix reference cycles
In a few places we were referring to a future via a closure instead
of using the reference passed as an argument to the callback. This
sometimes causes a reference cycle that can slow GC. This commit
adds a test which covers two of the cases (chain_future and the
concurrent.future branch of add_future) while the third was found by
inspecting other calls to add_done_callback for obvious instances of
this pattern.
This test has recently become flaky on windows CI, and before
investigating further, see if it's just because the CI machines are
overloaded and subprocesses are slower on windows.
Ben Darnell [Fri, 11 Aug 2023 01:41:40 +0000 (21:41 -0400)]
httpserver_test: Add ExpectLog to fix CI
The github security advisory feature lets you make private PRs but
it apparently doesn't support CI so this log failure wasn't caught
until after the PR was merged.
Ben Darnell [Wed, 9 Aug 2023 01:55:02 +0000 (21:55 -0400)]
http1connection: Make content-length parsing more strict
Content-length and chunk size parsing now strictly matches the RFCs.
We previously used the python int() function which accepted leading
plus signs and internal underscores, which are not allowed by the
HTTP RFCs (it also accepts minus signs, but these are less problematic
in this context since they'd result in errors elsewhere)
It is important to fix this because when combined with certain proxies,
the lax parsing could result in a request smuggling vulnerability (if
both Tornado and the proxy accepted an invalid content-length but
interpreted it differently). This is known to occur with old versions
of haproxy, although the current version of haproxy is unaffected.
Ben Darnell [Thu, 27 Jul 2023 00:15:12 +0000 (20:15 -0400)]
autoreload: Add --until-success flag
This flag terminates the autoreload loop after the first successful
run. This makes it possible to cleanly shut down a process that is using
"python -m tornado.autoreload" without printing a traceback.
build(deps): bump certifi from 2022.12.7 to 2023.7.22
Bumps [certifi](https://github.com/certifi/python-certifi) from 2022.12.7 to 2023.7.22.
- [Commits](https://github.com/certifi/python-certifi/compare/2022.12.07...2023.07.22)
Ben Darnell [Sun, 23 Jul 2023 02:10:18 +0000 (22:10 -0400)]
autoreload: Support directories in CLI wrapper
A previous commit added support for using autoreload within programs
that were started as directories; this commit supports them when
run with the -m tornado.autoreload wrapper.
This change may have side effects for file mode since we now use
runpy.run_path instead of executing the file by hand (I don't think
the run_path function existed when this code was originally written).
Ben Darnell [Fri, 14 Jul 2023 00:57:11 +0000 (20:57 -0400)]
autoreload: Support the ability to run a directory instead of a module
Running a directory has some but not all of the behavior of
running a module, including setting __spec__, so we must be careful
not to break things by assuming that __spec__ means module mode.
Ben Darnell [Sat, 8 Jul 2023 01:19:18 +0000 (21:19 -0400)]
asyncio: Remove atexit hook
This hook was added because of an only-in-CI issue, but we have since
improved our cleanup of the selector thread. As long as this passes
CI, I think we can remove the atexit hook.
Ben Darnell [Sat, 8 Jul 2023 00:04:27 +0000 (20:04 -0400)]
auth: Update facebook scope
The read_stream scope was replaced with user_posts; this change
was made to demos/facebook/facebook.py in #1674 but the corresponding
comment was not updated. The offline_access scope has also been removed
but seems irrelvant to this comment.
projects / thirdparty / tornado.git / log
