From 32f30c505bb54707a0a5209fc48a3a2c8fdbe10f Mon Sep 17 00:00:00 2001 From: Elvis Pranskevichus Date: Tue, 10 Aug 2021 11:09:32 -0700 Subject: [PATCH 01/22] httptools 0.3.0 This release has no functional changes, only packaging: Python 3.5 is EOL, so wheels are no longer built, and Python 3.10 has been added to the roster along with aarch64 wheels on Linux and universal2 wheels on macOS. Changes: * Use cibuildwheel to build release wheels (by @elprans in 2f57b6b7) --- httptools/_version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/httptools/_version.py b/httptools/_version.py index a33433c..1878dfc 100644 --- a/httptools/_version.py +++ b/httptools/_version.py @@ -10,4 +10,4 @@ # supported platforms, publish the packages on PyPI, merge the PR # to the target branch, create a Git tag pointing to the commit. -__version__ = '0.2.0' +__version__ = '0.3.0' From 43eebf94e942a33aae47a9530c6ada60a7da2954 Mon Sep 17 00:00:00 2001 From: Wouter Kayser Date: Wed, 10 Nov 2021 18:10:18 +0100 Subject: [PATCH 02/22] Version bump for cibuildwheel (#74) This will now support musllinux wheel builds. --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b1ecfd4..7a35cef 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -113,7 +113,7 @@ jobs: with: platforms: arm64 - - uses: pypa/cibuildwheel@v2.1.1 + - uses: pypa/cibuildwheel@v2.2.2 env: CIBW_BUILD_VERBOSITY: 1 CIBW_BUILD: ${{ matrix.cibw_python }} From 4d5dddd3aa54a9aa3a33215c557c45f6a5bfc5e7 Mon Sep 17 00:00:00 2001 From: Elvis Pranskevichus Date: Tue, 22 Feb 2022 10:34:21 -0800 Subject: [PATCH 03/22] Bump http-parser to 2.9.4 and llhttp to 6.0.6 (#77) Fixes: #76 Closes: #67 --- tests/test_parser.py | 3 +++ vendor/http-parser | 2 +- vendor/llhttp | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) 
diff --git a/tests/test_parser.py b/tests/test_parser.py index f4136d6..8cce866 100644 --- a/tests/test_parser.py +++ b/tests/test_parser.py @@ -101,6 +101,9 @@ def test_parser_response_1(self): self.assertFalse(m.on_chunk_header.called) self.assertFalse(m.on_chunk_complete.called) + def test_parser_response_1b(self): + p = httptools.HttpResponseParser(None) + with self.assertRaisesRegex( httptools.HttpParserError, 'Expected HTTP/'): diff --git a/vendor/http-parser b/vendor/http-parser index 0d0a24e..2343fd6 160000 --- a/vendor/http-parser +++ b/vendor/http-parser @@ -1 +1 @@ -Subproject commit 0d0a24e19eb5ba232d2ea8859aba2a7cc6c42bc4 +Subproject commit 2343fd6b5214b2ded2cdcf76de2bf60903bb90cd diff --git a/vendor/llhttp b/vendor/llhttp index 3523423..4bfeb62 160000 --- a/vendor/llhttp +++ b/vendor/llhttp @@ -1 +1 @@ -Subproject commit 3523423483a61179f47cc7ff0da012fb6f81ec1b +Subproject commit 4bfeb625ce4961bd539c95593529936503be7db4 From 9083630dd54c916d649f180b307ea5caca93588e Mon Sep 17 00:00:00 2001 From: Elvis Pranskevichus Date: Tue, 22 Feb 2022 10:40:28 -0800 Subject: [PATCH 04/22] workflows: Test on 3.10 final --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index efa9cd6..606bffb 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -14,7 +14,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - python-version: [3.5, 3.6, 3.7, 3.8, 3.9, 3.10.0-rc.1] + python-version: ["3.5", "3.6", "3.7", "3.8", "3.9", "3.10"] os: [windows-latest, ubuntu-latest, macos-latest] exclude: # Python 3.5 is unable to properly From bbc379179476f2cfe7d3aa7d4f544c4ee5957a4d Mon Sep 17 00:00:00 2001 
From: Elvis Pranskevichus Date: Tue, 22 Feb 2022 10:41:30 -0800 Subject: [PATCH 05/22] httptools 0.4.0 Changes ======= * Bump bundled http-parser to 2.9.4 and llhttp to 6.0.6 fixes CVE-2021-22959 & CVE-2021-22960 (by @elprans in 4d5dddd3 for #77) --- httptools/_version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/httptools/_version.py b/httptools/_version.py index 1878dfc..adce898 100644 --- a/httptools/_version.py +++ b/httptools/_version.py @@ -10,4 +10,4 @@ # supported platforms, publish the packages on PyPI, merge the PR # to the target branch, create a Git tag pointing to the commit. -__version__ = '0.3.0' +__version__ = '0.4.0' From 56d6a1635fce284c60ff7952510669c50adb1eef Mon Sep 17 00:00:00 2001 From: nlsj1985 <70347163+nlsj1985@users.noreply.github.com> Date: Tue, 13 Sep 2022 06:42:35 +0200 Subject: [PATCH 06/22] Update llhttp to version 6.0.9 (#83) pls note that CRLF delimited headers are required (per HTTP spec also) since the 6.0.7 security update of NodeJS / llhttp --- .gitmodules | 1 + tests/test_parser.py | 44 ++++++++++++++++++++++---------------------- vendor/llhttp | 2 +- 3 files changed, 24 insertions(+), 23 deletions(-) diff --git a/.gitmodules b/.gitmodules index 52392af..85c6ce7 100644 --- a/.gitmodules +++ b/.gitmodules @@ -4,3 +4,4 @@ [submodule "vendor/llhttp"] path = vendor/llhttp url = https://github.com/nodejs/llhttp.git + branch = release diff --git a/tests/test_parser.py b/tests/test_parser.py index 8cce866..a169a9a 100644 --- a/tests/test_parser.py +++ b/tests/test_parser.py @@ -16,7 +16,7 @@ Accept-Ranges: bytes Connection: close -''' +'''.replace(b'\n', b'\r\n') RESPONSE1_BODY = b''' 
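Review bot: No test in this commit asserts that LF-only header delimiters are now rejected; the `RESPONSE1_HEAD` fixture here, like the fixtures in the `@@ -29,31` hunk, is only rewritten to CRLF so the existing positive tests keep passing. All 22 changed lines in tests/test_parser.py are such rewrites, so a later parser bump or a relaxed default could re-admit bare-LF headers without any test failing. Because the commit message ties the CRLF requirement to the llhttp 6.0.7 security update, I would add a negative case that feeds the pre-change LF-only bytes to a fresh `httptools.HttpResponseParser(None)` inside `with self.assertRaises(httptools.HttpParserError):`. A matching case for a request line carrying `HTTP/1.2` would be worth adding if the bumped parser rejects that version, which is inferred from the fixture change and not shown here.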
@@ -29,31 +29,31 @@ ''' -CHUNKED_REQUEST1_1 = b'''POST /test.php?a=b+c HTTP/1.2 -User-Agent: Fooo -Host: bar -Transfer-Encoding: chunked +CHUNKED_REQUEST1_1 = b'''POST /test.php?a=b+c HTTP/1.1\r +User-Agent: Fooo\r +Host: bar\r +Transfer-Encoding: chunked\r 5\r\nhello\r\n6\r\n world\r\n''' CHUNKED_REQUEST1_2 = b'''0\r\nVary: *\r\nUser-Agent: spam\r\n\r\n''' -CHUNKED_REQUEST1_3 = b'''POST /test.php?a=b+c HTTP/1.2 -User-Agent: Fooo -Host: bar -Transfer-Encoding: chunked +CHUNKED_REQUEST1_3 = b'''POST /test.php?a=b+c HTTP/1.1\r +User-Agent: Fooo\r +Host: bar\r +Transfer-Encoding: chunked\r b\r\n+\xce\xcfM\xb5MI,I\x04\x00\r\n0\r\n\r\n''' -UPGRADE_REQUEST1 = b'''GET /demo HTTP/1.1 -Host: example.com -Connection: Upgrade -Sec-WebSocket-Key2: 12998 5 Y3 1 .P00 -Sec-WebSocket-Protocol: sample -Upgrade: WebSocket -Sec-WebSocket-Key1: 4 @1 46546xW%0l 1 5 -Origin: http://example.com +UPGRADE_REQUEST1 = b'''GET /demo HTTP/1.1\r +Host: example.com\r +Connection: Upgrade\r +Sec-WebSocket-Key2: 12998 5 Y3 1 .P00\r +Sec-WebSocket-Protocol: sample\r +Upgrade: WebSocket\r +Sec-WebSocket-Key1: 4 @1 46546xW%0l 1 5\r +Origin: http://example.com\r Hot diggity dogg''' @@ -233,7 +233,7 @@ def test_parser_request_chunked_1(self): m.on_message_begin.assert_called_once_with() m.on_url.assert_called_once_with(b'/test.php?a=b+c') - self.assertEqual(p.get_http_version(), '1.2') + self.assertEqual(p.get_http_version(), '1.1') m.on_header.assert_called_with(b'Transfer-Encoding', b'chunked') m.on_chunk_header.assert_called_with() @@ -316,7 +316,7 @@ def test_parser_request_chunked_3(self): self.assertEqual(p.get_method(), b'POST') m.on_url.assert_called_once_with(b'/test.php?a=b+c') - self.assertEqual(p.get_http_version(), '1.2') + self.assertEqual(p.get_http_version(), '1.1') m.on_header.assert_called_with(b'Transfer-Encoding', b'chunked') m.on_chunk_header.assert_called_with() 
@@ -439,17 +439,17 @@ class Error(Exception): def test_parser_request_2(self): p = httptools.HttpRequestParser(None) with self.assertRaises(httptools.HttpParserInvalidMethodError): - p.feed_data(b'SPAM /test.php?a=b+c HTTP/1.2') + p.feed_data(b'SPAM /test.php?a=b+c HTTP/1.1') def test_parser_request_3(self): p = httptools.HttpRequestParser(None) with self.assertRaises(httptools.HttpParserInvalidURLError): - p.feed_data(b'POST HTTP/1.2') + p.feed_data(b'POST HTTP/1.1') def test_parser_request_4(self): p = httptools.HttpRequestParser(None) with self.assertRaisesRegex(TypeError, 'a bytes-like object'): - p.feed_data('POST HTTP/1.2') + p.feed_data('POST HTTP/1.1') def test_parser_request_fragmented(self): m = mock.Mock() diff --git a/vendor/llhttp b/vendor/llhttp index 4bfeb62..6d954cb 160000 --- a/vendor/llhttp +++ b/vendor/llhttp @@ -1 +1 @@ -Subproject commit 4bfeb625ce4961bd539c95593529936503be7db4 +Subproject commit 6d954cbdc7f641f0a63a4427cf4d6be397f74ee8 From 509cd149e43c65493918055438c9f673c57ac060 Mon Sep 17 00:00:00 2001 From: Elvis Pranskevichus Date: Mon, 12 Sep 2022 21:53:00 -0700 Subject: [PATCH 07/22] Test and build against Python 3.11 (#84) --- .github/workflows/release.yml | 3 ++- .github/workflows/tests.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7a35cef..3041542 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -78,6 +78,7 @@ jobs: - "cp38-*" - "cp39-*" - "cp310-*" + - "cp311-*" exclude: - os: ubuntu-latest cibw_arch: universal2 @@ -113,7 +114,7 @@ jobs: with: platforms: arm64 - - uses: pypa/cibuildwheel@v2.2.2 + - uses: pypa/cibuildwheel@v2.9.0 env: CIBW_BUILD_VERBOSITY: 1 CIBW_BUILD: ${{ matrix.cibw_python }} diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 606bffb..b0b4e5c 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
@@ -14,7 +14,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - python-version: ["3.5", "3.6", "3.7", "3.8", "3.9", "3.10"] + python-version: ["3.5", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11.0-rc.2"] os: [windows-latest, ubuntu-latest, macos-latest] exclude: # Python 3.5 is unable to properly From 7b1b43b4790558ff39a3dd81b72a3793091bcd49 Mon Sep 17 00:00:00 2001 From: Elvis Pranskevichus Date: Mon, 12 Sep 2022 21:55:45 -0700 Subject: [PATCH 08/22] httptools 0.5.0 Changes ======= * Bump bundled llhttp to 6.0.9 fixes CVE-2022-32213, CVE-2022-32214, CVE-2022-32215 (by @nlsj1985 in 56d6a163 for #83) * Test and build against Python 3.11 (by @elprans in 509cd149 for #84) --- httptools/_version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/httptools/_version.py b/httptools/_version.py index adce898..2229837 100644 --- a/httptools/_version.py +++ b/httptools/_version.py @@ -10,4 +10,4 @@ # supported platforms, publish the packages on PyPI, merge the PR # to the target branch, create a Git tag pointing to the commit. -__version__ = '0.4.0' +__version__ = '0.5.0' From 6c6812a6968219026565cf5689216ec49f51452d Mon Sep 17 00:00:00 2001 From: Fantix King Date: Fri, 7 Jul 2023 05:51:29 +0900 Subject: [PATCH 09/22] Bump bundled llhttp to 8.1.1 (#91) Also drop Python 3.5/3.6 in CI/CD, however Python 3.5 is kept in setup.py --- .github/workflows/release.yml | 4 ---- .github/workflows/tests.yml | 8 +------- vendor/llhttp | 2 +- 3 files changed, 2 insertions(+), 12 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3041542..bc02466 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -73,7 +73,6 @@ jobs: os: [ubuntu-latest, macos-latest, windows-latest] cibw_arch: ["auto64", "aarch64", "universal2"] cibw_python: - - "cp36-*" - "cp37-*" - "cp38-*" - "cp39-*" 
@@ -84,9 +83,6 @@ jobs: cibw_arch: universal2 - os: macos-latest cibw_arch: aarch64 - - os: macos-latest - cibw_python: "cp36-*" - cibw_arch: universal2 - os: macos-latest cibw_python: "cp37-*" cibw_arch: universal2 diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index b0b4e5c..902f564 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -14,14 +14,8 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - python-version: ["3.5", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11.0-rc.2"] + python-version: ["3.7", "3.8", "3.9", "3.10", "3.11"] os: [windows-latest, ubuntu-latest, macos-latest] - exclude: - # Python 3.5 is unable to properly - # find the recent VS tooling - # https://bugs.python.org/issue30389 - - os: windows-latest - python-version: 3.5 env: PIP_DISABLE_PIP_VERSION_CHECK: 1 diff --git a/vendor/llhttp b/vendor/llhttp index 6d954cb..caed04d 160000 --- a/vendor/llhttp +++ b/vendor/llhttp @@ -1 +1 @@ -Subproject commit 6d954cbdc7f641f0a63a4427cf4d6be397f74ee8 +Subproject commit caed04d6c1251e54c642bddfc7d0330af234f0d3 From 1599df9ed2e73540c19467af52dad277bbc42592 Mon Sep 17 00:00:00 2001 From: Fantix King Date: Thu, 6 Jul 2023 17:26:29 -0400 Subject: [PATCH 10/22] httptools 0.6.0 Changes ======= * Bump bundled llhttp to 8.1.1 (by @fantix in 6c6812a for #91) --- httptools/_version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/httptools/_version.py b/httptools/_version.py index 2229837..3116a2e 100644 --- a/httptools/_version.py +++ b/httptools/_version.py @@ -10,4 +10,4 @@ # supported platforms, publish the packages on PyPI, merge the PR # to the target branch, create a Git tag pointing to the commit. -__version__ = '0.5.0' +__version__ = '0.6.0' From 25f412bdb8e29ecb5d833c1f074358ef04428ccd Mon Sep 17 00:00:00 2001 
From: Tip ten Brink <75669206+tiptenbrink@users.noreply.github.com> Date: Mon, 16 Oct 2023 18:58:27 +0200 Subject: [PATCH 11/22] Explicit Python 3.12 support and build wheels, change min version to 3.8 (#95) --- .github/workflows/release.yml | 2 +- .github/workflows/tests.yml | 2 +- setup.py | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bc02466..7f24971 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -73,11 +73,11 @@ jobs: os: [ubuntu-latest, macos-latest, windows-latest] cibw_arch: ["auto64", "aarch64", "universal2"] cibw_python: - - "cp37-*" - "cp38-*" - "cp39-*" - "cp310-*" - "cp311-*" + - "cp312-*" exclude: - os: ubuntu-latest cibw_arch: universal2 diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 902f564..b1030fc 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -14,7 +14,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - python-version: ["3.7", "3.8", "3.9", "3.10", "3.11"] + python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"] os: [windows-latest, ubuntu-latest, macos-latest] env: diff --git a/setup.py b/setup.py index af36dc8..129cc8b 100644 --- a/setup.py +++ b/setup.py @@ -1,8 +1,8 @@ import sys vi = sys.version_info -if vi < (3, 5): - raise RuntimeError('httptools require Python 3.5 or greater') +if vi < (3, 8): + raise RuntimeError('httptools require Python 3.8 or greater') else: import os.path import pathlib @@ -185,7 +185,7 @@ def build_extensions(self): 'Development Status :: 5 - Production/Stable', ], platforms=['macOS', 'POSIX', 'Windows'], - python_requires='>=3.5.0', + python_requires='>=3.8.0', zip_safe=False, author='Yury Selivanov', author_email='yury@magic.io', From b2fc5bdf535907f0ec173566973a43f3f3fb3871 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Mon, 16 Oct 2023 19:11:12 +0200 Subject: [PATCH 12/22] Do not install the *.c sources (#73) Co-authored-by: Fantix King --- setup.py | 1 + 1 file changed, 1 insertion(+) diff --git a/setup.py b/setup.py index 129cc8b..200e6f6 100644 --- a/setup.py +++ b/setup.py @@ -211,6 +211,7 @@ def build_extensions(self): ), ], include_package_data=True, + exclude_package_data={"": ["*.c", "*.h"]}, test_suite='tests.suite', setup_requires=setup_requires, extras_require={ From 51af36954b99780342c4d38612315e48120565c8 Mon Sep 17 00:00:00 2001 From: Fantix King Date: Tue, 17 Oct 2023 02:30:24 +0900 Subject: [PATCH 13/22] Update CI (#97) --- .github/workflows/release.yml | 28 ++++++++++++++-------------- .github/workflows/tests.yml | 6 +++--- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7f24971..75b05ca 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Validate release PR - uses: edgedb/action-release/validate-pr@master + uses: edgedb/action-release/validate-pr@bae6b9134e872166b43d218dd79397c851c41c9a id: checkver with: require_team: Release Managers @@ -37,7 +37,7 @@ jobs: mkdir -p dist/ echo "${VERSION}" > dist/VERSION - - uses: actions/upload-artifact@v2 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: dist path: dist/ 
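Review bot: The `edgedb/action-release/validate-pr` pin in this hunk carries no trailing comment saying what the SHA corresponds to, unlike the other pinned actions in this commit, which record the tag (`# v4.1.0`, `# v3.1.3`). The same applies to `edgedb/action-release/merge` and `elprans/gh-action-create-release` in the later release.yml hunks, and to `validate-pr` in tests.yml. A bare 40-character SHA cannot be audited or bumped without looking the commit up, so I would append a comment such as `# master as of <DATE>` (placeholder) to each of those `uses:` lines.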
@@ -47,20 +47,20 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 with: fetch-depth: 50 submodules: true - name: Set up Python - uses: actions/setup-python@v2 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 - name: Build source distribution run: | python -m pip install -U setuptools wheel pip python setup.py sdist - - uses: actions/upload-artifact@v2 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: dist path: dist/*.tar.* @@ -99,18 +99,18 @@ jobs: PIP_DISABLE_PIP_VERSION_CHECK: 1 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 with: fetch-depth: 50 submodules: true - name: Set up QEMU if: matrix.os == 'ubuntu-latest' && matrix.cibw_arch == 'aarch64' - uses: docker/setup-qemu-action@v1 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 with: platforms: arm64 - - uses: pypa/cibuildwheel@v2.9.0 + - uses: pypa/cibuildwheel@fff9ec32ed25a9c576750c91e06b410ed0c15db7 # v2.16.2 env: CIBW_BUILD_VERBOSITY: 1 CIBW_BUILD: ${{ matrix.cibw_python }} @@ -120,7 +120,7 @@ jobs: CIBW_TEST_COMMAND_WINDOWS: "python {project}\\tests\\__init__.py" CIBW_TEST_SKIP: "*universal2:arm64" - - uses: actions/upload-artifact@v2 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: dist path: wheelhouse/*.whl @@ -130,12 +130,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 with: fetch-depth: 5 submodules: false - - uses: actions/download-artifact@v2 + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: dist path: dist/ 
@@ -148,7 +148,7 @@ jobs: rm dist/VERSION - name: Merge and tag the PR - uses: edgedb/action-release/merge@master + uses: edgedb/action-release/merge@bae6b9134e872166b43d218dd79397c851c41c9a with: github_token: ${{ secrets.RELEASE_BOT_GITHUB_TOKEN }} ssh_key: ${{ secrets.RELEASE_BOT_SSH_KEY }} @@ -157,7 +157,7 @@ jobs: tag_name: v${{ steps.relver.outputs.version }} - name: Publish Github Release - uses: elprans/gh-action-create-release@master + uses: elprans/gh-action-create-release@5f9abb8f0677196a76ea77e64341fa8ca31dad4f env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -171,7 +171,7 @@ jobs: ls -al dist/ - name: Upload to PyPI - uses: pypa/gh-action-pypi-publish@master + uses: pypa/gh-action-pypi-publish@b7f401de30cb6434a1e19f805ff006643653240e # v1.8.10 with: user: __token__ password: ${{ secrets.PYPI_TOKEN }} diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index b1030fc..1c415c2 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -21,13 +21,13 @@ jobs: PIP_DISABLE_PIP_VERSION_CHECK: 1 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 with: fetch-depth: 50 submodules: true - name: Check if release PR. - uses: edgedb/action-release/validate-pr@master + uses: edgedb/action-release/validate-pr@bae6b9134e872166b43d218dd79397c851c41c9a id: release with: github_token: ${{ secrets.RELEASE_BOT_GITHUB_TOKEN }} @@ -37,7 +37,7 @@ jobs: __version__\s*=\s*(?:['"])([[:PEP440:]])(?:['"]) - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v2 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 if: steps.release.outputs.version == 0 with: python-version: ${{ matrix.python-version }} From de13727218c8e5855e6299ec2734f7c7b801d4a4 Mon Sep 17 00:00:00 2001 
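Review bot: The `Upload to PyPI` step in the `@@ -171,7` hunk still authenticates with a long-lived API token (`password: ${{ secrets.PYPI_TOKEN }}`), and pinning the action to a SHA does not reduce the impact if that token leaks. As far as I know, the pinned `pypa/gh-action-pypi-publish` release supports PyPI trusted publishing. If so, the step could drop `user`/`password`, and the publish job could instead declare `permissions:` with `id-token: write`, once a trusted publisher is configured on the PyPI project. Whether the job already has a `permissions` block is not visible, since the job header is outside the hunk.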
From: Fantix King Date: Mon, 16 Oct 2023 13:13:38 -0400 Subject: [PATCH 14/22] httptools 0.6.1 Changes ======= * Explicit Python 3.12 support and build wheels, change min version to 3.8 (#95) (by @tiptenbrink in 25f412bd for #95) * Do not install the *.c sources in wheels (#73) (by @hroncok in b2fc5bdf for #73) --- httptools/_version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/httptools/_version.py b/httptools/_version.py index 3116a2e..51078cc 100644 --- a/httptools/_version.py +++ b/httptools/_version.py @@ -10,4 +10,4 @@ # supported platforms, publish the packages on PyPI, merge the PR # to the target branch, create a Git tag pointing to the commit. -__version__ = '0.6.0' +__version__ = '0.6.1' From ad9765b3f7908c47c28ac36311383180774fd969 Mon Sep 17 00:00:00 2001 From: James Hilliard Date: Mon, 14 Oct 2024 12:05:27 -0500 Subject: [PATCH 15/22] Fix build and run tests on Python 3.13 (#107) --------- Co-authored-by: Thomas A Caswell Co-authored-by: Fabien Bousquet Co-authored-by: Fantix King --- .github/workflows/release.yml | 47 +++++++++++++++++------------------ .github/workflows/tests.yml | 6 ++--- setup.py | 2 +- 3 files changed, 27 insertions(+), 28 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 75b05ca..036efc8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -37,9 +37,9 @@ jobs: mkdir -p dist/ echo "${VERSION}" > dist/VERSION - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: - name: dist + name: dist-version path: dist/ build-sdist: 
@@ -47,22 +47,22 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 50 submodules: true - name: Set up Python - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 - name: Build source distribution run: | python -m pip install -U setuptools wheel pip python setup.py sdist - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: - name: dist + name: dist-sdist path: dist/*.tar.* build-wheels: @@ -73,19 +73,17 @@ jobs: os: [ubuntu-latest, macos-latest, windows-latest] cibw_arch: ["auto64", "aarch64", "universal2"] cibw_python: - - "cp38-*" - - "cp39-*" - - "cp310-*" - - "cp311-*" - - "cp312-*" + - "cp38" + - "cp39" + - "cp310" + - "cp311" + - "cp312" + - "cp313" exclude: - os: ubuntu-latest cibw_arch: universal2 - os: macos-latest cibw_arch: aarch64 - - os: macos-latest - cibw_python: "cp37-*" - cibw_arch: universal2 - os: windows-latest cibw_arch: universal2 - os: windows-latest 
@@ -99,30 +97,30 @@ jobs: PIP_DISABLE_PIP_VERSION_CHECK: 1 steps: - - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 50 submodules: true - name: Set up QEMU if: matrix.os == 'ubuntu-latest' && matrix.cibw_arch == 'aarch64' - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 with: platforms: arm64 - - uses: pypa/cibuildwheel@fff9ec32ed25a9c576750c91e06b410ed0c15db7 # v2.16.2 + - uses: pypa/cibuildwheel@7940a4c0e76eb2030e473a5f864f291f63ee879b # v2.21.3 env: CIBW_BUILD_VERBOSITY: 1 - CIBW_BUILD: ${{ matrix.cibw_python }} + CIBW_BUILD: ${{ matrix.cibw_python }}-* CIBW_ARCHS: ${{ matrix.cibw_arch }} CIBW_TEST_EXTRAS: "test" CIBW_TEST_COMMAND: "python {project}/tests/__init__.py" CIBW_TEST_COMMAND_WINDOWS: "python {project}\\tests\\__init__.py" CIBW_TEST_SKIP: "*universal2:arm64" - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: - name: dist + name: dist-${{ matrix.os }}-${{ matrix.cibw_arch }}-${{ matrix.cibw_python }} path: wheelhouse/*.whl publish: @@ -130,14 +128,15 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 5 submodules: false - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: - name: dist + pattern: dist-* + merge-multiple: true path: dist/ - name: Extract Release Version 
@@ -171,7 +170,7 @@ jobs: ls -al dist/ - name: Upload to PyPI - uses: pypa/gh-action-pypi-publish@b7f401de30cb6434a1e19f805ff006643653240e # v1.8.10 + uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # v1.10.3 with: user: __token__ password: ${{ secrets.PYPI_TOKEN }} diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 1c415c2..7c85de3 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -14,14 +14,14 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"] + python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13"] os: [windows-latest, ubuntu-latest, macos-latest] env: PIP_DISABLE_PIP_VERSION_CHECK: 1 steps: - - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 50 submodules: true @@ -37,7 +37,7 @@ jobs: __version__\s*=\s*(?:['"])([[:PEP440:]])(?:['"]) - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 if: steps.release.outputs.version == 0 with: python-version: ${{ matrix.python-version }} diff --git a/setup.py b/setup.py index 200e6f6..adca1f8 100644 --- a/setup.py +++ b/setup.py @@ -15,7 +15,7 @@ ROOT = pathlib.Path(__file__).parent -CYTHON_DEPENDENCY = 'Cython(>=0.29.24,<0.30.0)' +CYTHON_DEPENDENCY = 'Cython>=0.29.24' class httptools_build_ext(build_ext): From a2ed91d7c07bedd31d117fc2a3880305c81ecdfd Mon Sep 17 00:00:00 2001 From: Fantix King Date: Mon, 14 Oct 2024 13:09:55 -0400 Subject: [PATCH 16/22] httptools 0.6.2 Fixes ===== * Fix build and run tests on Python 3.13 (#107) (by @jameshilliard @tacaswell @fafanoulele @fantix in ad9765b3 for #98 #104) --- httptools/_version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
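Review bot: Dropping the `<0.30.0` cap in the setup.py hunk leaves `CYTHON_DEPENDENCY` with no upper bound, so any future Cython release will satisfy the build requirement. A new major with different code-generation defaults would then be picked up by source builds without having been tested here. I would keep an upper bound at the first major that CI has not built against, in the form `CYTHON_DEPENDENCY = 'Cython>=0.29.24,<N'`, where N is a placeholder for that major. A short comment beside it should say which Cython series the released wheels were generated with. How the constant is consumed is outside the hunk, so confirm that the bound reaches the actual build requirement.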
diff --git a/httptools/_version.py b/httptools/_version.py index 51078cc..c1c278c 100644 --- a/httptools/_version.py +++ b/httptools/_version.py @@ -10,4 +10,4 @@ # supported platforms, publish the packages on PyPI, merge the PR # to the target branch, create a Git tag pointing to the commit. -__version__ = '0.6.1' +__version__ = '0.6.2' From 21a199d3d7a15bea7c9c96596b6bfa5c965167fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= Date: Wed, 16 Oct 2024 19:28:36 +0200 Subject: [PATCH 17/22] Fix missing CR is some tests (#112) Some of the tests explicitly add "\r" to line endings but fail to do so in empty lines. This causes parsing failures in llhttp-9. Fix them to use CRLF consistently across all lines. --- tests/test_parser.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/test_parser.py b/tests/test_parser.py index a169a9a..7535e1f 100644 --- a/tests/test_parser.py +++ b/tests/test_parser.py @@ -33,7 +33,7 @@ User-Agent: Fooo\r Host: bar\r Transfer-Encoding: chunked\r - +\r 5\r\nhello\r\n6\r\n world\r\n''' CHUNKED_REQUEST1_2 = b'''0\r\nVary: *\r\nUser-Agent: spam\r\n\r\n''' @@ -42,7 +42,7 @@ User-Agent: Fooo\r Host: bar\r Transfer-Encoding: chunked\r - +\r b\r\n+\xce\xcfM\xb5MI,I\x04\x00\r\n0\r\n\r\n''' @@ -54,7 +54,7 @@ Upgrade: WebSocket\r Sec-WebSocket-Key1: 4 @1 46546xW%0l 1 5\r Origin: http://example.com\r - +\r Hot diggity dogg''' UPGRADE_RESPONSE1 = b'''HTTP/1.1 101 Switching Protocols From 560bd9eabf121de6eb2c7476e18becb02dcb8867 Mon Sep 17 00:00:00 2001 
From: Elvis Pranskevichus Date: Wed, 16 Oct 2024 12:16:45 -0700 Subject: [PATCH 18/22] Bump bundled llhttp to 9.2.1 (#113) CVE-2024-27982 Expose leniency flags via the new `set_dangerous_leniencies` parser method if somebody needs to opt into the old vulnerable behavior. Fixes: #111 --- httptools/parser/cparser.pxd | 11 +++++++ httptools/parser/parser.pyx | 49 ++++++++++++++++++++++++++++- tests/test_parser.py | 61 +++++++++++++++++++++++++++++++++++- vendor/llhttp | 2 +- 4 files changed, 120 insertions(+), 3 deletions(-) diff --git a/httptools/parser/cparser.pxd b/httptools/parser/cparser.pxd index 617f0c1..3281864 100644 --- a/httptools/parser/cparser.pxd +++ b/httptools/parser/cparser.pxd @@ -154,3 +154,14 @@ cdef extern from "llhttp.h": const char* llhttp_method_name(llhttp_method_t method) void llhttp_set_error_reason(llhttp_t* parser, const char* reason); + + void llhttp_set_lenient_headers(llhttp_t* parser, bint enabled); + void llhttp_set_lenient_chunked_length(llhttp_t* parser, bint enabled); + void llhttp_set_lenient_keep_alive(llhttp_t* parser, bint enabled); + void llhttp_set_lenient_transfer_encoding(llhttp_t* parser, bint enabled); + void llhttp_set_lenient_version(llhttp_t* parser, bint enabled); + void llhttp_set_lenient_data_after_close(llhttp_t* parser, bint enabled); + void llhttp_set_lenient_optional_lf_after_cr(llhttp_t* parser, bint enabled); + void llhttp_set_lenient_optional_cr_before_lf(llhttp_t* parser, bint enabled); + void llhttp_set_lenient_optional_crlf_after_chunk(llhttp_t* parser, bint enabled); + void llhttp_set_lenient_spaces_after_chunk_size(llhttp_t* parser, bint enabled); diff --git a/httptools/parser/parser.pyx b/httptools/parser/parser.pyx index 6877aa1..2fa5026 100644 --- a/httptools/parser/parser.pyx +++ b/httptools/parser/parser.pyx 
@@ -1,6 +1,8 @@ #cython: language_level=3 from __future__ import print_function +from typing import Optional + from cpython.mem cimport PyMem_Malloc, PyMem_Free from cpython cimport PyObject_GetBuffer, PyBuffer_Release, PyBUF_SIMPLE, \ Py_buffer, PyBytes_AsString 
@@ -144,6 +146,51 @@ cdef class HttpParser: ### Public API ### + def set_dangerous_leniencies( + self, + lenient_headers: Optional[bool] = None, + lenient_chunked_length: Optional[bool] = None, + lenient_keep_alive: Optional[bool] = None, + lenient_transfer_encoding: Optional[bool] = None, + lenient_version: Optional[bool] = None, + lenient_data_after_close: Optional[bool] = None, + lenient_optional_lf_after_cr: Optional[bool] = None, + lenient_optional_cr_before_lf: Optional[bool] = None, + lenient_optional_crlf_after_chunk: Optional[bool] = None, + lenient_spaces_after_chunk_size: Optional[bool] = None, + ): + cdef cparser.llhttp_t* parser = self._cparser + if lenient_headers is not None: + cparser.llhttp_set_lenient_headers( + parser, lenient_headers) + if lenient_chunked_length is not None: + cparser.llhttp_set_lenient_chunked_length( + parser, lenient_chunked_length) + if lenient_keep_alive is not None: + cparser.llhttp_set_lenient_keep_alive( + parser, lenient_keep_alive) + if lenient_transfer_encoding is not None: + cparser.llhttp_set_lenient_transfer_encoding( + parser, lenient_transfer_encoding) + if lenient_version is not None: + cparser.llhttp_set_lenient_version( + parser, lenient_version) + if lenient_data_after_close is not None: + cparser.llhttp_set_lenient_data_after_close( + parser, lenient_data_after_close) + if lenient_optional_lf_after_cr is not None: + cparser.llhttp_set_lenient_optional_lf_after_cr( + parser, lenient_optional_lf_after_cr) + if lenient_optional_cr_before_lf is not None: + cparser.llhttp_set_lenient_optional_cr_before_lf( + parser, lenient_optional_cr_before_lf) + if lenient_optional_crlf_after_chunk is not None: + cparser.llhttp_set_lenient_optional_crlf_after_chunk( + parser, lenient_optional_crlf_after_chunk) + if lenient_spaces_after_chunk_size is not None: + cparser.llhttp_set_lenient_spaces_after_chunk_size( + parser, lenient_spaces_after_chunk_size) + def get_http_version(self): cdef cparser.llhttp_t* parser = 
self._cparser return '{}.{}'.format(parser.http_major, parser.http_minor) @@ -161,7 +208,7 @@ cdef class HttpParser: cparser.llhttp_errno_t err Py_buffer *buf bint owning_buf = False - char* err_pos + const char* err_pos if PyMemoryView_Check(data): buf = PyMemoryView_GET_BUFFER(data) diff --git a/tests/test_parser.py b/tests/test_parser.py index 7535e1f..86584c3 100644 --- a/tests/test_parser.py +++ b/tests/test_parser.py @@ -6,6 +6,18 @@ RESPONSE1_HEAD = b'''HTTP/1.1 200 OK Date: Mon, 23 May 2005 22:38:34 GMT +Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux) +Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT +ETag: "3f80f-1b6-3e1cb03b" +Content-Type: text/html; charset=UTF-8 +Content-Length: 130 +Accept-Ranges: bytes +Connection: close + +'''.replace(b'\n', b'\r\n') + +RESPONSE1_SPACES_IN_HEAD = b'''HTTP/1.1 200 OK +Date: Mon, 23 May 2005 22:38:34 GMT Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux) Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT @@ -89,7 +101,7 @@ def test_parser_response_1(self): self.assertEqual(len(headers), 8) self.assertEqual(headers.get(b'Connection'), b'close') self.assertEqual(headers.get(b'Content-Type'), - b'text/html; charset=UTF-8') + b'text/html; charset=UTF-8') self.assertFalse(m.on_body.called) p.feed_data(bytearray(RESPONSE1_BODY)) 
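Review bot: `set_dangerous_leniencies` accepts its ten flags positionally, so a call such as `p.set_dangerous_leniencies(True)` enables `lenient_headers` with nothing at the call site naming what was relaxed. Adding `*,` on the line after `self,` would make every flag keyword-only and keep these opt-ins easy to grep for in an audit. The method also has no docstring. It should state that parsing is strict unless a flag is set, that `None` leaves the current setting untouched while `False` turns a leniency back off, and that each flag re-admits input the bundled llhttp otherwise rejects (the commit message ties the bump to CVE-2024-27982). That last point matters most where a proxy or other HTTP component in the same path may frame the same bytes differently.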
@@ -109,6 +121,53 @@ def test_parser_response_1b(self): 'Expected HTTP/'): p.feed_data(b'12123123') + def test_parser_response_leninent_headers_1(self): + m = mock.Mock() + + headers = {} + m.on_header.side_effect = headers.__setitem__ + + p = httptools.HttpResponseParser(m) + + with self.assertRaisesRegex( + httptools.HttpParserError, + "whitespace after header value", + ): + p.feed_data(memoryview(RESPONSE1_SPACES_IN_HEAD)) + + def test_parser_response_leninent_headers_2(self): + m = mock.Mock() + + headers = {} + m.on_header.side_effect = headers.__setitem__ + + p = httptools.HttpResponseParser(m) + + p.set_dangerous_leniencies(lenient_headers=True) + p.feed_data(memoryview(RESPONSE1_SPACES_IN_HEAD)) + + self.assertEqual(p.get_http_version(), '1.1') + self.assertEqual(p.get_status_code(), 200) + + m.on_status.assert_called_once_with(b'OK') + + m.on_headers_complete.assert_called_once_with() + self.assertEqual(m.on_header.call_count, 8) + self.assertEqual(len(headers), 8) + self.assertEqual(headers.get(b'Connection'), b'close') + self.assertEqual(headers.get(b'Content-Type'), + b'text/html; charset=UTF-8') + + self.assertFalse(m.on_body.called) + p.feed_data(bytearray(RESPONSE1_BODY)) + m.on_body.assert_called_once_with(RESPONSE1_BODY) + + m.on_message_complete.assert_called_once_with() + + self.assertFalse(m.on_url.called) + self.assertFalse(m.on_chunk_header.called) + self.assertFalse(m.on_chunk_complete.called) + def test_parser_response_2(self): with self.assertRaisesRegex(TypeError, 'a bytes-like object'): httptools.HttpResponseParser(None).feed_data('') diff --git a/vendor/llhttp b/vendor/llhttp index caed04d..610a87d 160000 --- a/vendor/llhttp +++ b/vendor/llhttp @@ -1 +1 @@ -Subproject commit caed04d6c1251e54c642bddfc7d0330af234f0d3 +Subproject commit 610a87d755f6bae466cd871c2ba97574ccac5483 From 5e720bf037edef03a517e25e096893638b6af801 Mon Sep 17 00:00:00 2001 
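Review bot: The two new tests cover only `lenient_headers`, and only the enable direction. Nothing checks that turning the flag back off restores the strict error, or that the other nine flags leave the parser strict by default. A short third test that calls `p.set_dangerous_leniencies(lenient_headers=True)`, then `p.set_dangerous_leniencies(lenient_headers=False)`, and expects `HttpParserError` matching "whitespace after header value" on `RESPONSE1_SPACES_IN_HEAD` would pin the re-disable path. In `test_parser_response_leninent_headers_1` the `headers` dict and the `on_header` side effect are set up but never asserted on, and both test names misspell "lenient".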
From: Elvis Pranskevichus Date: Wed, 16 Oct 2024 12:18:46 -0700 Subject: [PATCH 19/22] httptools 0.6.3 Fixes ===== * Fix missing CR is some tests (by @mgorny in 21a199d3 for #112) * Bump bundled llhttp to 9.2.1 Fixes CVE-2024-27982 (by @elprans in 560bd9ea for #113) --- httptools/_version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/httptools/_version.py b/httptools/_version.py index c1c278c..5a70bc1 100644 --- a/httptools/_version.py +++ b/httptools/_version.py @@ -10,4 +10,4 @@ # supported platforms, publish the packages on PyPI, merge the PR # to the target branch, create a Git tag pointing to the commit. -__version__ = '0.6.2' +__version__ = '0.6.3' From 2287a95af7a14b0fa178700e05c17a849242ef5d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= Date: Wed, 16 Oct 2024 21:28:20 +0200 Subject: [PATCH 20/22] Include Cython source files in sdist (#115) Fixes #110 --- MANIFEST.in | 1 + 1 file changed, 1 insertion(+) diff --git a/MANIFEST.in b/MANIFEST.in index 6b2e857..d4915a9 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -1,2 +1,3 @@ +recursive-include httptools *.pxd *.pyx recursive-include vendor *.c *.h LICENSE* README* include MANIFEST.in LICENSE From e265ae033d3d7212f92a614963a349e315f82df3 Mon Sep 17 00:00:00 2001 From: Elvis Pranskevichus Date: Wed, 16 Oct 2024 12:34:33 -0700 Subject: [PATCH 21/22] httptools 0.6.4 Fixes ===== * Include Cython source files in sdist (by @mgorny in 2287a95a for #115) --- httptools/_version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/httptools/_version.py b/httptools/_version.py index 5a70bc1..d49ea6f 100644 --- a/httptools/_version.py +++ b/httptools/_version.py @@ -10,4 +10,4 @@ # supported platforms, publish the packages on PyPI, merge the PR # to the target branch, create a Git tag pointing to the commit. -__version__ = '0.6.3' +__version__ = '0.6.4' From 922f366068f3a0b505cdfd22ff51c4c457e8e6df Mon Sep 17 00:00:00 2001 
From: Elvis Pranskevichus Date: Wed, 16 Oct 2024 13:33:41 -0700 Subject: [PATCH 22/22] Post-release version bump --- httptools/_version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/httptools/_version.py b/httptools/_version.py index d49ea6f..f1999b3 100644 --- a/httptools/_version.py +++ b/httptools/_version.py @@ -10,4 +10,4 @@ # supported platforms, publish the packages on PyPI, merge the PR # to the target branch, create a Git tag pointing to the commit. -__version__ = '0.6.4' +__version__ = '0.7.0.dev0'