aio-libs/aiohttp (aiohttp)
### [`v3.9.4`](https://togithub.com/aio-libs/aiohttp/releases/tag/v3.9.4): 3.9.4
[Compare Source](https://togithub.com/aio-libs/aiohttp/compare/v3.9.3...v3.9.4)
## Bug fixes
- The asynchronous internals now set the underlying causes
when assigning exceptions to the future objects
\-- by :user:`webknjaz`.
*Related issues and pull requests on GitHub:*
[#8089](https://togithub.com/aio-libs/aiohttp/issues/8089).
- Treated values of `Accept-Encoding` header as case-insensitive when checking
for gzip files -- by :user:`steverep`.
*Related issues and pull requests on GitHub:*
[#8104](https://togithub.com/aio-libs/aiohttp/issues/8104).
- Improved the DNS resolution performance on cache hit -- by :user:`bdraco`.
This is achieved by avoiding an :mod:`asyncio` task creation in this case.
*Related issues and pull requests on GitHub:*
[#8163](https://togithub.com/aio-libs/aiohttp/issues/8163).
- Changed the type annotations to allow `dict` on :meth:`aiohttp.MultipartWriter.append`,
:meth:`aiohttp.MultipartWriter.append_json` and
:meth:`aiohttp.MultipartWriter.append_form` -- by :user:`cakemanny`
*Related issues and pull requests on GitHub:*
[#7741](https://togithub.com/aio-libs/aiohttp/issues/7741).
- Ensure websocket transport is closed when client does not close it
\-- by :user:`bdraco`.
The transport could remain open if the client did not close it. This
change ensures the transport is closed when the client does not close
it.
*Related issues and pull requests on GitHub:*
[#8200](https://togithub.com/aio-libs/aiohttp/issues/8200).
- Leave websocket transport open if receive times out or is cancelled
\-- by :user:`bdraco`.
This restores the behavior prior to the change in [#7978](https://togithub.com/aio-libs/aiohttp/issues/7978).
*Related issues and pull requests on GitHub:*
[#8251](https://togithub.com/aio-libs/aiohttp/issues/8251).
- Fixed content not being read when an upgrade request was not supported with the pure Python implementation.
\-- by :user:`bdraco`.
*Related issues and pull requests on GitHub:*
[#8252](https://togithub.com/aio-libs/aiohttp/issues/8252).
- Fixed a race condition with incoming connections during server shutdown -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
[#8271](https://togithub.com/aio-libs/aiohttp/issues/8271).
- Fixed `multipart/form-data` compliance with :rfc:`7578` -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
[#8280](https://togithub.com/aio-libs/aiohttp/issues/8280).
- Fixed blocking I/O in the event loop while processing files in a POST request
\-- by :user:`bdraco`.
*Related issues and pull requests on GitHub:*
[#8283](https://togithub.com/aio-libs/aiohttp/issues/8283).
- Escaped filenames in static view -- by :user:`bdraco`.
*Related issues and pull requests on GitHub:*
[#8317](https://togithub.com/aio-libs/aiohttp/issues/8317).
- Fixed the pure python parser to mark a connection as closing when a
response has no length -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
[#8320](https://togithub.com/aio-libs/aiohttp/issues/8320).
## Features
- Upgraded *llhttp* to 9.2.1, and started rejecting obsolete line folding
in Python parser to match -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
[#8146](https://togithub.com/aio-libs/aiohttp/issues/8146), [#8292](https://togithub.com/aio-libs/aiohttp/issues/8292).
## Deprecations (removal in next major release)
- Deprecated `content_transfer_encoding` parameter in :py:meth:`FormData.add_field()` -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
[#8280](https://togithub.com/aio-libs/aiohttp/issues/8280).
## Improved documentation
- Added a note about canceling tasks to avoid delaying server shutdown -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
[#8267](https://togithub.com/aio-libs/aiohttp/issues/8267).
## Contributor-facing changes
- The pull request template is now asking the contributors to
answer a question about the long-term maintenance challenges
they envision as a result of merging their patches
\-- by :user:`webknjaz`.
*Related issues and pull requests on GitHub:*
[#8099](https://togithub.com/aio-libs/aiohttp/issues/8099).
- Updated CI and documentation to use NPM clean install and upgrade
node to version 18 -- by :user:`steverep`.
*Related issues and pull requests on GitHub:*
[#8116](https://togithub.com/aio-libs/aiohttp/issues/8116).
- A pytest fixture `hello_txt` was introduced to aid
static file serving tests in
:file:`test_web_sendfile_functional.py`. It dynamically
provisions `hello.txt` file variants shared across the
tests in the module.
\-- by :user:`steverep`
*Related issues and pull requests on GitHub:*
[#8136](https://togithub.com/aio-libs/aiohttp/issues/8136).
## Packaging updates and notes for downstreams
- Added an `internal` pytest marker for tests which should be skipped
by packagers (use `-m 'not internal'` to disable them) -- by :user:`Dreamsorcerer`.
*Related issues and pull requests on GitHub:*
[#8299](https://togithub.com/aio-libs/aiohttp/issues/8299).
***
Configuration
📅 Schedule: Branch creation - "" in timezone America/Chicago, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates: 3.9.3 -> 3.9.4
GitHub Vulnerability Alerts
CVE-2024-27306
Summary
An XSS vulnerability exists on index pages for static file handling.
Details
When using `web.static(..., show_index=True)`, the resulting index pages do not escape file names. If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.
Workaround
We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected.
Other users can disable `show_index` if unable to upgrade.
Patch: https://github.com/aio-libs/aiohttp/pull/8319/files
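The class of bug described in the advisory, shown as an added example (this is not aiohttp's code): a directory index built by interpolating file names into HTML, next to a version that percent-encodes the link target and HTML-escapes the label. The function names and the sample file names are constructed for illustration.

```python
import html
from urllib.parse import quote

# Constructed sample listing: the second name stands in for a file name
# chosen by an uploader (harmless markup, enough to show the injection).
SAMPLE_NAMES = ["hello.txt", '<u>notes & "drafts".txt']


def render_index_unescaped(names):
    """Unsafe pattern: file names are interpolated into the page verbatim."""
    items = [f'<li><a href="{n}">{n}</a></li>' for n in sorted(names)]
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


def render_index_escaped(names):
    """Hardened pattern: percent-encode the URL, HTML-escape the label."""
    items = []
    for n in sorted(names):
        href = quote(n)         # no raw <, >, " or & left in the attribute
        label = html.escape(n)  # &, <, >, " and ' become entities
        items.append(f'<li><a href="{href}">{label}</a></li>')
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


def names_needing_escape(names):
    """Audit helper: names whose HTML-escaped form differs from the raw name."""
    return [n for n in names if html.escape(n) != n]


if __name__ == "__main__":
    print(render_index_unescaped(SAMPLE_NAMES))
    print(render_index_escaped(SAMPLE_NAMES))
    print(names_needing_escape(SAMPLE_NAMES))
```

Running `names_needing_escape` over the entries of an upload-writable static directory shows which existing files would have rendered as markup on an unpatched index page.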