aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/Lib/urllib/request.py
Commit message (Collapse)AuthorAge
* gh-128192: support HTTP sha-256 digest authentication as per RFC-7617 ↵Calvin Bui2024-12-28
| | | | | | | | | (GH-128193) support sha-256 digest authentication Co-authored-by: Peter Bierma <zintensitydev@gmail.com> Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
* gh-127734: improve signature of ↵Stephen Morton2024-12-08
| | | | | `urllib.request.HTTPPasswordMgrWithPriorAuth.__init__` (#127735) improve signature of urllib.request.HTTPPasswordMgrWithPriorAuth.__init__
* GH-127090: Fix `urllib.response.addinfourl.url` value for opened `file:` ↵Barney Gale2024-12-07
| | | | | URIs (#127091) The canonical `file:` URL (as generated by `pathname2url()`) is now used as the `url` attribute of the returned `addinfourl` object. The `addinfourl.url` attribute reflects the resolved URL for both `file:` or `http[s]:` URLs now.
* GH-127236: `pathname2url()`: generate RFC 1738 URL for absolute POSIX path ↵Barney Gale2024-11-25
| | | | | | | | | | | | | | | (#127194) When handed an absolute Windows path such as `C:\foo` or `//server/share`, the `urllib.request.pathname2url()` function returns a URL with an authority section, such as `///C:/foo` or `//server/share` (or before GH-126205, `////server/share`). Only the `file:` prefix is omitted. But when handed an absolute POSIX path such as `/etc/hosts`, or a Windows path of the same form (rooted but lacking a drive), the function returns a URL without an authority section, such as `/etc/hosts`. This patch corrects the discrepancy by adding a `//` prefix before drive-less, rooted paths when generating URLs.
* gh-127217: Fix pathname2url() for paths starting with multiple slashes on ↵Serhiy Storchaka2024-11-24
| | | | Posix (GH-127218)
* GH-126766: `url2pathname()`: handle 'localhost' authority (#127129)Barney Gale2024-11-22
| | | | | Discard any 'localhost' authority from the beginning of a `file:` URI. As a result, file URIs like `//localhost/etc/hosts` are correctly decoded as `/etc/hosts`.
* GH-85168: Use filesystem encoding when converting to/from `file` URIs (#126852)Barney Gale2024-11-19
| | | | | | | | Adjust `urllib.request.url2pathname()` and `pathname2url()` to use the filesystem encoding when quoting and unquoting file URIs, rather than forcing use of UTF-8. No changes are needed in the `nturl2path` module because Windows always uses UTF-8, per PEP 529.
* GH-84850: Remove `urllib.request.URLopener` and `FancyURLopener` (#125739)Barney Gale2024-11-19
|
* GH-126766: `url2pathname()`: handle empty authority section. (#126767)Barney Gale2024-11-14
| | | | | Discard two leading slashes from the beginning of a `file:` URI if they introduce an empty authority section. As a result, file URIs like `///etc/hosts` are correctly parsed as `/etc/hosts`.
* gh-122909: Pass ftp error strings to URLError constructor (#122913)Jeremy Hylton2024-08-20
| | | | | | | | | | | * pass the original string error message from the ftplib error to URLError() * Update request.py Change error string for ftp error to be consistent with other errors reported for ftp * Add NEWS entry for change to urllib.request for ftp errors. * Track the change in the ftp error message in the test.
* gh-120417: Add #noqa to used imports in the stdlib (#120421)Victor Stinner2024-06-13
| | | | | Tools such as ruff can ignore "imported but unused" warnings if a line ends with "# noqa: F401". It avoids the temptation to remove an import which is used effectively.
* gh-99730: urllib.request: Keep HEAD method on redirect (GH-99731)Harmen Stoppels2024-05-01
|
* gh-115197: Stop resolving host in urllib.request proxy bypass (GH-115210)Weii Wang2024-02-28
| | | Use of a proxy is intended to defer DNS for the hosts to the proxy itself, rather than a potential for information leak of the host doing DNS resolution itself for any reason. Proxy bypass lists are strictly name based. Most implementations of proxy support agree.
* gh-91539: Small performance improvement of ↵Raphaël Marinier2024-01-15
| | | | | urrlib.request.getproxies_environment() (#108771) Small performance improvement of getproxies_environment() when there are many environment variables. In a benchmark with 5k environment variables not related to proxies, and 5 specifying proxies, we get a 10% walltime improvement.
* gh-105382: Remove urllib.request cafile parameter (#105384)Victor Stinner2023-06-06
| | | | Remove cafile, capath and cadefault parameters of the urllib.request.urlopen() function, deprecated in Python 3.6.
* gh-81403: Fix for CacheFTPHandler in urllib (#13951)Dan Hemberger2023-04-22
| | | | | | | | | | | | | | bpo-37222: Fix for CacheFTPHandler in urllib A call to FTP.ntransfercmd must be followed by FTP.voidresp to clear the "end transfer" message. Without this, the client and server get out of sync, which will result in an error if the FTP instance is reused to open a second URL. This scenario occurs for even the most basic usage of CacheFTPHandler. Reverts the patch merged as a resolution to bpo-16270 and adds a test case for the CacheFTPHandler in test_urllib2net.py. Co-authored-by: Senthil Kumaran <senthil@python.org>
* gh-99352: Respect `http.client.HTTPConnection.debuglevel` in ↵Wheeler Law2023-04-20
| | | | | | | | | | | | | | | | | | | | | `urllib.request.AbstractHTTPHandler` (#99353) * bugfix: let the HTTP- and HTTPSHandlers respect the value of http.client.HTTPConnection.debuglevel * add tests * add news * ReSTify NEWS and reword a bit. * Address Review Comments. * Use mock.patch.object instead of settting the module level value. * Used test values to assert the debuglevel. --------- Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Senthil Kumaran <senthil@python.org>
* bpo-45975: Simplify some while-loops with walrus operator (GH-29347)Nick Drozd2022-11-26
|
* bpo-43564: preserve original exception in args of FTP URLError (#24938)Carl Meyer2022-10-09
| | | | | | | * bpo-43564: preserve original error in args of FTP URLError * Add NEWS blurb Co-authored-by: Carl Meyer <carljm@instagram.com>
* gh-91539: improve performance of get_proxies_environment (#91566)Pieter Eendebak2022-10-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * improve performance of get_proxies_environment when there are many environment variables * 📜🤖 Added by blurb_it. * fix case of short env name * fix formatting * fix whitespace * whitespace * Update Lib/urllib/request.py Co-authored-by: Carl Meyer <carl@oddbird.net> * Update Lib/urllib/request.py Co-authored-by: Carl Meyer <carl@oddbird.net> * Update Lib/urllib/request.py Co-authored-by: Carl Meyer <carl@oddbird.net> * Update Lib/urllib/request.py Co-authored-by: Carl Meyer <carl@oddbird.net> * whitespace * Update Misc/NEWS.d/next/Library/2022-04-15-11-29-38.gh-issue-91539.7WgVuA.rst Co-authored-by: Carl Meyer <carl@oddbird.net> * Update Lib/urllib/request.py Co-authored-by: Carl Meyer <carl@oddbird.net> Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Carl Meyer <carl@oddbird.net>
* gh-94172: urllib.request avoids deprecated key_file/cert_file (#94232)Victor Stinner2022-06-26
| | | | The urllib.request module no longer uses the deprecated key_file and cert_file parameter of the http.client module.
* gh-94172: urllib.request avoids deprecated check_hostname (#94193)Victor Stinner2022-06-24
| | | | | | | | | | | The urllib.request no longer uses the deprecated check_hostname parameter of the http.client module. Add private http.client._create_https_context() helper to http.client, used by urllib.request. Remove the now redundant check on check_hostname and verify_mode in http.client: the SSLContext.check_hostname setter already implements the check.
* gh-84623: Remove unused imports in stdlib (#93773)Victor Stinner2022-06-13
|
* bpo-42627: Fix incorrect parsing of Windows registry proxy settings (GH-26307)狂男风2022-05-11
|
* Replace with_traceback() with exception chaining and reraising (GH-32074)Oleg Iarygin2022-03-30
|
* bpo-46756: Fix authorization check in urllib.request (GH-31353)Serhiy Storchaka2022-02-25
| | | | | | Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo".
* bpo-40321: Add missing test, slightly expand documentation (GH-28760)Łukasz Langa2021-10-06
|
* bpo-40321: Support HTTP response status code 308 in urllib.request (#19588)Jochem Schulenklopper2021-10-05
| | | | | | | | | | | * Support HTTP response status code 308 in urllib. HTTP response status code 308 is defined in https://tools.ietf.org/html/rfc7538 to be the permanent redirect variant of 307 (temporary redirect). * Update documentation to include http_error_308() * Add blurb for bpo-40321 fix Co-authored-by: Roland Crosby <roland@rolandcrosby.com>
* Update URLs in comments and metadata to use HTTPS (GH-27458)Noah Kantrowitz2021-07-30
|
* bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391)Yeting Li2021-04-07
| | | | | | | Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
* Allow / character in username,password fields in _PROXY envvars. (#23973)Senthil Kumaran2020-12-29
|
* bpo-40968: Send http/1.1 ALPN extension (#20959)Christian Heimes2020-11-13
| | | Signed-off-by: Christian Heimes <christian@python.org>
* bpo-41471: Ignore invalid prefix lengths in system proxy settings on macOS ↵Ronald Oussoren2020-10-19
| | | | (GH-22762)
* bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284)Victor Stinner2020-04-02
| | | | | | | | | | | | | The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager. AbstractBasicAuthHandler of urllib.request now parses all WWW-Authenticate HTTP headers and accepts multiple challenges per header: use the realm of the first Basic challenge. Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
* bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest Auth (GH-18338)Stephen Balousek2020-02-29
| | | | | | | | | | | | | | | | | | | | | | * bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest authentication - The 'qop' value in the 'WWW-Authenticate' header is optional. The presence of 'qop' in the header should be checked before its value is parsed with 'split'. Signed-off-by: Stephen Balousek <stephen@balousek.net> * bpo-39548: Fix handling of 'WWW-Authenticate' header for Digest authentication - Add NEWS item Signed-off-by: Stephen Balousek <stephen@balousek.net> * Update Misc/NEWS.d/next/Library/2020-02-06-05-33-52.bpo-39548.DF4FFe.rst Co-Authored-By: Brandt Bucher <brandtbucher@gmail.com> Co-authored-by: Brandt Bucher <brandtbucher@gmail.com>
* bpo-39057: Fix urllib.request.proxy_bypass_environment(). (GH-17619)Serhiy Storchaka2020-01-05
| | | Ignore leading dots and no longer ignore a trailing newline.
* bpo-38686: fix HTTP Digest handling in request.py (#17045)PypeBros2019-11-22
| | | | | | | | | | | | | | | | | | | | | * fix HTTP Digest handling in request.py There is a bug triggered when server replies to a request with `WWW-Authenticate: Digest` where `qop="auth,auth-int"` rather than mere `qop="auth"`. Having both `auth` and `auth-int` is legitimate according to the `qop-options` rule in §3.2.1 of [[https://www.ietf.org/rfc/rfc2617.txt|RFC 2617]]: > qop-options = "qop" "=" <"> 1#qop-value <"> > qop-value = "auth" | "auth-int" | token > **qop-options**: [...] If present, it is a quoted string **of one or more** tokens indicating the "quality of protection" values supported by the server. The value `"auth"` indicates authentication; the value `"auth-int"` indicates authentication with integrity protection This is description confirmed by the definition of the [//n//]`#`[//m//]//rule// extended-BNF pattern defined in §2.1 of [[https://www.ietf.org/rfc/rfc2616.txt|RFC 2616]] as 'a comma-separated list of //rule// with at least //n// and at most //m// items'. When this reply is parsed by `get_authorization`, request.py only tests for identity with `'auth'`, failing to recognize it as one of the supported modes the server announced, and claims that `"qop 'auth,auth-int' is not supported"`. * 📜🤖 Added by blurb_it. * bpo-38686 review fix: remember why. * fix trailing space in Lib/urllib/request.py Co-Authored-By: Brandt Bucher <brandtbucher@gmail.com>
* Remove binding of captured exceptions when not used to reduce the chances of ↵Pablo Galindo2019-11-19
| | | | | | | creating cycles (GH-17246) Capturing exceptions into names can lead to reference cycles though the __traceback__ attribute of the exceptions in some obscure cases that have been reported previously and fixed individually. As these variables are not used anyway, we can remove the binding to reduce the chances of creating reference cycles. See for example GH-13135
* bpo-25068: urllib.request.ProxyHandler now lowercases the dict keys (GH-13489)Zackery Spytz2019-09-13
|
* bpo-12707: deprecate info(), geturl(), getcode() methods in favor of ↵Ashwin Ramaswami2019-09-13
| | | | | headers, url, and status properties for HTTPResponse and addinfourl (GH-11447) Co-Authored-By: epicfaace <aramaswamis@gmail.com>
* bpo-35397: Remove deprecation and document urllib.parse.unwrap (GH-11481)Rémi Lapeyre2019-05-27
|
* bpo-36842: Implement PEP 578 (GH-12613)Steve Dower2019-05-23
| | | Adds sys.audit, sys.addaudithook, io.open_code, and associated C APIs.
* bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13474)Victor Stinner2019-05-22
| | | | | | | CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in URLopener().open() and URLopener().retrieve() of urllib.request. Co-Authored-By: SH <push0ebp@gmail.com>
* bpo-36948: Fix NameError in urllib.request.URLopener.retrieve (GH-13389)Xtreak2019-05-19
|
* bpo-36431: Use PEP 448 dict unpacking for merging two dicts. (GH-12553)Serhiy Storchaka2019-03-27
|
* closes bpo-35309: cpath should be capath (GH-10699)Boštjan Mejak2018-11-25
|
* bpo-27485: Rename and deprecate undocumented functions in urllib.parse (GH-2205)Cheryl Sabella2018-04-25
|
* Revert unneccessary changes made in bpo-30296 and apply other improvements. ↵Serhiy Storchaka2018-02-26
| | | | (GH-2624)
* urllib.request: Remove unused import (GH-5268)INADA Naoki2018-01-22
|
* bpo-30296 Remove unnecessary tuples, lists, sets, and dicts (#1489)Jon Dufresne2017-05-18
| | | | | | | | * Replaced list(<generator expression>) with list comprehension * Replaced dict(<generator expression>) with dict comprehension * Replaced set(<list literal>) with set literal * Replaced builtin func(<list comprehension>) with func(<generator expression>) when supported (e.g. any(), all(), tuple(), min(), & max())
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-05 20:31:05 +0000