Update dependency aiohttp to v3.7.4 [SECURITY] #20
This PR contains the following updates:

aiohttp: ==3.6.3 -> ==3.7.4
GitHub Vulnerability Alerts

CVE-2021-21330

Impact

What kind of vulnerability is it? Who is impacted?

Open redirect vulnerability: a maliciously crafted link to an aiohttp-based web server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware.

Patches

Has the problem been patched? What versions should users upgrade to?

This security problem has been fixed in v3.7.4. Upgrade your dependency as follows (the version specifier is quoted so the shell does not treat `>=` as an output redirection):

pip install "aiohttp>=3.7.4"
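The advisory describes a redirect whose target can leave the server's own origin. The following is an added example, not aiohttp's code or its 3.7.4 fix: a generic same-origin check for redirect `Location` values of the kind a path-normalizing middleware emits, with a small audit helper over constructed sample responses. The origin `https://app.example` and the host `attacker.example` are placeholders.

```python
# Same-origin guard for redirect targets. Added example for the
# normalize_path_middleware advisory above: a generic check for this class
# of bug, not aiohttp's code or its 3.7.4 fix. "https://app.example" and
# "attacker.example" are constructed placeholders.
from urllib.parse import urljoin, urlsplit


def is_same_origin_redirect(location, origin="https://app.example"):
    """True only if a Location value resolves to `origin`.

    Backslashes are treated as slashes first, since browsers do. Any run of
    leading slashes is rejected outright: the WHATWG parser browsers use
    swallows them before the authority, so "///host/" lands on host, while
    urljoin (RFC 3986) would treat it as a local path.
    """
    candidate = location.strip().replace("\\", "/")
    if not candidate:
        return False  # a redirect with no target is a bug, not same-origin
    if candidate.startswith("//"):
        return False  # an authority follows, whatever urljoin would say
    resolved = urlsplit(urljoin(origin, candidate))
    base = urlsplit(origin)
    return (resolved.scheme, resolved.netloc) == (base.scheme, base.netloc)


def audit_redirects(responses, origin="https://app.example"):
    """Return Location values of redirect responses that leave `origin`.

    `responses` is an iterable of (status, headers) pairs, the shape a test
    client or a replayed access log would provide.
    """
    offending = []
    for status, headers in responses:
        if status not in (301, 302, 303, 307, 308):
            continue
        location = headers.get("Location", "")
        if not is_same_origin_redirect(location, origin):
            offending.append(location)
    return offending


# Constructed sample responses, as a path-normalizing middleware might emit.
SAMPLE_RESPONSES = [
    (308, {"Location": "/docs/"}),                     # ordinary append-slash redirect
    (200, {"Content-Type": "text/html"}),              # not a redirect
    (308, {"Location": "//attacker.example/docs/"}),   # scheme-relative, leaves origin
    (308, {"Location": "/\\attacker.example/"}),       # backslash variant of the same
    (301, {"Location": "https://attacker.example/"}),  # absolute URL elsewhere
]
```

Run `audit_redirects` over the responses your test client collects from every route that triggers a normalizing redirect; an empty result is the expected outcome on a patched deployment.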
Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

If upgrading is not an option for you, a workaround is to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Credit: Jelmer Vernooij and Beast Glatisant.
Release Notes

aio-libs/aiohttp

v3.7.4

Misc

- `chardet` runtime dependency to allow their v4.0 version stream. #5366 <https://github.com/aio-libs/aiohttp/issues/5366>
v3.7.3

Features

- #3803 <https://github.com/aio-libs/aiohttp/issues/3803>
- #4077 <https://github.com/aio-libs/aiohttp/issues/4077>

Bugfixes

- HTTP Reason Phrase. #3532 <https://github.com/aio-libs/aiohttp/issues/3532>
- `web_middlewares.normalize_path_middleware` behavior for path without slash. #3669 <https://github.com/aio-libs/aiohttp/issues/3669>
- #3701 <https://github.com/aio-libs/aiohttp/issues/3701>
- `BaseConnector.close()` a coroutine and wait until the client closes all connections. Drop deprecated "with Connector():" syntax. #3736 <https://github.com/aio-libs/aiohttp/issues/3736>
- `sock_read` timeout each time data is received for an `aiohttp.client` response. #3808 <https://github.com/aio-libs/aiohttp/issues/3808>
- #3880 <https://github.com/aio-libs/aiohttp/issues/3880>
- #5156 <https://github.com/aio-libs/aiohttp/issues/5156>
- #5163 <https://github.com/aio-libs/aiohttp/issues/5163>
- #5230 <https://github.com/aio-libs/aiohttp/issues/5230>

Improved Documentation

- `aiohttp.web.FileResponse`. #3958 <https://github.com/aio-libs/aiohttp/issues/3958>
- #3964 <https://github.com/aio-libs/aiohttp/issues/3964>
- `aiohttp.client.request`. #4603 <https://github.com/aio-libs/aiohttp/issues/4603>
- #5228 <https://github.com/aio-libs/aiohttp/issues/5228>

Misc

- #4102 <https://github.com/aio-libs/aiohttp/issues/4102>
v3.7.2

Bugfixes

- `.sendfile()` support #5149 <https://github.com/aio-libs/aiohttp/issues/5149>
v3.7.1

Bugfixes

- `Protocol`. #5111 <https://github.com/aio-libs/aiohttp/issues/5111>
- #4901 <https://github.com/aio-libs/aiohttp/issues/4901>
- #4957 <https://github.com/aio-libs/aiohttp/issues/4957>
- `typing_extensions` library. #5107 <https://github.com/aio-libs/aiohttp/issues/5107>
- `ThreadedResolver.resolve` to return the resolved IP as the `hostname` in each record, which prevented validation of HTTPS connections. #5110 <https://github.com/aio-libs/aiohttp/issues/5110>
- #5115 <https://github.com/aio-libs/aiohttp/issues/5115>
- #5116 <https://github.com/aio-libs/aiohttp/issues/5116>
- #5124 <https://github.com/aio-libs/aiohttp/issues/5124>
- `web.run_app()` about Python version checking on Windows #5127 <https://github.com/aio-libs/aiohttp/issues/5127>
v3.7.0

Features

- `on_response_prepare` hooks, directly before headers are sent to the client. #1958 <https://github.com/aio-libs/aiohttp/issues/1958>
- `quote_cookie` option to `CookieJar`, a way to skip quotation wrapping of cookies containing special characters. #2571 <https://github.com/aio-libs/aiohttp/issues/2571>
- `AccessLogger.log` with the current exception available from `sys.exc_info()`. #3557 <https://github.com/aio-libs/aiohttp/issues/3557>
- `web.UrlDispatcher.add_routes` and `web.Application.add_routes` return a list of registered `AbstractRoute` instances. `AbstractRouteDef.register` (and all subclasses) return a list of registered resources. #3866 <https://github.com/aio-libs/aiohttp/issues/3866>
- #3882 <https://github.com/aio-libs/aiohttp/issues/3882>
- `OSError` on reading/writing instead. #4080 <https://github.com/aio-libs/aiohttp/issues/4080>
- #4189 <https://github.com/aio-libs/aiohttp/issues/4189>
- `ClientSession.timeout` property. #4191 <https://github.com/aio-libs/aiohttp/issues/4191>
- #4224 <https://github.com/aio-libs/aiohttp/issues/4224>
- `loop.sendfile()` instead of custom implementation if available. #4269 <https://github.com/aio-libs/aiohttp/issues/4269>
- #4393 <https://github.com/aio-libs/aiohttp/issues/4393>
- #4402 <https://github.com/aio-libs/aiohttp/issues/4402>
- `read_bufsize` argument. #4453 <https://github.com/aio-libs/aiohttp/issues/4453>
- #4513 <https://github.com/aio-libs/aiohttp/issues/4513>
- `method` and `url` attributes to `TraceRequestChunkSentParams` and `TraceResponseChunkReceivedParams`. #4674 <https://github.com/aio-libs/aiohttp/issues/4674>
- #4711 <https://github.com/aio-libs/aiohttp/issues/4711>
- #4850 <https://github.com/aio-libs/aiohttp/issues/4850>
- `None` is passed in as the host. #4894 <https://github.com/aio-libs/aiohttp/issues/4894>
- `http_parser` to 2.9.4 #5070 <https://github.com/aio-libs/aiohttp/issues/5070>
Bugfixes

- Fix keepalive connections not being closed in time #3296 <https://github.com/aio-libs/aiohttp/issues/3296>
- Fix failed websocket handshake leaving connection hanging. #3380 <https://github.com/aio-libs/aiohttp/issues/3380>
- Fix tasks cancellation order on exit. The run_app task needs to be cancelled first for cleanup hooks to run with all tasks intact. #3805 <https://github.com/aio-libs/aiohttp/issues/3805>
- Don't start heartbeat until writer is set #4062 <https://github.com/aio-libs/aiohttp/issues/4062>
- Fix handling of multipart file uploads without a content type. #4089 <https://github.com/aio-libs/aiohttp/issues/4089>
- Preserve view handler function attributes across middlewares #4174 <https://github.com/aio-libs/aiohttp/issues/4174>
- Fix the string representation of `ServerDisconnectedError`. #4175 <https://github.com/aio-libs/aiohttp/issues/4175>
- Raise RuntimeError when trying to get the encoding from a body that has not been read #4214 <https://github.com/aio-libs/aiohttp/issues/4214>
- Remove warning messages from noop. #4282 <https://github.com/aio-libs/aiohttp/issues/4282>
- Raise ClientPayloadError if FormData is re-processed. #4345 <https://github.com/aio-libs/aiohttp/issues/4345>
- Fix a warning about an unfinished task in `web_protocol.py` #4408 <https://github.com/aio-libs/aiohttp/issues/4408>
- Fixed 'deflate' compression. According to RFC 2616 now. #4506 <https://github.com/aio-libs/aiohttp/issues/4506>
- Fixed OverflowError on platforms with 32-bit time_t #4515 <https://github.com/aio-libs/aiohttp/issues/4515>
- Fixed request.body_exists returning the wrong value for methods without a body. #4528 <https://github.com/aio-libs/aiohttp/issues/4528>
- Fix connecting to link-local IPv6 addresses. #4554 <https://github.com/aio-libs/aiohttp/issues/4554>
- Fix a problem with connection waiters that are never awaited. #4562 <https://github.com/aio-libs/aiohttp/issues/4562>
- Always make sure the transport is not closing before reusing a connection. Reusing a protocol based on the keepalive header is unreliable. For example, uWSGI does not support keepalive even when it serves an HTTP 1.1 request, unless uWSGI is explicitly configured with the `--http-keepalive` option. Servers designed like uWSGI could cause aiohttp to intermittently raise a ConnectionResetException when the protocol pool runs out and some protocol is reused. #4587 <https://github.com/aio-libs/aiohttp/issues/4587>
- Handle the last CRLF correctly even if it is received via a separate TCP segment. #4630 <https://github.com/aio-libs/aiohttp/issues/4630>
- Fix the register_resource function to validate the route name before splitting it, so that a route name can include Python keywords. #4691 <https://github.com/aio-libs/aiohttp/issues/4691>
- Improve typing annotations for `web.Request`, `aiohttp.ClientResponse` and the `multipart` module. #4736 <https://github.com/aio-libs/aiohttp/issues/4736>
- Fix resolver task not being awaited when the connector is cancelled #4795 <https://github.com/aio-libs/aiohttp/issues/4795>
- Fix a bug "Aiohttp doesn't return any error on invalid request methods" #4798 <https://github.com/aio-libs/aiohttp/issues/4798>
- Fix HEAD requests for static content. #4809 <https://github.com/aio-libs/aiohttp/issues/4809>
- Fix incorrect size calculation for memoryview #4890 <https://github.com/aio-libs/aiohttp/issues/4890>
- Add HTTPMove to `__all__`. #4897 <https://github.com/aio-libs/aiohttp/issues/4897>
- Fixed the type annotations in the `tracing` module. #4912 <https://github.com/aio-libs/aiohttp/issues/4912>
- Fix typing for multipart `__aiter__`. #4931 <https://github.com/aio-libs/aiohttp/issues/4931>
- Fix a race condition on connections in BaseConnector that leads to exceeding the connection limit. #4936 <https://github.com/aio-libs/aiohttp/issues/4936>
- Add forced UTF-8 encoding for `application/rdap+json` responses. #4938 <https://github.com/aio-libs/aiohttp/issues/4938>
- Fix inconsistency between the Python and C HTTP request parsers in parsing pct-encoded URLs. #4972 <https://github.com/aio-libs/aiohttp/issues/4972>
- Fix connection closing issue in HEAD request. #5012 <https://github.com/aio-libs/aiohttp/issues/5012>
- Fix type hint on BaseRunner.addresses (from `List[str]` to `List[Any]`) #5086 <https://github.com/aio-libs/aiohttp/issues/5086>
- Make `web.run_app()` more responsive to Ctrl+C on Windows for Python < 3.8. It slightly increases CPU load as a side effect. #5098 <https://github.com/aio-libs/aiohttp/issues/5098>
Improved Documentation

- #3376 <https://github.com/aio-libs/aiohttp/issues/3376>
- `ttl_dns_cache` default value #3512 <https://github.com/aio-libs/aiohttp/issues/3512>
- #4201 <https://github.com/aio-libs/aiohttp/issues/4201>
- `Optional[str]` to `Optional[bool]` #4204 <https://github.com/aio-libs/aiohttp/issues/4204>
- `ttl_dns_cache` type from int to Optional[int]. #4270 <https://github.com/aio-libs/aiohttp/issues/4270>
- #4272 <https://github.com/aio-libs/aiohttp/issues/4272>
- #4285 <https://github.com/aio-libs/aiohttp/issues/4285>
- #4312 <https://github.com/aio-libs/aiohttp/issues/4312>
- #4314 <https://github.com/aio-libs/aiohttp/issues/4314>
- #4810 <https://github.com/aio-libs/aiohttp/issues/4810>
- #4986 <https://github.com/aio-libs/aiohttp/issues/4986>
- `aiohttp-sse-client` library to third party usage list. #5084 <https://github.com/aio-libs/aiohttp/issues/5084>

Misc

- #2856 <https://github.com/aio-libs/aiohttp/issues/2856>, #4218 <https://github.com/aio-libs/aiohttp/issues/4218>, #4250 <https://github.com/aio-libs/aiohttp/issues/4250>
Configuration

- 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
- 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
- ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
- 🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate.