Bug fixes

- Fixed a race condition in :py:class:`~aiohttp.TCPConnector` where closing the connector while a DNS resolution was in-flight could raise :py:exc:`AttributeError` instead of :py:exc:`~aiohttp.ClientConnectionError` -- by :user:`goingforstudying-ctrl`.

  Related issues and pull requests on GitHub:
  #12497.

- Fixed ``CancelledError`` not closing a connection -- by :user:`aiolibsbot`.

  Related issues and pull requests on GitHub:
  #12795.

- Tightened up some websocket parser checks -- by :user:`Dreamsorcerer`.

  Related issues and pull requests on GitHub:
  #12817.

- Fixed :class:`~aiohttp.CookieJar` dropping the host-only flag of cookies when persisted with :meth:`~aiohttp.CookieJar.save` and reloaded with :meth:`~aiohttp.CookieJar.load`, so a cookie set without a ``Domain`` attribute is again scoped to the exact host that set it after a reload; the absolute expiration deadline is now persisted as well, so a reloaded cookie keeps its original lifetime instead of being rescheduled from the load time. :meth:`~aiohttp.CookieJar.load` now replaces the jar contents rather than merging onto prior state, and loaded cookies pass through the same acceptance rules as :meth:`~aiohttp.CookieJar.update_cookies`, so a cookie for an IP-address host is dropped when loaded into a jar created without ``unsafe=True`` -- by :user:`bdraco`.

  Related issues and pull requests on GitHub:
  #12824.

- Scoped :class:`~aiohttp.DigestAuthMiddleware` credentials to the origin of the first request it handles, so a redirect to a different origin no longer triggers a digest response computed from the configured credentials; a challenge from another origin is only answered when that origin falls within a protection space advertised by the anchor origin through the RFC 7616 ``domain`` directive -- by :user:`bdraco`.

  Related issues and pull requests on GitHub:
  #12825.

- Fixed the C HTTP parser not enforcing ``max_line_size`` on a request target or response reason phrase that is split across multiple reads; each fragment was checked on its own, so an accumulated line could exceed the limit without raising ``LineTooLong``. The accumulated length is now checked, matching the pure-Python parser -- by :user:`bdraco`.

  Related issues and pull requests on GitHub:
  #12826.

- Changed :class:`~aiohttp.TCPConnector` to reject legacy non-canonical numeric IPv4 host forms such as ``2130706433``, ``017700000001`` and ``127.1`` with :exc:`~aiohttp.InvalidUrlClientError`; only canonical dotted-quad IPv4 literals are now treated as IP address literals, while every other host is sent through the configured resolver -- by :user:`bdraco`.

  Related issues and pull requests on GitHub:
  #12827.

- Fixed :meth:`~aiohttp.StreamReader.readany` and :meth:`~aiohttp.StreamReader.read_nowait` joining data fed back into the buffer during the call (when draining below the low water mark resumes reading) into a single unbounded :class:`bytes`; a call now returns only the chunks that were buffered when it started, keeping the drain of an unread auto-decompressed request body bounded by the read buffer -- by :user:`bdraco`.

  Related issues and pull requests on GitHub:
  #12828.

- Bounded the number of parsed-but-unhandled pipelined HTTP/1 requests buffered per connection on the server; once the queue reaches an internal limit the parser stops emitting and the transport is paused, resuming as the request handler drains the queue, so a client keeping one handler busy can no longer accumulate an unbounded backlog of pipelined requests -- by :user:`bdraco`.

  Related issues and pull requests on GitHub:
  #12830.

- Fixed :meth:`aiohttp.web.Response.write_eof` skipping ``Payload.close()`` when the body write was interrupted by an error or cancellation, for example when a client disconnects mid-response; the payload close hook now runs in a ``finally`` so a :class:`~aiohttp.payload.Payload` body always releases its resources -- by :user:`bdraco`.

  Related issues and pull requests on GitHub:
  #12831.

- Fixed the pure-Python HTTP parser not enforcing ``max_line_size`` on a chunk-size line when the whole line arrived in a single read; the limit was only applied to chunk-size metadata split across reads. The complete-line case is now checked too, matching the split-line behavior -- by :user:`bdraco`.

  Related issues and pull requests on GitHub:
  #12832.

- Included the per-request ``server_hostname`` override in the :class:`~aiohttp.TCPConnector` connection pool key, so a pooled TLS connection is no longer reused for a request that sets ``server_hostname`` to a different value -- by :user:`bdraco`.

  Related issues and pull requests on GitHub:
  #12835.
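
An added illustration of the canonical-IPv4 rule from the ``TCPConnector`` entry for #12827, showing why the three listed forms matter to a host allowlist or blocklist; this is not aiohttp's own code. The inet_aton-style grammar used to recognise "legacy" forms, the helper names and the sample hosts are assumptions made for the example, and it covers IPv4 only.

```python
import ipaddress
import re

# Canonical dotted-quad: four decimal octets 0-255 with no leading zeros.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
_CANONICAL = re.compile(rf"{_OCTET}(?:\.{_OCTET}){{3}}")
# One part of a legacy numeric host: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")


def legacy_ipv4_value(host):
    """Return the 32-bit address an inet_aton-style parser would read, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.fullmatch(p) for p in parts):
        return None
    nums = [
        int(p, 16) if p[:2].lower() == "0x" else int(p, 8) if p[0] == "0" else int(p)
        for p in parts
    ]
    *head, last = nums
    # Leading parts are single bytes; the last part fills the remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return value


def decoded(host):
    """Dotted-quad form of what a legacy parser would connect to, or None."""
    value = legacy_ipv4_value(host)
    return None if value is None else str(ipaddress.IPv4Address(value))


def classify_host(host):
    """IPv4-only sketch of the rule: 'ip-literal', 'reject' or 'resolve'."""
    if _CANONICAL.fullmatch(host):
        return "ip-literal"
    if legacy_ipv4_value(host) is not None:
        return "reject"  # numeric, but not a canonical dotted quad
    return "resolve"  # hand the name to the configured resolver


# Constructed sample hosts: the three forms named in the entry plus controls.
SAMPLES = ["127.0.0.1", "2130706433", "017700000001", "127.1", "010.0.0.1", "example.com"]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h:>14}  {classify_host(h):<10}  legacy parser reads: {decoded(h)}")
```

A string-based filter that compares the host text against ``127.0.0.1`` sees none of the three legacy forms as loopback, which is why rejecting them before any address comparison closes the gap.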