Commit Graph

2390 Commits

Author SHA1 Message Date
L. Kärkkäinen
1e4b1c4d1a Forwarded headers and otherwise improved proxy handling (#1638)
* Added support for HTTP Forwarded header and combined parsing of other proxy headers.

- Accessible via request.forwarded that tries parse_forwarded and then parse_xforwarded
- parse_forwarded uses the Forwarded header, if config.FORWARDED_SECRET is provided and a matching header field is found
- parse_xforwarded uses X-Real-IP and X-Forwarded-* much like the existing implementation
- This commit does not change existing request properties that still use the old code and won't make use of Forwarded headers.

* Use req.forwarded in req properties server_name, server_port, scheme and remote_addr.

X-Scheme handling moved to parse_xforwarded.

* Cleanup and fix req.server_port; no longer reports socket port if any forwards headers are used.

* Update docstrings to indicate that forwarded header is used first.

* Remove testing function.

* Fix tests and linting.

- One test removed due to change of semantics - no socket port will be used if any forwarded headers are in effect.
- Other tests augmented with X-Forwarded-For, to allow the header being tested take effect (shouldn't affect old implementation).

* Try to workaround buggy tools complaining about incorrect ordering of imports.

* Cleanup forwarded processing, add comments. secret is now also returned.

* Added tests, fixed quoted string handling, cleanup.

* Further tests for full coverage.

* Try'n make linter happy.

* Add support for multiple Forwarded headers. Unify parse_forwarded parameters with parse_xforwarded.

* Implement multiple headers support for X-Forwarded-For.

- Previously only the first header was used, so this BUGFIX may affect functionality.

* Bugfix for request.server_name: strip port and other parts.

- request.server_name docs claim that it returns the hostname only (no port).
- config.SERVER_NAME may be full URL, so strip scheme, port and path
- HTTP Host and consequently forwarded Host may include port number, so
  strip that also for forwarded hosts (previously only done for HTTP Host).
- Possible performance benefit of limiting to one split.

* Fallback to app.url_for and let it handle SERVER_NAME if defined (until a proper solution is implemented).

* Revise previous commit. Only fallback for full URL SERVER_NAMEs; allows host to be defined and proxied information still being used.

* Heil lintnazi.

* Modify testcase not to use underscores in URLs. Use hyphens which the spec allows for.

* Forwarded and Host header parsing improved.

- request.forwarded lowercases hosts, separates host:port into their own fields and lowercases addresses
- forwarded.parse_host helper function added and used for parsing all host-style headers (IPv6 cannot be simply split(":")).
- more tests fixed not to use underscores in hosts as those are no longer accepted and lead to the field being rejected

* Fixed typo in docstring.

* Added IPv6 address tests for Host header.

* Fix regex.

* Further tests and stricter forwarded handling.

* Fix merge commit

* Linter

* Linter

* Linter

* Add  to avoid re-using the  variable. Make a few raw strings non-raw.

* Remove unnecessary or

* Updated docs (work in progress).

* Enable REAL_IP_HEADER parsing irregardless of PROXIES_COUNT setting.

- Also cleanup and added comments

* New defaults for PROXIES_COUNT and REAL_IP_HEADER, updated tests.

* Remove support for PROXIES_COUNT=-1.

* Linter errors.

- This is getting ridiculous: cannot fit a URL on one line, linter requires
  splitting the string literal!

* Add support for by=_proxySecret, updated docs, updated tests.

* Forwarded headers' semantics tuning.

- Forwarded host is now preserved in original format
- request.host now returns a forwarded host if available, else the Host header
- Forwarded options are preserved in original order, and later keys override earlier ones
- Forwarded path is automatically URL-unquoted
- Forwarded 'by' and 'for' are omitted if their value is unknown
- Tests modified accordingly
- Cleanup and improved documentation

* Add ASGI test.

* Linter

* Linter #2
2019-09-02 08:50:56 -05:00
Subham Roy
ae91852cd5 check for already set asyncio event loop policy (#1637)
* check for already set asyncio event loop policy

* fix linting warning
2019-08-28 11:30:23 -05:00
L. Kärkkäinen
2011f3a0b2 PEP 594 has cgi module scheduled for deprecation in Python 3.8 (#1649)
* PEP 594 has cgi module scheduled for deprecation in Python 3.8. Reimplement
cgi.parse_header in Sanic. The new implementation is much faster than either
cgi.parse_header or equivalent werkzeug.parse_options_header, and unlike the
two, handles also quoted values with semicolons or \" in them.

* Fix string escape.

* Useless linter complaints.

* More linter issues

* Add return type hint.

* Do not support quoted-pair escapes.

- Improved documentation and renamed the function more aptly as it only seems
  to apply to content-type and content-disposition headers.

* Unquote filenames also in normal mode.

* Add tests for headers. Adapted from CPython parse_header tests with changes on the final test.

* Linter

* Revert "Unquote filenames also in normal mode."

This reverts commit bf0d502bcd.

* Improved parse_content_header and added tests with Firefox and Chrome.

- Unescaping of quotes moved to parse_content_header because it affects all fields,
  not just filenames.
- It is impossible to handle all cases correctly but the current heuristics should
  suffice well for typical cases and beyond.
- Added comparisons with cgi.parse_header and werkzeug.parse_options_header.

* Updated comments as well.
2019-08-27 08:30:23 -05:00
7
228a31ee0a
Merge pull request #1657 from huge-success/release-19.6.3
release: 19.6.3
2019-08-21 23:00:51 -07:00
Yun Xu
8bf2bdff74 Bumping up version from 19.6.2 to 19.6.3 2019-08-20 18:51:17 -07:00
7
41862eca61
Merge pull request #1654 from huge-success/asgi-content-type
Add content-type headers in response in ASGI mode
2019-08-13 12:30:40 -07:00
Yun Xu
21307b397b release: 19.6.3 2019-08-13 10:03:08 -07:00
7
3f9c94ba4a
Merge pull request #1635 from huge-success/upgrade-websockets
Upgrade websockets, resolve incompatible issue between multidict and websockets
2019-08-12 10:48:56 -07:00
Adam Hopkins
aa270d3ac2 Add content-type headers in response in ASGI mode 2019-08-11 11:29:08 +03:00
7
a15d9552c4
Merge pull request #1632 from harshanarayana/feature/GIT-1631-Enable_Towncrier
feature: GIT-1631 enable towncrier
2019-08-06 08:33:10 -07:00
7
2363c0653e
Merge pull request #1640 from Tronic/sockaddrfix
Fix server crash on request.server_port when bound to IPv6.
2019-07-25 00:10:56 -07:00
Harsha Narayana
651c98d19a
fix: #1631: add ignore file to ensure empty changelog dir is retained
Signed-off-by: Harsha Narayana <harsha2k4@gmail.com>
2019-07-24 05:39:20 +05:30
Harsha Narayana
c1a7e0e3cd
feat: #1631: enable change log as part of release script
Signed-off-by: Harsha Narayana <harsha2k4@gmail.com>
2019-07-24 05:32:00 +05:30
Harsha Narayana
80b32d0c71
feat: #1631: enable make command to support setting up release
Signed-off-by: Harsha Narayana <harsha2k4@gmail.com>
2019-07-24 05:03:04 +05:30
Harsha Narayana
3842eb36fd
fix: #1631: fix pyproject toml indentation
Signed-off-by: Harsha Narayana <harsha2k4@gmail.com>
2019-07-24 04:28:11 +05:30
L. Kärkkäinen
7c7bedfa5d Fix server crash on request.server_port when bound to IPv6.
If no X-Forwarded-Port nor Host headers are present, Sanic uses "sockname"
to determine the port. This expected (host, port) tuple to be returned but
for IPv6 a 4-tuple is returned instead. Changed code so that port is picked
up in either case. Handling of "peername" was already correct in this regard.

_get_address and server_port both still return incorrect data or crash for
other socket types (e.g. unix). Socket type should be checked before any queries.
2019-07-22 15:32:57 +03:00
Yun Xu
5dafa9a170 bugfix: replace CIMultiDict with compat.Header in all places 2019-07-18 20:11:25 -07:00
Yun Xu
b397637bb9 bugfix: fix incompatible api between multidict and websockets, and bump up websockets version to match uvicorn 2019-07-18 19:57:17 -07:00
Harsha Narayana
95a0b2db2c
fix: #1631: move pyproject.toml to avoid PEP 517 conflict 2019-07-14 14:26:22 +05:30
Harsha Narayana
83864f890a
fix: #1631: add common contribution guidelines and towncrier detail to contribution guides
Signed-off-by: Harsha Narayana <harsha2k4@gmail.com>
2019-07-13 21:48:34 +05:30
Harsha Narayana
a019ff61e3
fix: #1631: linter fix and tox platform selector
Signed-off-by: Harsha Narayana <harsha2k4@gmail.com>
2019-07-13 21:48:26 +05:30
Harsha Narayana
b3ada6308b
fix: #1631: add doc test for travis CI
Signed-off-by: Harsha Narayana <harsha2k4@gmail.com>
2019-07-13 21:48:16 +05:30
Harsha Narayana
4e50295bf0
fix: #1631: add tox test support for documentation
Signed-off-by: Harsha Narayana <harsha2k4@gmail.com>
2019-07-13 21:48:06 +05:30
Harsha Narayana
32eb8abb63
fix: #1631: add towncrier support and fix documentation warnings
Signed-off-by: Harsha Narayana <harsha2k4@gmail.com>
2019-07-13 21:47:48 +05:30
7
84b41123f2
Merge pull request #1625 from harshanarayana/fix/GIT-1623-Cookie_Handling
fix: GIT-1623: handle cookie duplication and serialization issue
2019-07-10 21:35:35 -07:00
Harsha Narayana
23f2d33394
fix: GIT-1623: fix dict initialization for empty case
Signed-off-by: Harsha Narayana <harsha2k4@gmail.com>
2019-07-11 06:38:55 +05:30
Harsha Narayana
97f288a534
fix: GIT-1623: handle cookie duplication and serialization issue
Signed-off-by: Harsha Narayana <harsha2k4@gmail.com>
2019-07-08 13:03:33 +05:30
Adam Hopkins
68d5039c5f
Merge pull request #1624 from huge-success/release-19-6-2
19.6.2 release
2019-07-07 05:04:23 +03:00
Yun Xu
9d07988d75 19.6.2 release 2019-07-06 18:05:44 -07:00
7
1eaa2e3a5f
Merge pull request #1614 from huge-success/asgi-custom-request
Add custom request support to ASGI mode; fix a couple tests
2019-07-06 11:47:58 -07:00
Yun Xu
c7f2399ded remove commented code 2019-07-06 11:34:22 -07:00
7
650ab61c2e
Merge pull request #1619 from huge-success/abc-fix
Resolve deprecation notice for import of an ABC from collections module
2019-07-04 15:07:53 -07:00
Lagicrus
b7df86e7dd Updated routing docs (#1620)
* Updated routing docs

Updated routing docs to show all supported types as defined within 3685b4de85/sanic/router.py (L18)
Added example code for all examples besides regex
Added examples of queries that work with that type and ones that would not

* Tweak to call out string not str

Related to https://github.com/huge-success/sanic/pull/1620#discussion_r300120962

* Changed to using code comments to achieve a mono space like display

To address https://github.com/huge-success/sanic/pull/1620#discussion_r300120726

* Adjusted to list

Following https://github.com/huge-success/sanic/pull/1620#discussion_r300120726
2019-07-04 07:14:10 -05:00
BananaWanted
72b445621b Respect X-Forward-* headers and generate correct URLs in url_for (#1465)
* handle forwarded address in request

* added test cases

* Fix lint errors

* Fix uncovered code branch

* Update docstrings

* Update documents

* fix import order
2019-07-04 07:13:43 -05:00
Adam Hopkins
ba0e9baffa Resolve deprecation notice for import of an ABC from collections module 2019-07-03 09:39:38 +03:00
Adam Hopkins
503622438a
Merge pull request #1617 from newAM/patch-2
Fix a minor typo in websocket.rst.
2019-07-01 09:37:40 +03:00
Alex
d5e9aae425
Fix a minor typo in websocket.rst. 2019-06-30 22:11:02 -07:00
Adam Hopkins
a2666a2b8a Add custom request support to ASGI mode; fix a couple tests
Undo change to request stream test
2019-06-24 22:59:23 +03:00
7
966b05b47e
Merge pull request #1612 from c-goosen/bandit_security_static_analysis
Add bandit code static analyzer for security.
2019-06-24 10:05:20 -07:00
Christo Goosen
78fe97b9cb Add bandit code static analyzer for security, some false positives removed with #nosec.
Bandit is a Python package for statically scanning code for security issues.
* Added to tox.ini
* Added to setup.py
* Added to .travis.yml

As part of CI/CD pipeline
2019-06-24 09:53:29 +02:00
7
d2094fed38
Merge pull request #1607 from huge-success/doc-changelog
Changelog for 19.6.0 release
2019-06-21 09:42:12 -07:00
Yun Xu
e2d65ba57c fix readthedoc changelog page 2019-06-20 22:35:47 -07:00
Yun Xu
c9d8ab4b27 release: add 19.6.0 standard release changelog 2019-06-20 22:35:26 -07:00
7
891f99d71d
Merge pull request #1475 from tomchristie/asgi-refactor-attempt
ASGI refactoring attempt
2019-06-20 16:33:44 -07:00
Adam Hopkins
3f47fa9f99 Specify websockets version 2019-06-19 00:40:44 +03:00
Adam Hopkins
b1c23fdbaa Increase testing coverage for ASGI
Beautify

Specify websockets version
2019-06-19 00:38:58 +03:00
Adam Hopkins
62e0e5b9ec Increase testing coverage for ASGI
Beautify
2019-06-19 00:19:40 +03:00
Adam Hopkins
fb61834a2e Add ASGI documentation 2019-06-18 09:57:42 +03:00
7
8fbbe94fe1
Merge pull request #1436 from jotagesales/config_from_object_string
Config from object string
2019-06-16 16:58:43 -07:00
Adam Hopkins
ab706dda7d Resolve linting issues with imports 2019-06-11 11:21:37 +03:00