A simple, yet elegant, HTTP library.
APACHE-2.0 License
Bot releases are hidden (Show)
Bugfixes
ssl
module. (#6724)Published by nateprewitt 5 months ago
Deprecations
To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed _get_connection
to
a new public API, get_connection_with_tls_context
. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
get_connection
is considered deprecated in all versions of Requests>=2.32.0.
A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (#6710)
Published by nateprewitt 5 months ago
Bugfixes
Published by nateprewitt 5 months ago
Security
verify=False
on the first request from averify
.Improvements
verify=True
now reuses a global SSLContext which should improvechardet
or charset_normalizer
) when repackaged or vendored.pip
and other projects to minimize their vendoringResponse.text()
and apparent_encoding
APIsutf-8
if neither library is present. (#6702)Bugfixes
/
(path separator) could leadDeprecations
Documentation
Packaging
requests
) is now locatedsrc/requests
in the Requests sdist. (#6506)hatchling
. This should not impact the average user, but extremely oldFull Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2320-2024-05-20
Published by nateprewitt over 1 year ago
Security
Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
forwarding of Proxy-Authorization
headers to destination servers when
following HTTPS redirects.
When proxies are defined with user info (https://user:pass@proxy:8080), Requests
will construct a Proxy-Authorization
header that is attached to the request to
authenticate with the proxy.
In cases where Requests receives a redirect response, it previously reattached
the Proxy-Authorization
header incorrectly, resulting in the value being
sent through the tunneled connection to the destination server. Users who rely on
defining their proxy credentials in the URL are strongly encouraged to upgrade
to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
credentials once the change has been fully deployed.
Users who do not use a proxy or do not supply their proxy credentials through
the user information portion of their proxy URL are not subject to this
vulnerability.
Full details can be read in our Github Security Advisory
and CVE-2023-32681.
Published by nateprewitt over 1 year ago
Dependencies
⚠️ Added support for urllib3 2.0. ⚠️
This may contain minor breaking changes so we advise careful testing and
reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html
prior to upgrading.
Users who wish to stay on urllib3 1.x can pin to urllib3<2
.
Published by nateprewitt over 1 year ago
Improvements
Published by nateprewitt almost 2 years ago
Dependencies
Bugfixes
Full Changelog: https://github.com/psf/requests/compare/v2.28.1...v2.28.2
Published by nateprewitt over 2 years ago
Improvements
iter_content
with transition to yield from
. (#6170)Dependencies
Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2281-2022-06-29
Published by nateprewitt over 2 years ago
Deprecations
Improvements
json()
API consistent. (#6097)Bugfixes
CURL_CA_BUNDLE
to an empty string would disableurllib3.exceptions.SSLError
withrequests.exceptions.SSLError
for content
and iter_content
. (#6057)Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2280-2022-06-09
Published by nateprewitt almost 3 years ago
Bugfixes
auth
component beingFull Changelog: https://github.com/psf/requests/blob/v2.27.1/HISTORY.md#2271-2022-01-05
Published by nateprewitt almost 3 years ago
Improvements
Officially added support for Python 3.10. (#5928)
Added a requests.exceptions.JSONDecodeError
to unify JSON exceptions between
Python 2 and 3. This gets raised in the response.json()
method, and is
backwards compatible as it inherits from previously thrown exceptions.
Can be caught from requests.exceptions.RequestException
as well. (#5856)
Improved error text for misnamed InvalidSchema
and MissingSchema
exceptions. This is a temporary fix until exceptions can be renamed
(Schema->Scheme). (#6017)
Improved proxy parsing for proxy URLs missing a scheme. This will address
recent changes to urlparse
in Python 3.9+. (#5917)
Bugfixes
Fixed defect in extract_zipped_paths
which could result in an infinite loop
for some paths. (#5851)
Fixed handling for AttributeError
when calculating length of files obtained
by Tarfile.extractfile()
. (#5239)
Fixed urllib3 exception leak, wrapping urllib3.exceptions.InvalidHeader
with
requests.exceptions.InvalidHeader
. (#5914)
Fixed bug where two Host headers were sent for chunked requests. (#5391)
Fixed regression in Requests 2.26.0 where Proxy-Authorization
was
incorrectly stripped from all requests sent with Session.send
. (#5924)
Fixed performance regression in 2.26.0 for hosts with a large number of
proxies available in the environment. (#5924)
Fixed idna exception leak, wrapping UnicodeError
with
requests.exceptions.InvalidURL
for URLs with a leading dot (.) in the
domain. (#5414)
Deprecations
Full Changelog: https://github.com/psf/requests/blob/v2.27.0/HISTORY.md#2270-2022-01-03