3.7.4 (2021-02-25)
Bugfixes
(SECURITY BUG) Started preventing open redirects in the aiohttp.web.normalize_path_middleware middleware. For more details, see https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg.
Thanks to Beast Glatisant for finding the first instance of this issue and Jelmer Vernooij for reporting and tracking it down in aiohttp.
Fix interpretation difference of the pure-Python and the Cython-based HTTP parsers construct a yarl.URL object for HTTP request-target.
Before this fix, the Python parser would turn the URI's absolute-path for //some-path into / while the Cython code preserved it as //some-path. Now, both do the latter.
3.7.3
=====
Features
--------
- Use Brotli instead of brotlipy
- Made exceptions pickleable. Also changed the repr of some exceptions.
Bugfixes
--------
- Raise a ClientResponseError instead of an AssertionError for a blank
HTTP Reason Phrase.
- Fix ``web_middlewares.normalize_path_middleware`` behavior for patch without slash.
- Fix overshadowing of overlapped sub-applications prefixes.
- Make `BaseConnector.close()` a coroutine and wait until the client closes all connections. Drop deprecated "with Connector():" syntax.
- Reset the ``sock_read`` timeout each time data is received for a ``aiohttp.client`` response.
- Fixed type annotation for add_view method of UrlDispatcher to accept any subclass of View
- Fixed querying the address families from DNS that the current host supports.
- Change return type of MultipartReader.__aiter__() and BodyPartReader.__aiter__() to AsyncIterator.
- Provide x86 Windows wheels.
Improved Documentation
----------------------
- Add documentation for ``aiohttp.web.FileResponse``.
- Removed deprecation warning in tracing example docs
- Fixed wrong "Usage" docstring of ``aiohttp.client.request``.
- Add aiohttp-pydantic to third party libraries
3.7.1
Bugfixes
- Fixed a type error caused by the conditional import of `Protocol`.
- Server doesn't send Content-Length for 1xx or 204
- Fix run_app typing
- Always require ``typing_extensions`` library.
- Fix a variable-shadowing bug causing `ThreadedResolver.resolve` to
return the resolved IP as the ``hostname`` in each record, which prevented
validation of HTTPS connections.
- Added annotations to all public attributes.
- Fix flaky test_when_timeout_smaller_second
- Ensure sending a zero byte file does not throw an exception
- Fix a bug in ``web.run_app()`` about Python version checking on Windows
3.6.2:
Features
- Made exceptions pickleable. Also changed the repr of some exceptions.
- Use Iterable type hint instead of Sequence for Application *middleware*
parameter.
Bugfixes
- Reset the sock_read timeout each time data is received for a
aiohttp.ClientResponse.
- Fix handling of expired cookies so they are not stored in CookieJar.
- Fix misleading message in the string representation of ClientConnectorError;
self.ssl == None means default SSL context, not SSL disabled
- Don't clobber HTTP status when using FileResponse.
Improved Documentation
- Added minimal required logging configuration to logging documentation.
- Update docs to reflect proxy support.
- Fix typo in code example in testing docs.
3.6.1:
Features
- Compatibility with Python 3.8.
Bugfixes
- correct some exception string format
- Emit a warning when ``ssl.OP_NO_COMPRESSION`` is
unavailable because the runtime is built against
an outdated OpenSSL.
- Update multidict requirement to >= 4.5
Improved Documentation
- Provide pytest-aiohttp namespace for pytest fixtures in docs.
3.6.0:
Features
- Add support for Named Pipes (Site and Connector) under Windows. This feature requires Proactor event loop to work.
- Removed `Transfer-Encoding: chunked` header from websocket responses to be compatible with more http proxy servers.
- Accept non-GET request for starting websocket handshake on server side.
Bugfixes
- Raise a ClientResponseError instead of an AssertionError for a blank
HTTP Reason Phrase.
- Fix an issue where cookies would sometimes not be set during a redirect.
- Change normalize_path_middleware to use 308 redirect instead of 301.
This behavior should prevent clients from being unable to use PUT/POST
methods on endpoints that are redirected because of a trailing slash.
- Drop the processed task from ``all_tasks()`` list early. It prevents logging about a task with unhandled exception when the server is used in conjunction with ``asyncio.run()``.
- ``Signal`` type annotation changed from `Signal[Callable[['TraceConfig'], Awaitable[None]]]` to `Signal[Callable[ClientSession, SimpleNamespace, ...]`.
- Use sanitized URL as Location header in redirects
- Improve typing annotations for multipart.py along with changes required
by mypy in files that references multipart.py.
- Close session created inside ``aiohttp.request`` when unhandled exception occurs
- Cleanup per-chunk data in generic data read. Memory leak fixed.
- Use correct type for add_view and family
- Fix _keepalive field in __slots__ of web_protocol.RequestHandler.
- Properly handle ConnectionResetError, to silence the "Cannot write to closing
transport" exception when clients disconnect uncleanly.
- Suppress pytest warnings due to test util classes
- Fix overshadowing of overlapped subbaps prefixes.
- Fixed return type annotation for WSMessage.json()
- Properly expose TooManyRedirects publicly as documented.
- Fix missing brackets for IPv6 in proxy CONNECT request
- Make the signature of `aiohttp.test_utils.TestClient.request` match `asyncio.ClientSession.request` according to the docs
- Use correct style for re-exported imports, makes mypy ``--strict`` mode happy.
- Fixed type annotation for add_view method of UrlDispatcher to accept any subclass of View
- Made cython HTTP parser set Reason-Phrase of the response to an empty string if it is missing.
- Add URL to the string representation of ClientResponseError.
- Accept istr keys in LooseHeaders type hints.
- Fixed race conditions in _resolve_host caching and throttling when tracing is enabled.
- For URLs like "unix://localhost/..." set Host HTTP header to "localhost" instead of "localhost:None".
3.5.3:
Bugfixes
- Fix type stubs for aiohttp.web.run_app(access_log=True) and fix edge case of access_log=True and the event loop being in debug mode.
- Fix aiohttp.ClientTimeout type annotations to accept None for fields
- Send custom per-request cookies even if session jar is empty
- Restore Linux binary wheels publishing on PyPI
3.5.2:
Features
- FileResponse from web_fileresponse.py uses a ThreadPoolExecutor to work with files asynchronously.
I/O based payloads from payload.py uses a ThreadPoolExecutor to work with I/O objects asynchronously.
- Internal Server Errors in plain text if the browser does not support HTML.
Bugfixes
- Preserve MultipartWriter parts headers on write.
Refactor the way how Payload.headers are handled. Payload instances now always
have headers and Content-Type defined.
Fix Payload Content-Disposition header reset after initial creation.
- Log suppressed exceptions in GunicornWebWorker.
- Remove wildcard imports.
- Use the same task for app initialization and web server handling in gunicorn workers.
It allows to use Python3.7 context vars smoothly.
- Fix handling of chunked+gzipped response when first chunk does not give uncompressed data
- Replace collections.MutableMapping with collections.abc.MutableMapping to avoid a deprecation warning.
- Payload.size type annotation changed from Optional[float] to Optional[int].
- Ignore done tasks when cancels pending activities on web.run_app finalization.
3.5.0 (2018-12-22)
Features
The library type annotations are checked in strict mode now.
Add support for setting cookies for individual request
Application.add_domain implementation
The default app in the request returned by test_utils.make_mocked_request can now have objects assigned to it and retrieved using the [] operator.
Make request.url accessible when transport is closed.
Add zlib_executor_size argument to Response constructor to allow compression to run in a background executor to avoid blocking the main thread and potentially triggering health check failures.
Enable users to set ClientTimeout in aiohttp.request
Don’t raise a warning if NETRC environment variable is not set and ~/.netrc file doesn’t exist.
Add default logging handler to web.run_app
If the Application.debug flag is set and the default logger aiohttp.access is used, access logs will now be output using a stderr StreamHandler if no handlers are attached. Furthermore, if the default logger has no log level set, the log level will be set to DEBUG.
Add method argument to session.ws_connect().
Sometimes server API requires a different HTTP method for WebSocket connection establishment.
For example, Docker exec needs POST.
Create a task per request handling.
Bugfixes
Enable passing access_log_class via handler_args
Return empty bytes with end-of-chunk marker in empty stream reader.
Accept CIMultiDictProxy instances for headers argument in web.Response constructor.
Don’t uppercase HTTP method in parser
Make method match regexp RFC-7230 compliant
Add app.pre_frozen state to properly handle startup signals in sub-applications.
Enhanced parsing and validation of helpers.BasicAuth.decode.
Change imports from collections module in preparation for 3.8.
Ensure Host header is added first to ClientRequest to better replicate browser
Fix forward compatibility with Python 3.8: importing ABCs directly from the collections module will not be supported anymore.
Keep the query string by normalize_path_middleware.
Fix missing parameter raise_for_status for aiohttp.request()
Bracket IPv6 addresses in the HOST header
Fix default message for server ping and pong frames.
Fix tests/test_connector.py typo and tests/autobahn/server.py duplicate loop def.
Fix false-negative indicator end_of_HTTP_chunk in StreamReader.readchunk function
Release HTTP response before raising status exception
Fix task cancellation when sendfile() syscall is used by static file handling.
Fix stack trace for asyncio.TimeoutError which was not logged, when it is caught in the handler.
Improved Documentation
Improve documentation of Application.make_handler parameters.
Fix BaseRequest.raw_headers doc.
Fix typo in TypeError exception reason in web.Application._handle
Make server access log format placeholder %b documentation reflect behavior and docstring.
Deprecations and Removals
Deprecate modification of session.requote_redirect_url
Deprecate stream.unread_data()
Deprecated use of boolean in resp.enable_compression()
Encourage creation of aiohttp public objects inside a coroutine
Drop dead Connection.detach() and Connection.writer. Both methods were broken for more than 2 years.
Deprecate app.loop, request.loop, client.loop and connector.loop properties.
Deprecate explicit debug argument. Use asyncio debug mode instead.
Deprecate body parameter in HTTPException (and derived classes) constructor.
Deprecate bare connector close, use async with connector: and await connector.close() instead.
Deprecate obsolete read_timeout and conn_timeout in ClientSession constructor.
3.4.4:
Fix installation from sources when compiling toolkit is not available
3.4.3:
Add app.pre_frozen state to properly handle startup signals in sub-applications.
3.4.0:
Features
Add type hints
Add raise_for_status request parameter
Add type hints to HTTP client
Minor server optimizations
Preserve the cause when HTTPException is raised from another exception.
Add close_boundary option in MultipartWriter.write method. Support streaming
Added a remove_slash option to the normalize_path_middleware factory.
The class AbstractRouteDef is importable from aiohttp.web.
Bugfixes
Prevent double closing when client connection is released before the last data_received() callback.
Make redirect with normalize_path_middleware work when using url encoded paths.
Postpone web task creation to connection establishment.
Fix sock_read timeout.
When using a server-request body as the data= argument of a client request, iterate over the content with readany instead of readline to avoid Line too long errors.
fix UrlDispatcher has no attribute add_options, add web.options
correct filename in content-disposition with multipart body
Many HTTP proxies has buggy keepalive support. Let's not reuse connection but close it after processing every response.
raise 413 "Payload Too Large" rather than raising ValueError in request.post() Add helpful debug message to 413 responses
Fix StreamResponse equality, now that they are MutableMapping objects.
Fix server request objects comparison
Do not hang on 206 Partial Content response with Content-Encoding: gzip
Fix timeout precondition checkers
Improved Documentation
Add a new FAQ entry that clarifies that you should not reuse response objects in middleware functions.
Add FAQ section "Why is creating a ClientSession outside of an event loop dangerous?"
Fix link to Rambler
Fix TCPSite documentation on the Server Reference page.
Fix documentation build configuration file for Windows.
Remove no longer existing lingering_timeout parameter of Application.make_handler from documentation.
Mention that app.make_handler is deprecated, recommend to use runners API instead.
Deprecations and Removals
Drop loop.current_task() from helpers.current_task()
Drop reader parameter from request.multipart().
3.3.2:
- Many HTTP proxies has buggy keepalive support. Let's not reuse connection but
close it after processing every response.
- Provide vendor source files in tarball
3.3.1:
- Fix sock_read timeout.
- When using a server-request body as the data= argument of a client request,
iterate over the content with readany instead of readline to avoid Line
too long errors.
3.3.0:
Features
- Raise ConnectionResetError instead of CancelledError on trying to
write to a closed stream.
- Implement ClientTimeout class and support socket read timeout.
- Enable logging when aiohttp.web is used as a program
- Add canonical property to resources
- Forbid reading response BODY after release
- Implement base protocol class to avoid a dependency from internal
asyncio.streams.FlowControlMixin
- Cythonize @helpers.reify, 5% boost on macro benchmark
- Optimize HTTP parser
- Implement runner.addresses property.
- Use bytearray instead of a list of bytes in websocket reader. It
improves websocket message reading a little.
- Remove heartbeat on closing connection on keepalive timeout. The used hack
violates HTTP protocol.
- Limit websocket message size on reading to 4 MB by default.
Bugfixes
- Don't reuse a connection with the same URL but different proxy/TLS settings
- When parsing the Forwarded header, the optional port number is now preserved.
Improved Documentation
- Make Change Log more visible in docs
- Make style and grammar improvements on the FAQ page.
- Document that signal handlers should be async functions since aiohttp 3.0
Deprecations and Removals
- Deprecate custom application's router.
3.2.0
Features
Raise TooManyRedirects exception when client gets redirected too many times instead of returning last response.
Extract route definitions into separate web_routedef.py file
Raise an exception on request body reading after sending response.
ClientResponse and RequestInfo now have real_url property, which is request url without fragment part being stripped
Speed up connector limiting
Added and links property for ClientResponse object
Add request.config_dict for exposing nested applications data.
Speed up HTTP headers serialization, server micro-benchmark runs 5% faster now.
Apply assertions in debug mode only
Bugfixes
expose property app for TestClient
Call on_chunk_sent when write_eof takes as a param the last chunk
A closing bracket was added to __repr__ of resources
Fix compression of FileResponse
Fixes some bugs in the limit connection feature
Improved Documentation
Drop async_timeout usage from documentation for client API in favor of timeout parameter.
Improve Gunicorn logging documentation
Replace multipart writer .serialize() method with .write() in documentation.
Deprecations and Removals
Deprecate Application.make_handler()
3.1.0:
Features
- Relax JSON content-type checking in the ClientResponse.json() to allow
"application/xxx+json" instead of strict "application/json".
- Bump C HTTP parser to version 2.8
- Accept a coroutine as an application factory in web.run_app and gunicorn
worker.
- Implement application cleanup context
- Make writer.write_headers a coroutine.
- Add tracking signals for getting request/response bodies.
- Deprecate ClientResponseError.code in favor of .status to keep similarity
with response classes.
- Implement app.add_routes() method.
- Implement web.static() and RouteTableDef.static() API.
- Install a test event loop as default by asyncio.set_event_loop(). The
change affects aiohttp test utils but backward compatibility is not broken
for 99.99% of use cases.
- Refactor ClientResponse constructor: make logically required constructor
arguments mandatory, drop _post_init() method.
- Use app.add_routes() in server docs everywhere
- Websockets refactoring, all websocket writer methods are converted into
coroutines.
- Provide Content-Range header for Range requests
Bugfixes
- Fix websocket client return EofStream.
- Fix websocket demo.
- Property BaseRequest.http_range now returns a python-like slice when
requesting the tail of the range. It's now indicated by a negative value in
range.start rather then in range.stop
- Close a connection if an unexpected exception occurs while sending a request
- Fix firing DNS tracing events.
Improved Documentation
- Change ClientResponse.json() documentation to reflect that it now
allows "application/xxx+json" content-types
- Document behavior when cchardet detects encodings that are unknown to Python.
- Add diagrams for tracing request life style.
- Drop removed functionality for passing StreamReader as data at client
side.
3.0.7:
Fix SSL proxy support by client.
Restore a imperative check in setup.py for python version. The check works in parallel to environment marker. As effect a error about unsupported Python versions is raised even on outdated systems with very old setuptools version installed.
3.0.2:
Security Fix
Prevent Windows absolute URLs in static files. Paths like /static/D:\path and /static/\\hostname\drive\path are forbidden.
3.0.1:
Technical release for fixing distribution problems.
aiohttp 3.0 release:
Major release, many already deprecated things are removed
Minimal supported Python version is 3.5.3.
aiohttp uses shiny async/await syntax everywhere internally (while old yield from is still supported).
Read https://docs.aiohttp.org/en/stable/whats_new_3_0.html for brief information about most important changes.
2.3.5:
Fix compatibility with pytest 3.3+
2.3.4:
Make request.app point to proper application instance when using nested applications (with middlewares).
Change base class of ClientConnectorSSLError to ClientSSLError from ClientConnectorError.
Return client connection back to free pool on error in connector.connect().
2.3.3:
Having a ; in Response content type does not assume it contains a charset anymore.
Use getattr(asyncio, ‘async’) for keeping compatibility with Python 3.7.
Ignore NotImplementedError raised by set_child_watcher from uvloop.
Fix warning in ClientSession.__del__ by stopping to try to close it.
Fixed typo’s in Third-party libraries page. And added async-v20 to the list
2.3.2:
Fix passing client max size on cloning request obj.
Fix ClientConnectorSSLError and ClientProxyConnectionError for proxy connector.
Drop generated _http_parser shared object from tarball distribution.
Fix connector convert OSError to ClientConnectorError.
Fix connection attempts for multiple dns hosts.
Fix ValueError for AF_INET6 sockets if a preexisting INET6 socket to the aiohttp.web.run_app function.
_SessionRequestContextManager closes the session properly now.
Rename from_env to trust_env in client reference.
2.3.1:
Relax attribute lookup in warning about old-styled middleware
2.3.0:
Features
--------
Add SSL related params to ClientSession.request
Make enable_compression work on HTTP/1.0
Deprecate registering synchronous web handlers
Switch to multidict 3.0. All HTTP headers preserve casing now but compared in case-insensitive way.
Improvement for normalize_path_middleware. Added possibility to handle URLs with query string.
Use towncrier for CHANGES.txt build
Implement trust_env=True param in ClientSession.
Added variable to customize proxy headers
Implement router.add_routes and router decorators.
Deprecated BaseRequest.has_body in favor of BaseRequest.can_read_body Added BaseRequest.body_exists attribute that stays static for the lifetime of the request
Provide BaseRequest.loop attribute
Make _CoroGuard awaitable and fix ClientSession.close warning message
Responses to redirects without Location header are returned instead of raising a RuntimeError
Added get_client, get_server, setUpAsync and tearDownAsync methods to AioHTTPTestCase
Add automatically a SafeChildWatcher to the test loop
add ability to disable automatic response decompression
Add support for throttling DNS request, avoiding the requests saturation when there is a miss in the DNS cache and many requests getting into the connector at the same time.
Use request for getting access log information instead of message/transport pair. Add RequestBase.remote property for accessing to IP of client initiated HTTP request.
json() raises a ContentTypeError exception if the content-type does not meet the requirements instead of raising a generic ClientResponseError.
Make the HTTP client able to return HTTP chunks when chunked transfer encoding is used.
add append_version arg into StaticResource.url and StaticResource.url_for methods for getting an url with hash (version) of the file.
Fix parsing the Forwarded header. * commas and semicolons are allowed inside quoted-strings; * empty forwarded-pairs (as in for=_1;;by=_2) are allowed; * non-standard parameters are allowed (although this alone could be easily done in the previous parser).
Don’t require ssl module to run. aiohttp does not require SSL to function. The code paths involved with SSL will only be hit upon SSL usage. Raise RuntimeError if HTTPS protocol is required but ssl module is not present.
Accept coroutine fixtures in pytest plugin
Call shutdown_asyncgens before event loop closing on Python 3.6.
Speed up Signals when there are no receivers
Raise InvalidURL instead of ValueError on fetches with invalid URL.
Move DummyCookieJar into cookiejar.py
run_app: Make print=None disable printing
Support brotli encoding (generic-purpose lossless compression algorithm)
Add server support for WebSockets Per-Message Deflate. Add client option to add deflate compress header in WebSockets request header. If calling ClientSession.ws_connect() with compress=15 the client will support deflate compress negotiation.
Support verify_ssl, fingerprint, ssl_context and proxy_headers by client.ws_connect.
Added aiohttp.ClientConnectorSSLError when connection fails due ssl.SSLError
aiohttp.web.Application.make_handler support access_log_class
Build HTTP parser extension in non-strict mode by default.
Bugfixes
--------
Clear auth information on redirecting to other domain
Fix missing app.loop on startup hooks during tests
Fix issue with synchronous session closing when using ClientSession as an asynchronous context manager.
Fix issue with CookieJar incorrectly expiring cookies in some edge cases.
Force use of IPv4 during test, this will make tests run in a Docker container
Warnings about unawaited coroutines now correctly point to the user’s code.
Fix issue with IndexError being raised by the StreamReader.iter_chunks() generator.
Support HTTP 308 Permanent redirect in client class.
Fix FileResponse sending empty chunked body on 304.
Do not add Content-Length: 0 to GET/HEAD/TRACE/OPTIONS requests by default.
Fix parsing the Forwarded header according to RFC 7239.
Securely determining remote/scheme/host
Fix header name parsing, if name is split into multiple lines
Handle session close during connection, KeyError: <aiohttp.connector._TransportPlaceholder>
Fixes uncaught TypeError in helpers.guess_filename if name is not a string
Raise OSError on async DNS lookup if resolved domain is an alias for another one, which does not have an A or CNAME record.
Fix incorrect warning in StreamReader.
Properly clone state of web request
Fix C HTTP parser for cases when status line is split into different TCP packets.
Fix web.FileResponse overriding user supplied Content-Type
Features:
* Supports both Client and HTTP Server.
* Supports both Server WebSockets and Client WebSockets out-of-the-box.
* Web-server has Middlewares, Signals and pluggable routing.
