A simple, yet elegant, HTTP library.
Security
Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of Proxy-Authorization headers to destination servers when following HTTPS redirects.
When proxies are defined with user info (https://user:pass@proxy:8080), Requests will construct a Proxy-Authorization header that is attached to the request to authenticate with the proxy.
In cases where Requests receives a redirect response, it previously reattached the Proxy-Authorization header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are strongly encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed.
Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.
Full details can be read in our GitHub Security Advisory and CVE-2023-32681.
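An added example, not code from the Requests project: a small audit that flags deployments matching the advisory's conditions (an installed version from 2.3.0 up to but not including 2.31.0, and a proxy URL carrying user info) so the credentials to rotate can be listed. The function names, the choice of environment variables to scan, and the sample proxy map are assumptions made for illustration.

```python
import os
import re
from urllib.parse import urlsplit

FIRST_AFFECTED = (2, 3, 0)   # lower bound stated in the advisory text
FIRST_FIXED = (2, 31, 0)     # upgrade target stated in the advisory text

# Constructed sample input (not real credentials or hosts).
SAMPLE_PROXIES = {
    "http": "http://proxy.example:8080",
    "https": "https://user:pass@proxy.example:8080",
    "ftp": "user:pass@proxy.example:3128",   # scheme-less entry
}

def parse_version(text):
    """Turn a version string such as '2.28.1' into a comparable 3-tuple."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def version_is_affected(version):
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED

def proxy_has_userinfo(proxy_url):
    """True when credentials are embedded in the proxy URL itself."""
    if "://" not in proxy_url:
        proxy_url = "http://" + proxy_url  # let urlsplit see a netloc
    parts = urlsplit(proxy_url)
    return bool(parts.username or parts.password)

def audit(version, proxies):
    """Return the proxy keys whose URL credentials should be rotated."""
    if not version_is_affected(version):
        return []
    return sorted(k for k, url in proxies.items() if url and proxy_has_userinfo(url))

def proxies_from_environment(environ=None):
    """Collect proxy settings from the usual environment variables (assumed set)."""
    environ = os.environ if environ is None else environ
    wanted = ("http_proxy", "https_proxy", "all_proxy")
    return {k.lower(): v for k, v in environ.items() if k.lower() in wanted}

if __name__ == "__main__":
    from importlib.metadata import PackageNotFoundError, version
    try:
        installed = version("requests")
    except PackageNotFoundError:
        installed = "0"
    print(installed, audit(installed, proxies_from_environment()))
```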
Dependencies
⚠️ Added support for urllib3 2.0. ⚠️
This may contain minor breaking changes so we advise careful testing and reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html prior to upgrading.
Users who wish to stay on urllib3 1.x can pin to urllib3<2.
Dependencies
Bugfixes
Full Changelog: https://github.com/psf/requests/compare/v2.28.1...v2.28.2
Improvements
iter_content with transition to yield from. (#6170)
Dependencies
Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2281-2022-06-29
Deprecations
Improvements
json() API consistent. (#6097)
Bugfixes
CURL_CA_BUNDLE to an empty string would disable cert verification. All Requests 2.x versions before 2.28.0 are affected. (#6074)
urllib3.exceptions.SSLError with requests.exceptions.SSLError for content and iter_content. (#6057)
Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2280-2022-06-09
Bugfixes
auth component being dropped from proxy URLs. (#6028)
Full Changelog: https://github.com/psf/requests/blob/v2.27.1/HISTORY.md#2271-2022-01-05
Improvements
Officially added support for Python 3.10. (#5928)
Added a requests.exceptions.JSONDecodeError to unify JSON exceptions between Python 2 and 3. This gets raised in the response.json() method, and is backwards compatible as it inherits from previously thrown exceptions. Can be caught from requests.exceptions.RequestException as well. (#5856)
Improved error text for misnamed InvalidSchema and MissingSchema exceptions. This is a temporary fix until exceptions can be renamed (Schema->Scheme). (#6017)
Improved proxy parsing for proxy URLs missing a scheme. This will address recent changes to urlparse in Python 3.9+. (#5917)
Bugfixes
Fixed defect in extract_zipped_paths which could result in an infinite loop for some paths. (#5851)
Fixed handling for AttributeError when calculating length of files obtained by Tarfile.extractfile(). (#5239)
Fixed urllib3 exception leak, wrapping urllib3.exceptions.InvalidHeader with requests.exceptions.InvalidHeader. (#5914)
Fixed bug where two Host headers were sent for chunked requests. (#5391)
Fixed regression in Requests 2.26.0 where Proxy-Authorization was incorrectly stripped from all requests sent with Session.send. (#5924)
Fixed performance regression in 2.26.0 for hosts with a large number of proxies available in the environment. (#5924)
Fixed idna exception leak, wrapping UnicodeError with requests.exceptions.InvalidURL for URLs with a leading dot (.) in the domain. (#5414)
Deprecations
Full Changelog: https://github.com/psf/requests/blob/v2.27.0/HISTORY.md#2270-2022-01-03