Update dependency starlette to v0.25.0 [SECURITY] #137
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==0.13.2
->==0.25.0
GitHub Vulnerability Alerts
GHSA-74m5-2c7w-9w3x
Impact
The
MultipartParser
using the packagepython-multipart
accepts an unlimited number of multipart parts (form fields or files).Processing too many parts results in high CPU usage and high memory usage, eventually leading to an OOM process kill.
This can be triggered by sending too many small form fields with no content, or too many empty files.
For this to take effect application code has to:
python-multipart
installed andrequest.form()
UploadFile
parameters, which in turn callsrequest.form()
.Patches
The vulnerability is solved in Starlette 0.25.0 by making the maximum fields and files customizable and with a sensible default (1000).
Applications will be secure by just upgrading their Starlette version to 0.25.0 (or FastAPI to 0.92.0).
If application code needs to customize the new max field and file number, there are new
request.form()
parameters (with the default values):max_files=1000
max_fields=1000
Workarounds
Applications that don't install
python-multipart
or that don't use form fields are safe.In older versions, it's also possible to instead of calling
request.form()
callrequest.stream()
and parse the form data in internal code.In most cases, the best solution is to upgrade the Starlette version.
References
This was reported in private by @das7pad via internal email. He also coordinated the fix across multiple frameworks and parsers.
The details about how
multipart/form-data
is structured and parsed are in the RFC 7578.Release Notes
encode/starlette
v0.25.0
: Version 0.25.0Compare Source
Fixed
multipart/form-data
on theMultipartParser
8c74c2c and #2036.v0.24.0
: Version 0.24.0Compare Source
Added
StaticFiles
to follow symlinks #1683.Request.form()
as a context manager #1903.size
attribute toUploadFile
#1405.env_prefix
argument toConfig
#1990.str
anddatetime
onexpires
parameter on theResponse.set_cookie
method #1908.Changed
file
argument required onUploadFile
#1413.Fixed
URL.replace
#1965.v0.23.1
: Version 0.23.1Compare Source
Fixed
body_stream
if body is empty on theBaseHTTPMiddleware
#1940.v0.23.0
: Version 0.23.0Compare Source
Added
headers
parameter to theTestClient
#1966.Deprecated
Starlette
andRouter
decorators #1897.Fixed
FloatConvertor
regex #1973.v0.22.0
: Version 0.22.0Compare Source
Changed
GZipMiddleware
when response includesContent-Encoding
#1901.Fixed
unquote()
from query parameters on theTestClient
#1953.MutableHeaders._list
is actually alist
#1917.AnyIO
#1936.v0.21.0
: Version 0.21.0Compare Source
This release replaces the underlying HTTP client used on the
TestClient
(requests
➡️httpx
), and as those clients differ a bit on their API, your test suite will likely break. To make the migration smoother, you can use thebump-testclient
tool.Changed
requests
withhttpx
inTestClient
#1376.Added
WebSocketException
and support for WebSocket exception handlers #1263.middleware
parameter toMount
class #1649.__repr__
for route classes #1864.Fixed
BackgroundTasks
were cancelled when usingBaseHTTPMiddleware
and client disconnected #1715.v0.20.4
: Version 0.20.4Compare Source
Fixed
v0.20.3
: Version 0.20.3Compare Source
Fixed
StaticFiles
to follow symlinks" #1681.v0.20.2
: Version 0.20.2Compare Source
Fixed
StaticFiles
to follow symlinks #1337.v0.20.1
: Version 0.20.1Compare Source
Fixed
boundary
is missing #1617.Content-Disposition
header #1643.StreamingResponse
onBaseHTTPMiddleware
#1609.__bool__
dunder forSecret
#1625.v0.20.0
: Version 0.20.0Compare Source
Removed
v0.19.1
: Version 0.19.1Compare Source
Fixed
Route.name
when created from methods #1553.TypeError
onwebsocket.disconnect
when code isNone
#1574.Deprecated
WS_1004_NO_STATUS_RCVD
andWS_1005_ABNORMAL_CLOSURE
in favor ofWS_1005_NO_STATUS_RCVD
andWS_1006_ABNORMAL_CLOSURE
, as the previous constants didn't match the WebSockets specs #1580.v0.19.0
: Version 0.19.0Compare Source
Added
headers
parameter toHTTPException
#1435.405
status code insert anAllow
header, as described by RFC 7231 #1436.content
argument inJSONResponse
is now required #1431.FileResponse
#1266.raw_path
toTestClient
scope #1445.MutableHeaders
#1240.anyio
required version range to>=3.4.0,<5.0
#1421 and #1460.typing-extensions>=3.10
requirement - used only on lower versions than Python 3.10 #1475.Fixed
BaseHTTPMiddleware
from hiding errors ofStreamingResponse
and mounted applications #1459.SessionMiddleware
uses an explicitpath=...
, instead of defaulting to the ASGI 'root_path' #1512.Request.client
is now compliant with the ASGI specifications #1462.KeyError
at early stage for missing boundary #1349.Deprecated
run_until_first_complete
#1443.v0.18.0
: Version 0.18.0Compare Source
Added
FileResponse
#1345.functools.partial
inWebSocketRoute
#1356.StaticFiles
packages with directory #1350.Jinja2Templates
#1401.HttpEndpoint
#1346.websocket.accept
message #1361 and #1422.reason
toWebSocket
close ASGI event #1417.UploadFile
#1382.Content-Length
header forContent-Length: 0
cases #1395.SessionMiddleware.max_age
now acceptsNone
, so cookie can last as long as the browser session #1387.Fixed
hashlib.md5()
function onFileResponse
s ETag generation. The parameterusedforsecurity
flag is set toFalse
, if the flag is available on the system. This fixes an error raised on systems with FIPS enabled #1366 and #1410.path_params
type onurl_path_for()
method i.e. turnstr
intoAny
#1341.Host
now ignoresport
on routing #1322.v0.17.1
: Version 0.17.1Compare Source
Fixed
IndexError
in authenticationrequires
when wrapped function arguments are distributed between*args
and**kwargs
#1335.v0.17.0
: Version 0.17.0Compare Source
Added
Response.delete_cookie
now accepts the same parameters asResponse.set_cookie
#1228.Jinja2Templates
constructor to allowPathLike
#1292.Fixed
HTTPConnection.__getitem__
return type fromstr
totyping.Any
#1118.ImmutableMultiDict.getlist
return type fromtyping.List[str]
totyping.List[typing.Any]
#1235.OSError
exceptions onStaticFiles
#1220.StaticFiles
404.html in HTML mode #1314.Removed
v0.16.0
: Version 0.16.0Compare Source
Added
#1219
Fixed
starlette.websockets.WebSocket
instances are now hashable and compare by identity#1039
#1213,
#1227
Deprecated/removed
starlette.templates.Jinja2Templates.get_env
was removed#1218
starlette.testclient.TestClient.async_backend
was removed,the backend is now configured using constructor kwargs
#1211
starlette.router.Router(lifespan_context=)
is deprecated. You should wrap your lifespan in@contextlib.asynccontextmanager
.#1227
#1110
v0.15.0
: Version 0.15.0Compare Source
0.15.0
This release includes major changes to the low-level asynchronous parts of Starlette. As a result, Starlette now depends on AnyIO and some minor API changes have occurred. Another significant change with this release is the deprecation of built-in GraphQL support.
Added
TestClient.websocket_connect()
now must be used as a context manager.GZipMiddleware
is now adjustable - #1128.Fixed
CORSMiddleware
. See #1111, #1112, #1113, #1199.RedirectResponse
now usesquote
instead ofquote_plus
encoding for theLocation
header to better match the behaviour in other frameworks such as Django - #1164.BaseHTTPMiddleware
when handling large responses - #1012 fixed via #1157Deprecated/removed
GraphQLApp
class has been deprecated and will be removed in a future release. Please see #619. GraphQL is not supported on Python 3.10.executor
parameter toGraphQLApp
was removed. Useexecutor_class
instead.workers
parameter toWSGIMiddleware
was removed. This hasn't had any effect since Starlette v0.6.3.v0.14.2
: Version 0.14.2Compare Source
Fixed
ServerErrorMiddleware
compatibility with Python 3.9.1/3.8.7 when debug mode is enabled - #1132.ResourceWarning
s when using theTestClient
with WebSocket endpoints - #1132.async
endpoints wrapped infunctools.partial
on Python 3.8+ - #1106.v0.14.1
: Version 0.14.1Compare Source
Removed
UJSONResponse
was removed (this change was intended to be included in 0.14.0). Please see the documentation for how to implement responses using custom JSON serialization - #1074.v0.14.0
: Version 0.14.0Compare Source
Added
StreamingResponse
, allow custom async iterator such as objects from classes implementing__aiter__
.functools.partial
async handlers in Python versions 3.6 and 3.7.Changed
asyncio.wait
.format_exception
instead offormat_tb
inServerErrorMiddleware
'sdebug
responses.requires
decorator.v0.13.8
: Version 0.13.8Compare Source
Revert
Queue(maxsize=1)
fix forBaseHTTPMiddleware
middleware classes and streaming responses.The
StaticFiles
constructor now allowspathlib.Path
in addition to strings for itsdirectory
argument.v0.13.7
: Version 0.13.7Compare Source
v0.13.6
: Version 0.13.6Compare Source
StaticFiles
.v0.13.5
: Version 0.13.5Compare Source
0.13.5
Starlette(lifespan=...)
functions.v0.13.4
: Version 0.13.4Compare Source
v0.13.3
Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.