uvicorn 0.30.5__py3-none-any.whl → 0.31.0__py3-none-any.whl

uvicorn/__init__.py

@@ -1,5 +1,5 @@
 from uvicorn.config import Config
 from uvicorn.main import Server, main, run
 
-__version__ = "0.30.5"
+__version__ = "0.31.0"
 __all__ = ["main", "run", "Config", "Server"]

uvicorn/main.py

@@ -240,8 +240,10 @@ def print_version(ctx: click.Context, param: click.Parameter, value: bool) -> No
     "--forwarded-allow-ips",
     type=str,
     default=None,
-    help="Comma separated list of IPs to trust with proxy headers. Defaults to"
-    " the $FORWARDED_ALLOW_IPS environment variable if available, or '127.0.0.1'.",
+    help="Comma separated list of IP Addresses, IP Networks, or literals "
+    "(e.g. UNIX Socket path) to trust with proxy headers. Defaults to the "
+    "$FORWARDED_ALLOW_IPS environment variable if available, or '127.0.0.1'. "
+    "The literal '*' means trust everything.",
 )
 @click.option(
     "--root-path",

uvicorn/middleware/proxy_headers.py

@@ -1,70 +1,142 @@
-"""
-This middleware can be used when a known proxy is fronting the application,
-and is trusted to be properly setting the `X-Forwarded-Proto` and
-`X-Forwarded-For` headers with the connecting client information.
+from __future__ import annotations
 
-Modifies the `client` and `scheme` information so that they reference
-the connecting client, rather that the connecting proxy.
+import ipaddress
 
-https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#Proxies
-"""
+from uvicorn._types import ASGI3Application, ASGIReceiveCallable, ASGISendCallable, Scope
 
-from __future__ import annotations
 
-from typing import Union, cast
+class ProxyHeadersMiddleware:
+    """Middleware for handling known proxy headers
 
-from uvicorn._types import ASGI3Application, ASGIReceiveCallable, ASGISendCallable, HTTPScope, Scope, WebSocketScope
+    This middleware can be used when a known proxy is fronting the application,
+    and is trusted to be properly setting the `X-Forwarded-Proto` and
+    `X-Forwarded-For` headers with the connecting client information.
 
+    Modifies the `client` and `scheme` information so that they reference
+    the connecting client, rather that the connecting proxy.
 
-class ProxyHeadersMiddleware:
-    def __init__(
-        self,
-        app: ASGI3Application,
-        trusted_hosts: list[str] | str = "127.0.0.1",
-    ) -> None:
+    References:
+    - <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#Proxies>
+    - <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For>
+    """
+
+    def __init__(self, app: ASGI3Application, trusted_hosts: list[str] | str = "127.0.0.1") -> None:
         self.app = app
-        if isinstance(trusted_hosts, str):
-            self.trusted_hosts = {item.strip() for item in trusted_hosts.split(",")}
-        else:
-            self.trusted_hosts = set(trusted_hosts)
-        self.always_trust = "*" in self.trusted_hosts
+        self.trusted_hosts = _TrustedHosts(trusted_hosts)
 
-    def get_trusted_client_host(self, x_forwarded_for_hosts: list[str]) -> str | None:
-        if self.always_trust:
-            return x_forwarded_for_hosts[0]
+    async def __call__(self, scope: Scope, receive: ASGIReceiveCallable, send: ASGISendCallable) -> None:
+        if scope["type"] == "lifespan":
+            return await self.app(scope, receive, send)
 
-        for host in reversed(x_forwarded_for_hosts):
-            if host not in self.trusted_hosts:
-                return host
+        client_addr = scope.get("client")
+        client_host = client_addr[0] if client_addr else None
 
-        return None  # pragma: full coverage
+        if client_host in self.trusted_hosts:
+            headers = dict(scope["headers"])
 
-    async def __call__(self, scope: Scope, receive: ASGIReceiveCallable, send: ASGISendCallable) -> None:
-        if scope["type"] in ("http", "websocket"):
-            scope = cast(Union["HTTPScope", "WebSocketScope"], scope)
-            client_addr: tuple[str, int] | None = scope.get("client")
-            client_host = client_addr[0] if client_addr else None
-
-            if self.always_trust or client_host in self.trusted_hosts:
-                headers = dict(scope["headers"])
-
-                if b"x-forwarded-proto" in headers:
-                    # Determine if the incoming request was http or https based on
-                    # the X-Forwarded-Proto header.
-                    x_forwarded_proto = headers[b"x-forwarded-proto"].decode("latin1").strip()
+            if b"x-forwarded-proto" in headers:
+                x_forwarded_proto = headers[b"x-forwarded-proto"].decode("latin1").strip()
+
+                if x_forwarded_proto in {"http", "https", "ws", "wss"}:
                     if scope["type"] == "websocket":
                         scope["scheme"] = x_forwarded_proto.replace("http", "ws")
                     else:
                         scope["scheme"] = x_forwarded_proto
 
-                if b"x-forwarded-for" in headers:
-                    # Determine the client address from the last trusted IP in the
-                    # X-Forwarded-For header. We've lost the connecting client's port
-                    # information by now, so only include the host.
-                    x_forwarded_for = headers[b"x-forwarded-for"].decode("latin1")
-                    x_forwarded_for_hosts = [item.strip() for item in x_forwarded_for.split(",")]
-                    host = self.get_trusted_client_host(x_forwarded_for_hosts)
+            if b"x-forwarded-for" in headers:
+                x_forwarded_for = headers[b"x-forwarded-for"].decode("latin1")
+                host = self.trusted_hosts.get_trusted_client_host(x_forwarded_for)
+
+                if host:
+                    # If the x-forwarded-for header is empty then host is an empty string.
+                    # Only set the client if we actually got something usable.
+                    # See: https://github.com/encode/uvicorn/issues/1068
+
+                    # We've lost the connecting client's port information by now,
+                    # so only include the host.
                     port = 0
-                    scope["client"] = (host, port)  # type: ignore[arg-type]
+                    scope["client"] = (host, port)
 
         return await self.app(scope, receive, send)
+
+
+def _parse_raw_hosts(value: str) -> list[str]:
+    return [item.strip() for item in value.split(",")]
+
+
+class _TrustedHosts:
+    """Container for trusted hosts and networks"""
+
+    def __init__(self, trusted_hosts: list[str] | str) -> None:
+        self.always_trust: bool = trusted_hosts == "*"
+
+        self.trusted_literals: set[str] = set()
+        self.trusted_hosts: set[ipaddress.IPv4Address | ipaddress.IPv6Address] = set()
+        self.trusted_networks: set[ipaddress.IPv4Network | ipaddress.IPv6Network] = set()
+
+        # Notes:
+        # - We separate hosts from literals as there are many ways to write
+        #   an IPv6 Address so we need to compare by object.
+        # - We don't convert IP Address to single host networks (e.g. /32 / 128) as
+        #   it more efficient to do an address lookup in a set than check for
+        #   membership in each network.
+        # - We still allow literals as it might be possible that we receive a
+        #   something that isn't an IP Address e.g. a unix socket.
+
+        if not self.always_trust:
+            if isinstance(trusted_hosts, str):
+                trusted_hosts = _parse_raw_hosts(trusted_hosts)
+
+            for host in trusted_hosts:
+                # Note: because we always convert invalid IP types to literals it
+                # is not possible for the user to know they provided a malformed IP
+                # type - this may lead to unexpected / difficult to debug behaviour.
+
+                if "/" in host:
+                    # Looks like a network
+                    try:
+                        self.trusted_networks.add(ipaddress.ip_network(host))
+                    except ValueError:
+                        # Was not a valid IP Network
+                        self.trusted_literals.add(host)
+                else:
+                    try:
+                        self.trusted_hosts.add(ipaddress.ip_address(host))
+                    except ValueError:
+                        # Was not a valid IP Address
+                        self.trusted_literals.add(host)
+
+    def __contains__(self, host: str | None) -> bool:
+        if self.always_trust:
+            return True
+
+        if not host:
+            return False
+
+        try:
+            ip = ipaddress.ip_address(host)
+            if ip in self.trusted_hosts:
+                return True
+            return any(ip in net for net in self.trusted_networks)
+
+        except ValueError:
+            return host in self.trusted_literals
+
+    def get_trusted_client_host(self, x_forwarded_for: str) -> str:
+        """Extract the client host from x_forwarded_for header
+
+        In general this is the first "untrusted" host in the forwarded for list.
+        """
+        x_forwarded_for_hosts = _parse_raw_hosts(x_forwarded_for)
+
+        if self.always_trust:
+            return x_forwarded_for_hosts[0]
+
+        # Note: each proxy appends to the header list so check it in reverse order
+        for host in reversed(x_forwarded_for_hosts):
+            if host not in self:
+                return host
+
+        # All hosts are trusted meaning that the client was also a trusted proxy
+        # See https://github.com/encode/uvicorn/issues/1068#issuecomment-855371576
+        return x_forwarded_for_hosts[0]

uvicorn/protocols/http/h11_impl.py

@@ -147,14 +147,24 @@ class H11Protocol(asyncio.Protocol):
 
     def _should_upgrade_to_ws(self) -> bool:
         if self.ws_protocol_class is None:
-            if self.config.ws == "auto":
-                msg = "Unsupported upgrade request."
-                self.logger.warning(msg)
-                msg = "No supported WebSocket library detected. Please use \"pip install 'uvicorn[standard]'\", or install 'websockets' or 'wsproto' manually."  # noqa: E501
-                self.logger.warning(msg)
             return False
         return True
 
+    def _unsupported_upgrade_warning(self) -> None:
+        msg = "Unsupported upgrade request."
+        self.logger.warning(msg)
+        if not self._should_upgrade_to_ws():
+            msg = "No supported WebSocket library detected. Please use \"pip install 'uvicorn[standard]'\", or install 'websockets' or 'wsproto' manually."  # noqa: E501
+            self.logger.warning(msg)
+
+    def _should_upgrade(self) -> bool:
+        upgrade = self._get_upgrade()
+        if upgrade == b"websocket" and self._should_upgrade_to_ws():
+            return True
+        if upgrade is not None:
+            self._unsupported_upgrade_warning()
+        return False
+
     def data_received(self, data: bytes) -> None:
         self._unset_keepalive_if_required()
 
@@ -206,9 +216,7 @@ class H11Protocol(asyncio.Protocol):
                     "headers": self.headers,
                     "state": self.app_state.copy(),
                 }
-
-                upgrade = self._get_upgrade()
-                if upgrade == b"websocket" and self._should_upgrade_to_ws():
+                if self._should_upgrade():
                     self.handle_websocket_upgrade(event)
                     return
 

uvicorn/protocols/http/httptools_impl.py

@@ -141,19 +141,20 @@ class HttpToolsProtocol(asyncio.Protocol):
             return upgrade
         return None  # pragma: full coverage
 
-    def _should_upgrade_to_ws(self, upgrade: bytes | None) -> bool:
-        if upgrade == b"websocket" and self.ws_protocol_class is not None:
-            return True
-        if self.config.ws == "auto":
-            msg = "Unsupported upgrade request."
-            self.logger.warning(msg)
+    def _should_upgrade_to_ws(self) -> bool:
+        if self.ws_protocol_class is None:
+            return False
+        return True
+
+    def _unsupported_upgrade_warning(self) -> None:
+        self.logger.warning("Unsupported upgrade request.")
+        if not self._should_upgrade_to_ws():
             msg = "No supported WebSocket library detected. Please use \"pip install 'uvicorn[standard]'\", or install 'websockets' or 'wsproto' manually."  # noqa: E501
             self.logger.warning(msg)
-        return False
 
     def _should_upgrade(self) -> bool:
         upgrade = self._get_upgrade()
-        return self._should_upgrade_to_ws(upgrade)
+        return upgrade == b"websocket" and self._should_upgrade_to_ws()
 
     def data_received(self, data: bytes) -> None:
         self._unset_keepalive_if_required()
@@ -166,9 +167,10 @@ class HttpToolsProtocol(asyncio.Protocol):
             self.send_400_response(msg)
             return
         except httptools.HttpParserUpgrade:
-            upgrade = self._get_upgrade()
-            if self._should_upgrade_to_ws(upgrade):
+            if self._should_upgrade():
                 self.handle_websocket_upgrade()
+            else:
+                self._unsupported_upgrade_warning()
 
     def handle_websocket_upgrade(self) -> None:
         if self.logger.level <= TRACE_LOG_LEVEL:

{uvicorn-0.30.5.dist-info → uvicorn-0.31.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: uvicorn
-Version: 0.30.5
+Version: 0.31.0
 Summary: The lightning-fast ASGI server.
 Project-URL: Changelog, https://github.com/encode/uvicorn/blob/master/CHANGELOG.md
 Project-URL: Funding, https://github.com/sponsors/encode

{uvicorn-0.30.5.dist-info → uvicorn-0.31.0.dist-info}/RECORD

@@ -1,11 +1,11 @@
-uvicorn/__init__.py,sha256=aSoUZbVO0X1F9pIylSyTOjDCsq4sO-CYKjka_R5eP0Y,147
+uvicorn/__init__.py,sha256=C-q5FbOk-czeRzwHSldRMGQJKWQE5uLkJc9U3BvMCb8,147
 uvicorn/__main__.py,sha256=DQizy6nKP0ywhPpnCHgmRDYIMfcqZKVEzNIWQZjqtVQ,62
 uvicorn/_subprocess.py,sha256=HbfRnsCkXyg7xCWVAWWzXQTeWlvLKfTlIF5wevFBkR4,2766
 uvicorn/_types.py,sha256=TcUzCyKNq90ZX2Hxa6ce0juF558zLO_AyBB1XijnD2Y,7814
 uvicorn/config.py,sha256=4PZiIBMV8Bu8pNq63-P3pv5ynyEGz-K0aVoC98Y5hrQ,20830
 uvicorn/importer.py,sha256=nRt0QQ3qpi264-n_mR0l55C2ddM8nowTNzT1jsWaam8,1128
 uvicorn/logging.py,sha256=sg4D9lHaW_kKQj_kmP-bolbChjKfhBuihktlWp8RjSI,4236
-uvicorn/main.py,sha256=jmZOCNq5frbWmlflJpGJ1wpqPxlXTDxcN8bGm2TQfSo,16783
+uvicorn/main.py,sha256=zWgYECz0qZh0kj0Y-IoF0AthvohKz9hmzqMyDEOwa80,16896
 uvicorn/py.typed,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
 uvicorn/server.py,sha256=pIpMlW1WMWxarhM3wuZrffX0OcTEKoZXA82oY_M25d8,12879
 uvicorn/workers.py,sha256=DukTKlrCyyvWVHbJWBJflIV2yUe-q6KaGdrEwLrNmyc,3893
@@ -19,15 +19,15 @@ uvicorn/loops/uvloop.py,sha256=K4QybYVxtK9C2emDhDPUCkBXR4XMT5Ofv9BPFPoX0ok,148
 uvicorn/middleware/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 uvicorn/middleware/asgi2.py,sha256=YQrQNm3RehFts3mzk3k4yw8aD8Egtj0tRS3N45YkQa0,394
 uvicorn/middleware/message_logger.py,sha256=IHEZUSnFNaMFUFdwtZO3AuFATnYcSor-gVtOjbCzt8M,2859
-uvicorn/middleware/proxy_headers.py,sha256=McSfCWvhMEFOTkUbQWgnt9QCBIAY9RfFSaEZboBbAYg,3065
+uvicorn/middleware/proxy_headers.py,sha256=fUMuYPOA23IJ3zQQBv5GOV1g8yu6hA5RpXhOXgnFu7Y,5781
 uvicorn/middleware/wsgi.py,sha256=TBeG4W_gEmWddbGfWyxdzJ0IDaWWkJZyF8eIp-1fv0U,7111
 uvicorn/protocols/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 uvicorn/protocols/utils.py,sha256=rCjYLd4_uwPeZkbRXQ6beCfxyI_oYpvJCwz3jEGNOiE,1849
 uvicorn/protocols/http/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 uvicorn/protocols/http/auto.py,sha256=YfXGyzWTaaE2p_jkTPWrJCXsxEaQnC3NK0-G7Wgmnls,403
 uvicorn/protocols/http/flow_control.py,sha256=050WVg31EvPOkHwynCoMP1zXFl_vO3U4durlc5vyp4U,1701
-uvicorn/protocols/http/h11_impl.py,sha256=37iA--AYCidYBFlcwE8vFEuLXBR_eiFT_inSp548dN8,20541
-uvicorn/protocols/http/httptools_impl.py,sha256=IFxanBZZDlTePYKJ4qV3-L8iVSfxT8wh93FePcroAVY,21475
+uvicorn/protocols/http/h11_impl.py,sha256=MuX72-pIyZGHDtZ75-1mveeTj6_ruL-306Ug7z0yV8w,20765
+uvicorn/protocols/http/httptools_impl.py,sha256=TikbbIZRFG08KTClZER47ehM1Tu8koBfT6WGU5t5ACg,21491
 uvicorn/protocols/websockets/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 uvicorn/protocols/websockets/auto.py,sha256=kNP-h07ZzjA9dKRUd7MNO0J7xhRJ5xVBfit7wCbdB0A,574
 uvicorn/protocols/websockets/websockets_impl.py,sha256=59SLT1Q2sXnpbfxdk5e2SDTJPjrxOvqsYQOHxxCjCP4,15504
@@ -38,8 +38,8 @@ uvicorn/supervisors/multiprocess.py,sha256=Opt0XvOUj1DIMXYwb4OlkJZxeh_RjweFnTmDP
 uvicorn/supervisors/statreload.py,sha256=gc-HUB44f811PvxD_ZIEQYenM7mWmhQQjYg7KKQ1c5o,1542
 uvicorn/supervisors/watchfilesreload.py,sha256=41FGNMXPKrKvPr-5O8yRWg43l6OCBtapt39M-gpdk0E,3010
 uvicorn/supervisors/watchgodreload.py,sha256=kd-gOvp14ArTNIc206Nt5CEjZZ4NP2UmMVYE7571yRQ,5486
-uvicorn-0.30.5.dist-info/METADATA,sha256=k_D1EOmTRZCMibKvZHu_XNcxIpSE65BQsBd0JjUf1DU,6569
-uvicorn-0.30.5.dist-info/WHEEL,sha256=1yFddiXMmvYK7QYTqtRNtX66WJ0Mz8PYEiEUoOUUxRY,87
-uvicorn-0.30.5.dist-info/entry_points.txt,sha256=FW1w-hkc9QgwaGoovMvm0ZY73w_NcycWdGAUfDsNGxw,46
-uvicorn-0.30.5.dist-info/licenses/LICENSE.md,sha256=7-Gs8-YvuZwoiw7HPlp3O3Jo70Mg_nV-qZQhTktjw3E,1526
-uvicorn-0.30.5.dist-info/RECORD,,
+uvicorn-0.31.0.dist-info/METADATA,sha256=VKk1dOX3pwKhtJjjDXFzq6teX5AMs_jvlSofsXUJUrQ,6569
+uvicorn-0.31.0.dist-info/WHEEL,sha256=1yFddiXMmvYK7QYTqtRNtX66WJ0Mz8PYEiEUoOUUxRY,87
+uvicorn-0.31.0.dist-info/entry_points.txt,sha256=FW1w-hkc9QgwaGoovMvm0ZY73w_NcycWdGAUfDsNGxw,46
+uvicorn-0.31.0.dist-info/licenses/LICENSE.md,sha256=7-Gs8-YvuZwoiw7HPlp3O3Jo70Mg_nV-qZQhTktjw3E,1526
+uvicorn-0.31.0.dist-info/RECORD,,