HISTORY.md
Bugfixes
Announcements
Security
requests.utils.extract_zipped_paths now extracts
contents to a non-deterministic location to prevent malicious file
replacement. This does not affect default usage of Requests, only
applications calling the utility function directly.Improvements
Bugfixes
Deprecations
Documentation
Bugfixes
Deprecations
Security
Improvements
Deprecations
Bugfixes
ssl module. (#6724)Deprecations
To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed _get_connection to
a new public API, get_connection_with_tls_context. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
get_connection is considered deprecated in all versions of Requests>=2.32.0.
A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)
Bugfixes
Security
verify=False on the first request from a
Session will cause subsequent requests to the same origin to also ignore
cert verification, regardless of the value of verify.
(https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)Improvements
verify=True now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x. (#6667)chardet or charset_normalizer) when repackaged or vendored.
This enables pip and other projects to minimize their vendoring
surface area. The Response.text() and apparent_encoding APIs
will default to utf-8 if neither library is present. (#6702)Bugfixes
/ (path separator) could lead
urllib3 to unnecessarily reparse the request URI. (#6644)Deprecations
Documentation
Packaging
requests) is now located
in src/requests in the Requests sdist. (#6506)hatchling. This should not impact the average user, but extremely old
versions of packaging utilities may have issues with the new packaging format.Security
Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
forwarding of Proxy-Authorization headers to destination servers when
following HTTPS redirects.
When proxies are defined with user info (https://user:pass@proxy:8080), Requests
will construct a Proxy-Authorization header that is attached to the request to
authenticate with the proxy.
In cases where Requests receives a redirect response, it previously reattached
the Proxy-Authorization header incorrectly, resulting in the value being
sent through the tunneled connection to the destination server. Users who rely on
defining their proxy credentials in the URL are strongly encouraged to upgrade
to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
credentials once the change has been fully deployed.
Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.
Full details can be read in our Github Security Advisory and CVE-2023-32681.
Dependencies
⚠️ Added support for urllib3 2.0. ⚠️
This may contain minor breaking changes so we advise careful testing and reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html prior to upgrading.
Users who wish to stay on urllib3 1.x can pin to urllib3<2.
Improvements
Dependencies
Bugfixes
Improvements
iter_content with transition to yield from. (#6170)Dependencies
Deprecations
Improvements
json() API consistent. (#6097)Bugfixes
CURL_CA_BUNDLE to an empty string would disable
cert verification. All Requests 2.x versions before 2.28.0 are affected. (#6074)urllib3.exceptions.SSLError with
requests.exceptions.SSLError for content and iter_content. (#6057)Bugfixes
auth component being
dropped from proxy URLs. (#6028)Improvements
Officially added support for Python 3.10. (#5928)
Added a requests.exceptions.JSONDecodeError to unify JSON exceptions between
Python 2 and 3. This gets raised in the response.json() method, and is
backwards compatible as it inherits from previously thrown exceptions.
Can be caught from requests.exceptions.RequestException as well. (#5856)
Improved error text for misnamed InvalidSchema and MissingSchema
exceptions. This is a temporary fix until exceptions can be renamed
(Schema->Scheme). (#6017)
Improved proxy parsing for proxy URLs missing a scheme. This will address
recent changes to urlparse in Python 3.9+. (#5917)
Bugfixes
Fixed defect in extract_zipped_paths which could result in an infinite loop
for some paths. (#5851)
Fixed handling for AttributeError when calculating length of files obtained
by Tarfile.extractfile(). (#5239)
Fixed urllib3 exception leak, wrapping urllib3.exceptions.InvalidHeader with
requests.exceptions.InvalidHeader. (#5914)
Fixed bug where two Host headers were sent for chunked requests. (#5391)
Fixed regression in Requests 2.26.0 where Proxy-Authorization was
incorrectly stripped from all requests sent with Session.send. (#5924)
Fixed performance regression in 2.26.0 for hosts with a large number of proxies available in the environment. (#5924)
Fixed idna exception leak, wrapping UnicodeError with
requests.exceptions.InvalidURL for URLs with a leading dot (.) in the
domain. (#5414)
Deprecations
Improvements
Requests now supports Brotli compression, if either the brotli or
brotlicffi package is installed. (#5783)
Session.send now correctly resolves proxy configurations from both
the Session and Request. Behavior now matches Session.request. (#5681)
Bugfixes
Dependencies
Instead of chardet, use the MIT-licensed charset_normalizer for Python3
to remove license ambiguity for projects bundling requests. If chardet
is already installed on your machine it will be used instead of charset_normalizer
to keep backwards compatibility. (#5797)
You can also install chardet while installing requests by
specifying [use_chardet_on_py3] extra as follows:
pip install "requests[use_chardet_on_py3]"
Python2 still depends upon the chardet module.
Requests now supports idna 3.x on Python 3. idna 2.x will continue to
be used on Python 2 installations. (#5711)
Deprecations
The requests[security] extra has been converted to a no-op install.
PyOpenSSL is no longer the recommended secure option for Requests. (#5867)
Requests has officially dropped support for Python 3.5. (#5867)
Bugfixes
application/json as utf8 by default. Resolving
inconsistencies between r.text and r.json output. (#5673)Dependencies
Improvements
Dependencies
Deprecations
requests[security] extra is officially deprecated and will be removed
in Requests v2.26.0.Improvements
pyOpenSSL TLS implementation is now only used if Python
either doesn't have an ssl module or doesn't support
SNI. Previously pyOpenSSL was unconditionally used if available.
This applies even if pyOpenSSL is installed via the
requests[security] extra (#5443)
Redirect resolution should now only occur when
allow_redirects is True. (#5492)
No longer perform unnecessary Content-Length calculation for requests that won't use it. (#5496)
Improvements
prefetch in Session __attrs__ (#5110)Bugfixes
Dependencies
chardet and idna now uses major version instead of minor.
This hopefully reduces the need for releases every time a dependency is updated.Dependencies
Deprecations
Dependencies
Bugfixes
Bugfixes
should_bypass_proxies now handles URIs without hostnames (e.g.
files).Dependencies
Deprecations
Bugfixes
init function failed trying
to append to a __doc__ value of None.Improvements
Request.content.Bugfixes
Link headers with parse_header_links() no longer
return one bogus entry.IOError.ImportError on windows system which do
not support winreg module.None as a file pointer to the files param no longer
raises an exception.copy on a RequestsCookieJar will now preserve the cookie
policy correctly.Dependencies
Improvements
Dependencies
Improvements
$ python -m requests.help now includes the installed
version of idna.Bugfixes
ConnectionError instead of
SSLError when encountering SSL problems when using urllib3 v1.22.Bugfixes
requests.help no longer fails on Python 2.6 due to the absence of
ssl.OPENSSL_VERSION_NUMBER.Dependencies
Bugfixes
*.whl contained
incorrect data that regressed the fix in v2.17.3.Improvements
Response is now a context manager, so can be used directly in a
with statement without first having to be wrapped by
contextlib.closing().Bugfixes
Improvements
packages namespace identity support, for monkeypatching
libraries.Improvements
packages namespace identity support, for monkeypatching
libraries.Improvements
packages namespace identity support, for monkeypatching
libraries.Improvements
$ python -m requests.help.$ python -m requests.help command, for
debugging with maintainers!requests.packages namespace for compatibility
reasons.requests.packages namespace for compatibility
reasons.No code modification (noted below) should be necessary any longer.
requests.packages namespace for compatibility
reasons.urllib3 version parsing.Note: code that was written to import against the
requests.packages namespace previously will have to import code that
rests at this module-level now.
For example:
from requests.packages.urllib3.poolmanager import PoolManager
Will need to be re-written to be:
from requests.packages import urllib3
urllib3.poolmanager.PoolManager
Or, even better:
from urllib3.poolmanager import PoolManager
Improvements
Response.next property, for getting the next
PreparedResponse from a redirect chain (when
allow_redirects=False).__version__ module.Bugfixes
requests.utils.get_environ_proxies().Bugfixes
Bugfixes
Improvements
no_proxy as a key to the proxies
dictionary to provide handling similar to the NO_PROXY environment
variable.IOError, rather than failing at
the time of the HTTPS request with a fairly inscrutable certificate
validation error.SessionRedirectMixin was slightly altered.
resolve_redirects will now detect a redirect by calling
get_redirect_target(response) instead of directly querying
Response.is_redirect and Response.headers['location']. Advanced
users will be able to process malformed redirects more easily.win_inet_pton as conditional dependency for the [socks]
extra on Windows with Python 2.7.http but are not http or
https no longer have their host parts forced to lowercase.Bugfixes
Location header values in
redirects. Fewer UnicodeDecodeErrors are encountered on Python 2,
and Python 3 now correctly understands that Latin-1 is unlikely to
be the correct encoding.seek file to find out its length fails, we now
appropriately handle that by aborting our content-length
calculations.HTTPDigestAuth to only respond to auth challenges made
on 4XX responses, rather than to all auth challenges.DeprecationWarning on Python 3.6./o\\) no longer has a big head. I'm
sure this is what you were all worrying about most.Miscellaneous
Features
idna library when we've determined we need it. This
will save some memory for users.Miscellaneous
Bugfixes
Bugfixes
Bugfixes
Bugfixes
InvalidSchema errors.Response.content to
raise an AttributeError.Bugfixes
Miscellaneous
Improvements
StringIO into memory.Content-Length headers for
PreparedRequest objects.tell method
but do have a seek method.Mapping is now treated like a
dictionary by the data= keyword argument.Bugfixes
response.close, the call to close will be
propagated through to non-urllib3 backends.ALL_PROXY environment variable would be
preferred over scheme-specific variables like HTTP_PROXY.Miscellaneous
Bugfixes
iter_content with decode_unicode=True for
streamed bodies would raise AttributeError. This bug was
introduced in 2.11.Improvements
ALL_PROXY environment variable.Bugfixes
TypeError when attempting to decode a JSON
response that occurred in an error case. Now correctly returns a
ValueError.NO_PROXY environment variables: Requests now treats it as a
specific IP.iter_content only accepts
integers and None for chunk sizes.HTTPAdapter had been configured to use a blocking
connection pool.Miscellaneous
New Features
$ pip install requests[socks])Miscellaneous
Improvements
Bugfixes
tell(), send them
via chunked transfer encoding instead of failing.Bugfixes
Miscellaneous
Minor Improvements (Backwards compatible)
verify keyword argument now supports being passed a path to a
directory of CA certificates, not just a single-file bundle.Bugfixes
Transfer-Encoding: chunked rather
than Content-Length: 0.qop
directive that contains no token, by treating it the same as if no
qop directive was provided at all.Miscellaneous
Bugfixes
certifi 2015.9.6.2's weak
certificate bundle.ConnectTimeout
instead of ConnectionErrorjson parameter. Broken in 2.8.0.Minor Improvements (Backwards Compatible)
proxies
dictionary to have entries of the form
{'<scheme>://<hostname>': '<proxy>'}. Host-specific proxies will
be used in preference to the previously-supported scheme-specific
ones, but the previous syntax will continue to work.Response.raise_for_status now prints the URL that failed as part
of the exception message.requests.utils.get_netrc_auth now takes an raise_errors kwarg,
defaulting to False. When True, errors parsing .netrc files
cause exceptions to be thrown.Bugfixes
json parameter to post() and friends will now only be used
if neither data nor files are present, consistent with the
documentation.NO_PROXY environment variable.httplib.BadStatusLine would get raised if
combining stream=True with contextlib.closing.Updates
This is the first release that follows our new release process. For more, see our documentation.
Bugfixes
Bugfixes
Bugfixes
Bugfixes
install_requires dependency and
python setup.py test is run. (#2462)urllib3's header handling.Features and Improvements
files
argument. (#2468)str, bytes,
or bytearray input to the files argument.Bugfixes
Features and Improvements
Bugfixes
Set-Cookie headers properly.
(shazow/urllib3#534)Security
cacert.pem.Behavioural Changes
Bugfixes
Improvements
iter_lines method on a response now accepts a delimiter with
which to split the content (#2295)Behavioural Changes
Bugfixes
Documentation
Bugfixes
Improvements
Bugfixes
Documentation
$ pip install requests[security]Behavioral Changes
Connection: keep-alive header is now sent automatically.Improvements
API Changes
Response property is_redirect, which is true when the
library could have processed this response as a redirection (whether
or not it actually did).timeout parameter now affects requests with both stream=True
and stream=False equally.http://.CaseInsensitiveDict used for HTTP headers now behaves like a
normal dictionary when references as string or viewed in the
interpreter.Bugfixes
None on the Session are now correctly not sent.decode_unicode even if it wasn't used earlier in
the same response.compress as a supported Content-Encoding.Response.history parameter is now always a list.urllib3 bugfixes.Bugfixes
API Changes
ContentDecodingError. Raised instead of urllib3
DecodeError exceptions.Bugfixes
proxy_bypass on OS X in Python 2.6.CookieJar objects.Session (e.g. via
Session.get()) are no longer persisted to the Session.Host:
header.Response objects pickleable.API Changes:
MissingSchema
exception will be raised if they don't.Stream=False.RequestException is now a subclass of IOError, not
RuntimeError.PreparedRequest objects:
PreparedRequest.copy().Session objects: Session.update_request().
This method updates a Request object with the data (e.g. cookies)
stored on the Session.Session objects: Session.prepare_request().
This method updates and prepares a Request object, and returns the
corresponding PreparedRequest object.HTTPAdapter objects:
HTTPAdapter.proxy_headers(). This should not be called directly,
but improves the subclass interface.httplib.IncompleteRead exceptions caused by incorrect chunked
encoding will now raise a Requests ChunkedEncodingError instead.InvalidURL
exception to be raised."im_used". Correctly uses
"already_reported"."im_used").Bugfixes:
.netrc no longer overrides explicit auth.BytesIO can be used to perform streaming uploads.no_proxy environment variable.signature_type sent no
datajson.loads() via the
Response.json() methodContent-Length header by default on GET or HEAD
requestselapsed attribute to Response objects to time how long a
request took.RequestsCookieJarThe change in how hooks are dispatched will likely cause a great deal of issues.
This is not a backwards compatible change.
Response.json property.pre_request to a more usable place.pre_send hook.certify isn't available.certifi isn't
available.strict_mode configuration to disable new redirect behavior.Response.content is now bytes-only. (Backwards Incompatible)Response.text is unicode-only.Response.encoding is specified and chardet is available,
Response.text will guess an encoding.Response.register_hook for registering hooks within the
pipeline.Response.url is now Unicode.[, ], and _ allowed.decode_unicode setting.r.read/close methods.r.faw interface for advanced response usage.*requests.async module, for making async requests w/
gevent.\o/settings.max_redirects)read())python-requests.org default User-Agent headerr.requests.get('hwe://blah'); r.raise_for_status()New Authentication Manager System
: - Simpler Basic HTTP System
- Supports all built-in urllib2 Auths
- Allows for custom Auth Handlers
New HTTPHandling Methods
: - Response.\_\_nonzero\_\_ (false if bad HTTP Status)
- Response.ok (True if expected HTTP Status)
- Response.error (Logged HTTPError if bad HTTP Status)
- Response.raise\_for\_status() (Raises stored HTTPError)