Release 0.8.1

CHANGES.md

@@ -1,8 +1,25 @@
 # Microdot change log
 
+**Release 0.8.1** - 2022-03-18
+
+- Optimizations for request streams and bodies ([commit](https://github.com/miguelgrinberg/microdot/commit/29a9f6f46c737aa0fd452766c23bd83008594ac4))
+
+**Release 0.8.0** - 2022-02-18
+
+- Support streamed request payloads [#26](https://github.com/miguelgrinberg/microdot/issues/26) ([commit](https://github.com/miguelgrinberg/microdot/commit/992fa722c1312c0ac0ee9fbd5e23ad7b52d3caca))
+- Use case insensitive comparisons for HTTP headers [#33](https://github.com/miguelgrinberg/microdot/issues/33) ([commit](https://github.com/miguelgrinberg/microdot/commit/e16fb94b2d1e88ef681d70f7f456c37ee9859df6)) (thanks **Steve Li**!)
+- More robust logic to read request body [#31](https://github.com/miguelgrinberg/microdot/issues/31) ([commit](https://github.com/miguelgrinberg/microdot/commit/bd82c4deabf40d37e6b7397b08e8eb40ba2b6a42))
+- Simplified `hello_async.py` example ([commit](https://github.com/miguelgrinberg/microdot/commit/c130d8f2d45dcce9606dda25d31d653ce91faf92))
+
+**Release 0.7.2** - 2021-09-28
+
+- Document a security risk in the send_file function ([commit](https://github.com/miguelgrinberg/microdot/commit/d29ed6aaa1f2080fcf471bf6ae0f480f95ff1716)) (thanks **Ky Tran**!)
+- Validate redirect URLs ([commit](https://github.com/miguelgrinberg/microdot/commit/8e5fb92ff1ccd50972b0c1cb5a6c3bd5eb54d86b)) (thanks **Ky Tran**!)
+- Return a 400 error when request object could not be created ([commit](https://github.com/miguelgrinberg/microdot/commit/06015934b834622d39f52b3e13d16bfee9dc8e5a))
+
 **Release 0.7.1** - 2021-09-27
 
-- Breaking change: Limit the size of each request line to 2KB. A different maximum can be set in `Request.max_readline`. ([commit](https://github.com/miguelgrinberg/microdot/commit/de9c991a9ab836d57d5c08bf4282f99f073b502a))  (thanks **Ky Tran**!)
+- Breaking change: Limit the size of each request line to 2KB. A different maximum can be set in `Request.max_readline`. ([commit](https://github.com/miguelgrinberg/microdot/commit/de9c991a9ab836d57d5c08bf4282f99f073b502a)) (thanks **Ky Tran**!)
 
 **Release 0.7.0** - 2021-09-27
 

bin/mkrelease

@@ -1,33 +0,0 @@
-#!/bin/bash
-VERSION=$1
-if [[ "$VERSION" == "" ]]; then
-    echo Usage: $0 "<version>"
-    exit 1
-fi
-
-git diff --cached --exit-code >/dev/null
-if [[ "$?" != "0" ]]; then
-    echo Commit your changes before using this script.
-    exit 1
-fi
-
-set -e
-for PKG in microdot*; do
-    echo Building $PKG...
-    cd $PKG
-    sed -i "" "s/version.*$/version=\"$VERSION\",/" setup.py
-    git add setup.py
-    rm -rf dist
-    python setup.py sdist bdist_wheel --universal
-    cd ..
-done
-git commit -m "Release v$VERSION"
-git tag v$VERSION
-git push --tags origin master
-
-for PKG in microdot*; do
-    echo Releasing $PKG...
-    cd $PKG
-    twine upload dist/*
-    cd ..
-done

examples/hello_async.py

@@ -33,8 +33,4 @@ async def shutdown(request):
     return 'The server is shutting down...'
 
 
-async def main():
-    await app.start_server(debug=True)
-
-
-asyncio.run(main())
+app.run(debug=True)

setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = microdot
-version = 0.7.1
+version = 0.8.1
 author = Miguel Grinberg
 author_email = miguel.grinberg@gmail.com
 description = The impossibly small web framework for MicroPython

src/microdot.py

@@ -181,7 +181,8 @@ class Request():
     :var cookies: A dictionary with the cookies included in the request.
     :var content_length: The parsed ``Content-Length`` header.
     :var content_type: The parsed ``Content-Type`` header.
-    :var body: A stream from where the body can be read.
+    :var stream: The input stream, containing the request body.
+    :var body: The body of the request, as bytes.
     :var json: The parsed JSON body, as a dictionary or list, or ``None`` if
                the request does not have a JSON body.
     :var form: The parsed form submission body, as a :class:`MultiDict` object,
@@ -198,6 +199,17 @@ class Request():
     #:    Request.max_content_length = 1 * 1024 * 1024  # 1MB requests allowed
     max_content_length = 16 * 1024
 
+    #: Specify the maximum payload size that can be stored in ``body``.
+    #: Requests with payloads that are larger than this size and up to
+    #: ``max_content_length`` bytes will be accepted, but the application will
+    #: only be able to access the body of the request by reading from
+    #: ``stream``. Set to 0 if you always access the body as a stream.
+    #:
+    #: Example::
+    #:
+    #:    Request.max_body_length = 4 * 1024  # up to 4KB bodies read
+    max_body_length = 16 * 1024
+
     #: Specify the maximum length allowed for a line in the request. Requests
     #: with longer lines will not be correctly interpreted. Applications can
     #: change this maximum as necessary.
@@ -211,7 +223,7 @@ class Request():
         pass
 
     def __init__(self, app, client_addr, method, url, http_version, headers,
-                 body):
+                 body=None, stream=None):
         self.app = app
         self.client_addr = client_addr
         self.method = method
@@ -228,15 +240,19 @@ class Request():
         self.content_length = 0
         self.content_type = None
         for header, value in self.headers.items():
-            if header == 'Content-Length':
+            header = header.lower()
+            if header == 'content-length':
                 self.content_length = int(value)
-            elif header == 'Content-Type':
+            elif header == 'content-type':
                 self.content_type = value
-            elif header == 'Cookie':
+            elif header == 'cookie':
                 for cookie in value.split(';'):
                     name, value = cookie.strip().split('=', 1)
                     self.cookies[name] = value
-        self.body = body
+        self._body = body
+        self.body_used = False
+        self._stream = stream
+        self.stream_used = False
         self._json = None
         self._form = None
         self.g = Request.G()
@@ -261,7 +277,6 @@ class Request():
 
         # headers
         headers = {}
-        content_length = 0
         while True:
             line = Request._safe_readline(client_stream).strip().decode()
             if line == '':
@@ -269,15 +284,9 @@ class Request():
             header, value = line.split(':', 1)
             value = value.strip()
             headers[header] = value
-            if header == 'Content-Length':
-                content_length = int(value)
-
-        # body
-        body = client_stream.read(content_length) if content_length and \
-            content_length <= Request.max_content_length else b''
 
         return Request(app, client_addr, method, url, http_version, headers,
-                       body)
+                       stream=client_stream)
 
     def _parse_urlencoded(self, urlencoded):
         data = MultiDict()
@@ -285,6 +294,30 @@ class Request():
             data[urldecode(k)] = urldecode(v)
         return data
 
+    @property
+    def body(self):
+        if self.stream_used:
+            raise RuntimeError('Cannot use both stream and body')
+        if self._body is None:
+            self._body = b''
+            if self.content_length and \
+                    self.content_length <= Request.max_body_length:
+                while len(self._body) < self.content_length:
+                    data = self._stream.read(
+                        self.content_length - len(self._body))
+                    if len(data) == 0:  # pragma: no cover
+                        raise EOFError()
+                    self._body += data
+                self.body_used = True
+        return self._body
+
+    @property
+    def stream(self):
+        if self.body_used:
+            raise RuntimeError('Cannot use both stream and body')
+        self.stream_used = True
+        return self._stream
+
     @property
     def json(self):
         if self._json is None:
@@ -310,7 +343,6 @@ class Request():
     @staticmethod
     def _safe_readline(stream):
         line = stream.readline(Request.max_readline + 1)
-        print(line, Request.max_readline)
         if len(line) > Request.max_readline:
             raise ValueError('line too long')
         return line
@@ -431,6 +463,8 @@ class Response():
         :param status_code: The 3xx status code to use for the redirect. The
                             default is 302.
         """
+        if '\x0d' in location or '\x0a' in location:
+            raise ValueError('invalid redirect URL')
         return cls(status_code=status_code, headers={'Location': location})
 
     @classmethod
@@ -443,6 +477,10 @@ class Response():
         :param content_type: The ``Content-Type`` header to use in the
                              response. If omitted, it is generated
                              automatically from the file extension.
+
+        Security note: The filename is assumed to be trusted. Never pass
+        filenames provided by the user before validating and sanitizing them
+        first.
         """
         if content_type is None:
             ext = filename.split('.')[-1]
@@ -795,7 +833,11 @@ class Microdot():
         else:
             stream = sock
 
-        req = Request.create(self, stream, addr)
+        req = None
+        try:
+            req = Request.create(self, stream, addr)
+        except Exception as exc:  # pragma: no cover
+            print_exception(exc)
         if req:
             if req.content_length > req.max_content_length:
                 if 413 in self.error_handlers:
@@ -836,11 +878,13 @@ class Microdot():
                             res = self.error_handlers[500](req)
                         else:
                             res = 'Internal server error', 500
-            if isinstance(res, tuple):
-                res = Response(*res)
-            elif not isinstance(res, Response):
-                res = Response(res)
-            res.write(stream)
+        else:
+            res = 'Bad request', 400
+        if isinstance(res, tuple):
+            res = Response(*res)
+        elif not isinstance(res, Response):
+            res = Response(res)
+        res.write(stream)
         stream.close()
         if stream != sock:  # pragma: no cover
             sock.close()

src/microdot_asyncio.py

@@ -10,6 +10,12 @@ try:
     import uasyncio as asyncio
 except ImportError:
     import asyncio
+
+try:
+    import uio as io
+except ImportError:
+    import io
+
 from microdot import Microdot as BaseMicrodot
 from microdot import print_exception
 from microdot import Request as BaseRequest
@@ -20,6 +26,23 @@ def _iscoroutine(coro):
     return hasattr(coro, 'send') and hasattr(coro, 'throw')
 
 
+class _AsyncBytesIO:
+    def __init__(self, data):
+        self.stream = io.BytesIO(data)
+
+    async def read(self, n=-1):
+        return self.stream.read(n)
+
+    async def readline(self):  # pragma: no cover
+        return self.stream.readline()
+
+    async def readexactly(self, n):  # pragma: no cover
+        return self.stream.read(n)
+
+    async def readuntil(self, separator=b'\n'):  # pragma: no cover
+        return self.stream.readuntil(separator=separator)
+
+
 class Request(BaseRequest):
     @staticmethod
     async def create(app, client_stream, client_addr):
@@ -51,15 +74,27 @@ class Request(BaseRequest):
             header, value = line.split(':', 1)
             value = value.strip()
             headers[header] = value
-            if header == 'Content-Length':
+            if header.lower() == 'content-length':
                 content_length = int(value)
 
         # body
-        body = await client_stream.read(content_length) if content_length and \
-            content_length <= Request.max_content_length else b''
+        body = b''
+        print(Request.max_body_length)
+        if content_length and content_length <= Request.max_body_length:
+            body = await client_stream.readexactly(content_length)
+            stream = None
+        else:
+            body = b''
+            stream = client_stream
 
         return Request(app, client_addr, method, url, http_version, headers,
-                       body)
+                       body=body, stream=stream)
+
+    @property
+    def stream(self):
+        if self._stream is None:
+            self._stream = _AsyncBytesIO(self._body)
+        return self._stream
 
     @staticmethod
     async def _safe_readline(stream):
@@ -218,8 +253,12 @@ class Microdot(BaseMicrodot):
         self.server.close()
 
     async def dispatch_request(self, reader, writer):
-        req = await Request.create(self, reader,
-                                   writer.get_extra_info('peername'))
+        req = None
+        try:
+            req = await Request.create(self, reader,
+                                       writer.get_extra_info('peername'))
+        except Exception as exc:  # pragma: no cover
+            print_exception(exc)
         if req:
             if req.content_length > req.max_content_length:
                 if 413 in self.error_handlers:
@@ -266,11 +305,13 @@ class Microdot(BaseMicrodot):
                                 self.error_handlers[500], req)
                         else:
                             res = 'Internal server error', 500
-            if isinstance(res, tuple):
-                res = Response(*res)
-            elif not isinstance(res, Response):
-                res = Response(res)
-            await res.write(writer)
+        else:
+            res = 'Bad request', 400
+        if isinstance(res, tuple):
+            res = Response(*res)
+        elif not isinstance(res, Response):
+            res = Response(res)
+        await res.write(writer)
         await writer.aclose()
         if self.debug and req:  # pragma: no cover
             print('{method} {path} {status_code}'.format(

tests/microdot/test_microdot.py

@@ -73,7 +73,10 @@ class TestMicrodot(unittest.TestCase):
         mock_socket._requests.append(fd)
         self._add_shutdown(app)
         app.run()
-        assert fd.response == b''
+        self.assertTrue(fd.response.startswith(b'HTTP/1.0 400 N/A\r\n'))
+        self.assertIn(b'Content-Length: 11\r\n', fd.response)
+        self.assertIn(b'Content-Type: text/plain\r\n', fd.response)
+        self.assertTrue(fd.response.endswith(b'\r\n\r\nBad request'))
 
     def test_method_decorators(self):
         app = Microdot()

tests/microdot/test_request.py

@@ -91,14 +91,38 @@ class TestRequest(unittest.TestCase):
 
         Request.max_readline = saved_max_readline
 
+    def test_stream(self):
+        fd = get_request_fd('GET', '/foo', headers={
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Content-Length': '19'},
+            body='foo=bar&abc=def&x=y')
+        req = Request.create('app', fd, 'addr')
+        self.assertEqual(req.stream.read(), b'foo=bar&abc=def&x=y')
+        with self.assertRaises(RuntimeError):
+            req.body
+
+    def test_body(self):
+        fd = get_request_fd('GET', '/foo', headers={
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Content-Length': '19'},
+            body='foo=bar&abc=def&x=y')
+        req = Request.create('app', fd, 'addr')
+        self.assertEqual(req.body, b'foo=bar&abc=def&x=y')
+        with self.assertRaises(RuntimeError):
+            req.stream
+
     def test_large_payload(self):
         saved_max_content_length = Request.max_content_length
-        Request.max_content_length = 16
+        saved_max_body_length = Request.max_body_length
+        Request.max_content_length = 32
+        Request.max_body_length = 16
 
         fd = get_request_fd('GET', '/foo', headers={
             'Content-Type': 'application/x-www-form-urlencoded'},
             body='foo=bar&abc=def&x=y')
         req = Request.create('app', fd, 'addr')
         self.assertEqual(req.body, b'')
+        self.assertEqual(req.stream.read(), b'foo=bar&abc=def&x=y')
 
         Request.max_content_length = saved_max_content_length
+        Request.max_body_length = saved_max_body_length

tests/microdot/test_response.py

@@ -167,6 +167,9 @@ class TestResponse(unittest.TestCase):
         self.assertEqual(res.status_code, 301)
         self.assertEqual(res.headers['Location'], '/foo')
 
+        with self.assertRaises(ValueError):
+            Response.redirect('/foo\x0d\x0a\x0d\x0a<p>Foo</p>')
+
     def test_send_file(self):
         files = [
             ('test.txt', 'text/plain'),

tests/microdot_asyncio/test_microdot_asyncio.py

@@ -84,7 +84,10 @@ class TestMicrodotAsync(unittest.TestCase):
         mock_socket._requests.append(fd)
         self._add_shutdown(app)
         app.run()
-        assert fd.response == b''
+        self.assertTrue(fd.response.startswith(b'HTTP/1.0 400 N/A\r\n'))
+        self.assertIn(b'Content-Length: 11\r\n', fd.response)
+        self.assertIn(b'Content-Type: text/plain\r\n', fd.response)
+        self.assertTrue(fd.response.endswith(b'\r\n\r\nBad request'))
 
     def test_before_after_request(self):
         app = Microdot()

tests/microdot_asyncio/test_request_asyncio.py

@@ -101,14 +101,30 @@ class TestRequestAsync(unittest.TestCase):
 
         Request.max_readline = saved_max_readline
 
+    def test_stream(self):
+        fd = get_async_request_fd('GET', '/foo', headers={
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Content-Length': '19'},
+            body='foo=bar&abc=def&x=y')
+        req = _run(Request.create('app', fd, 'addr'))
+        self.assertEqual(req.body, b'foo=bar&abc=def&x=y')
+        data = _run(req.stream.read())
+        self.assertEqual(data, b'foo=bar&abc=def&x=y')
+
     def test_large_payload(self):
         saved_max_content_length = Request.max_content_length
-        Request.max_content_length = 16
+        saved_max_body_length = Request.max_body_length
+        Request.max_content_length = 32
+        Request.max_body_length = 16
 
         fd = get_async_request_fd('GET', '/foo', headers={
-            'Content-Type': 'application/x-www-form-urlencoded'},
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Content-Length': '19'},
             body='foo=bar&abc=def&x=y')
         req = _run(Request.create('app', fd, 'addr'))
         self.assertEqual(req.body, b'')
+        data = _run(req.stream.read())
+        self.assertEqual(data, b'foo=bar&abc=def&x=y')
 
         Request.max_content_length = saved_max_content_length
+        Request.max_body_length = saved_max_body_length

tests/mock_socket.py

@@ -56,7 +56,10 @@ class FakeStreamAsync:
     async def readline(self):
         return self.stream.readline()
 
-    async def read(self, n):
+    async def read(self, n=-1):
+        return self.stream.read(n)
+
+    async def readexactly(self, n):
         return self.stream.read(n)
 
     async def awrite(self, data):