Merge branch '3.7' into 3.8

greshilov · Feb 25, 2021 · 8931d92 · 8931d92
2 parents c5b7ba3 + 0a26acc
commit 8931d92
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 15 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -14,6 +14,34 @@ Changelog
 
 .. towncrier release notes start
 
+3.7.3 (2021-02-25)
+==================
+
+Bugfixes
+--------
+
+- **(SECURITY BUG)** Started preventing open redirects in the
+  ``aiohttp.web.normalize_path_middleware`` middleware. For
+  more details, see
+  https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg.
+
+  Thanks to `Beast Glatisant <https://github.com/g147>`__ for
+  finding the first instance of this issue and `Jelmer Vernooĳ
+  <https://jelmer.uk/>`__ for reporting and tracking it down
+  in aiohttp.
+  `#5497 <https://github.com/aio-libs/aiohttp/issues/5497>`_
+- Fix interpretation difference of the pure-Python and the Cython-based
+  HTTP parsers construct a ``yarl.URL`` object for HTTP request-target.
+
+  Before this fix, the Python parser would turn the URI's absolute-path
+  for ``//some-path`` into ``/`` while the Cython code preserved it as
+  ``//some-path``. Now, both do the latter.
+  `#5498 <https://github.com/aio-libs/aiohttp/issues/5498>`_
+
+
+----
+
+
 3.7.3 (2020-11-18)
 ==================
 

diff --git a/CHANGES/5497.bugfix b/CHANGES/5497.bugfix
diff --git a/CHANGES/5498.bugfix b/CHANGES/5498.bugfix
diff --git a/tests/test_web_middleware.py b/tests/test_web_middleware.py
@@ -1,4 +1,5 @@
 import re
+from typing import Any
 
 import pytest
 from yarl import URL