Reject non-string header values #302
Labels
Milestone
Comments
sandhose
added a commit
to element-hq/synapse
that referenced
this issue
Sep 25, 2024
Bumps [treq](https://github.com/twisted/treq) from 23.11.0 to 24.9.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/twisted/treq/releases">treq's releases</a>.</em></p> <blockquote> <h2>Treq 24.9.0</h2> <h2>Features</h2> <ul> <li>treq now ships type annotations. (<a href="https://redirect.github.com/twisted/treq/issues/366">#366</a>)</li> <li>The new <code>treq.cookies</code> module provides helper functions for working with <code>http.cookiejar.Cookie</code> and <code>CookieJar</code> objects. (<a href="https://redirect.github.com/twisted/treq/issues/384">#384</a>)</li> <li>Python 3.13 is now supported. (<a href="https://redirect.github.com/twisted/treq/issues/391">#391</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li><code>treq.content.text_content()</code> no longer generates deprecation warnings due to use of the <code>cgi</code> module. (<a href="https://redirect.github.com/twisted/treq/issues/355">#355</a>)</li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Mixing the <em>json</em> argument with <em>files</em> or <em>data</em> now raises <code>TypeError</code>. (<a href="https://redirect.github.com/twisted/treq/issues/297">#297</a>)</li> <li>Passing non-string (<code>str</code> or <code>bytes</code>) values as part of a dict to the <em>headers</em> argument now results in a <code>TypeError</code>, as does passing any collection other than a <code>dict</code> or <code>Headers</code> instance. (<a href="https://redirect.github.com/twisted/treq/issues/302">#302</a>)</li> <li>Support for Python 3.7 and PyPy 3.8, which have reached end of support, has been dropped. (<a href="https://redirect.github.com/twisted/treq/issues/378">#378</a>)</li> </ul> <h2>Misc</h2> <ul> <li><a href="https://redirect.github.com/twisted/treq/issues/336">#336</a>, <a href="https://redirect.github.com/twisted/treq/issues/382">#382</a>, <a href="https://redirect.github.com/twisted/treq/issues/395">#395</a></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/twisted/treq/blob/trunk/CHANGELOG.rst">treq's changelog</a>.</em></p> <blockquote> <h1>24.9.1 (2024-09-19)</h1> <h2>Bugfixes</h2> <ul> <li>treq has vendored its dependency on the <code>multipart</code> library to avoid import conflicts with <code>python-multipart</code>; it should now be installable alongside that library. (<code>[#399](twisted/treq#399) <https://github.com/twisted/treq/issues/399></code>__)</li> </ul> <h1>24.9.0 (2024-09-17)</h1> <h2>Features</h2> <ul> <li>treq now ships type annotations. (<code>[#366](twisted/treq#366) <https://github.com/twisted/treq/issues/366></code>__)</li> <li>The new :mod:<code>treq.cookies</code> module provides helper functions for working with <code>http.cookiejar.Cookie</code> and <code>CookieJar</code> objects. (<code>[#384](twisted/treq#384) <https://github.com/twisted/treq/issues/384></code>__)</li> <li>Python 3.13 is now supported. (<code>[#391](twisted/treq#391) <https://github.com/twisted/treq/issues/391></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>:mod:<code>treq.content.text_content()</code> no longer generates deprecation warnings due to use of the <code>cgi</code> module. (<code>[#355](twisted/treq#355) <https://github.com/twisted/treq/issues/355></code>__)</li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Mixing the <em>json</em> argument with <em>files</em> or <em>data</em> now raises <code>TypeError</code>. (<code>[#297](twisted/treq#297) <https://github.com/twisted/treq/issues/297></code>__)</li> <li>Passing non-string (<code>str</code> or <code>bytes</code>) values as part of a dict to the <em>headers</em> argument now results in a <code>TypeError</code>, as does passing any collection other than a <code>dict</code> or <code>Headers</code> instance. (<code>[#302](twisted/treq#302) <https://github.com/twisted/treq/issues/302></code>__)</li> <li>Support for Python 3.7 and PyPy 3.8, which have reached end of support, has been dropped. (<code>[#378](twisted/treq#378) <https://github.com/twisted/treq/issues/378></code>__)</li> </ul> <h2>Misc</h2> <ul> <li><code>[#336](twisted/treq#336) <https://github.com/twisted/treq/issues/336></code><strong>, <code>[#382](twisted/treq#382) <https://github.com/twisted/treq/issues/382></code></strong>, <code>[#395](twisted/treq#395) <https://github.com/twisted/treq/issues/395></code>__</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/twisted/treq/commit/caaf9fcb62992de47ad5ebcb628cce5106b8d1b1"><code>caaf9fc</code></a> Release 24.9.1</li> <li><a href="https://github.com/twisted/treq/commit/9cedb088b40e5d756f1196defb46b5a7e41bf1c8"><code>9cedb08</code></a> Merge pull request <a href="https://redirect.github.com/twisted/treq/issues/400">#400</a> from twisted/vendor-multipart-for-now</li> <li><a href="https://github.com/twisted/treq/commit/4aa1ee8a3ca5461c165ea380b1cbd0ea5b41cce4"><code>4aa1ee8</code></a> news fragment</li> <li><a href="https://github.com/twisted/treq/commit/d7c16de8f522c5fc10cf2108371afce635d39e4e"><code>d7c16de</code></a> octothorpes rise up</li> <li><a href="https://github.com/twisted/treq/commit/4fd3c842c21a3fa45560dc7eb41767fcbb4e653a"><code>4fd3c84</code></a> try to make the linter happy</li> <li><a href="https://github.com/twisted/treq/commit/f0a5148cba2c983335758dd34ab78bff46f2dc6b"><code>f0a5148</code></a> fix import, switch to <code>from</code></li> <li><a href="https://github.com/twisted/treq/commit/7f16b87f0a2574a2ef67a50e6bf89ad9941fcf4c"><code>7f16b87</code></a> correct import</li> <li><a href="https://github.com/twisted/treq/commit/1526431a37745bb33982f79bb38d1d4e4554907d"><code>1526431</code></a> add a lightly-modified vendored version of <a href="https://github.com/defnull/multipa">https://github.com/defnull/multipa</a>...</li> <li><a href="https://github.com/twisted/treq/commit/7c52d4917f41291da271fd5cebf2e69e73dcee32"><code>7c52d49</code></a> remove dependency on <code>multipart</code> package</li> <li><a href="https://github.com/twisted/treq/commit/ca3966f57a34fa4a3c0b3eb1a90e3f1cc1951bf3"><code>ca3966f</code></a> Merge pull request <a href="https://redirect.github.com/twisted/treq/issues/398">#398</a> from twisted/397-release-24.9.0</li> <li>Additional commits viewable in <a href="https://github.com/twisted/treq/compare/release-23.11.0...treq-24.9.1">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Quentin Gliech <quenting@element.io>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Continuing on #294, which now produces a deprecation warning, treq should raise
TypeErrorwhen passed a dict with non-string header values.The text was updated successfully, but these errors were encountered: