Pure-Python HPACK header compression
========================================
.. image:: https://raw.github.com/Lukasa/hyper/development/docs/source/images/hyper.png
.. image:: https://travis-ci.org/python-hyper/hpack.png?branch=master :target: https://travis-ci.org/python-hyper/hpack
This module contains a pure-Python HTTP/2 header encoding (HPACK) logic for use
in Python programs that implement HTTP/2. It also contains a compatibility
layer that automatically enables the use of nghttp2
if it's available.
Documentation is available at http://python-hyper.org/hpack/.
hpack
welcomes contributions from anyone! Unlike many other projects we are
happy to accept cosmetic contributions and small contributions, in addition to
large feature requests and changes.
Before you contribute (either by opening an issue or filing a pull request),
please read the contribution guidelines
_.
.. _read the contribution guidelines: http://hyper.readthedocs.org/en/development/contributing.html
hpack
is made available under the MIT License. For more details, see the
LICENSE
file in the repository.
hpack
is maintained by Cory Benfield, with contributions from others. For
more details about the contributors, please see CONTRIBUTORS.rst
.
API Changes (Backward Incompatible)
API Changes (Backward Compatible)
InvalidTableSizeError
thrown when the encoder does not
respect the maximum table size set by the user.Decoder.max_allowed_table_size
field that sets the maximum
allowed size of the decoder header table. See the documentation for an
indication of how this should be used.Bugfixes
Security Fixes
CVE-2016-6581: HPACK Bomb. This release now enforces a maximum value of the decompressed size of the header list. This is to avoid the so-called "HPACK Bomb" vulnerability, which is caused when a malicious peer sends a compressed HPACK body that decompresses to a gigantic header list size.
This also adds a OversizedHeaderListError
, which is thrown by the
decode
method if the maximum header list size is being violated. This
places the HPACK decoder into a broken state: it must not be used after this
exception is thrown.
This also adds a max_header_list_size
to the Decoder
object. This
controls the maximum allowable decompressed size of the header list. By
default this is set to 64kB.
API Changes (Backward Compatible)
HeaderTuple
and NeverIndexedHeaderTuple
classes that signal
whether a given header field may ever be indexed in HTTP/2 header
compression.Decoder.decode()
to return the newly added HeaderTuple
class
and subclass. These objects behave like two-tuples, so this change does not
break working code.Bugfixes
Bugfixes
Encoder.encode
, HPACK
now ensures that HTTP/2 special headers (headers whose names begin with
:
characters) appear first in the header block.API Changes (Backward Compatible)
InvalidTableIndex
exception, a subclass of
HPACKDecodingError
.IndexError
when encountering invalid encoded integers
HPACK now throws HPACKDecodingError
.UnicodeDecodeError
when encountering headers that are
not UTF-8 encoded, HPACK now throws HPACKDecodingError
.IndexError
when encountering invalid table offsets,
HPACK now throws InvalidTableIndex
.raw
flag to decode
, allowing decode
to return bytes instead
of attempting to decode the headers as UTF-8.Bugfixes
memoryview
objects are now used when decoding HPACK, improving the
performance by avoiding unnecessary data copies.HPACKEncodingError
.Encoder
, Decoder
,
HPACKError
, HPACKDecodingError
) directly, rather than from
hpack.hpack
.Tatsuhiro Tsujikawa
_... _Tatsuhiro Tsujikawa: https://github.com/tatsuhiro-t
hyper
_... _hyper: https://hyper.readthedocs.org/