mirror of https://github.com/python/cpython
548 lines
21 KiB
ReStructuredText
548 lines
21 KiB
ReStructuredText
:mod:`!http.server` --- HTTP servers
|
|
====================================
|
|
|
|
.. module:: http.server
|
|
:synopsis: HTTP server and request handlers.
|
|
|
|
**Source code:** :source:`Lib/http/server.py`
|
|
|
|
.. index::
|
|
pair: WWW; server
|
|
pair: HTTP; protocol
|
|
single: URL
|
|
single: httpd
|
|
|
|
--------------
|
|
|
|
This module defines classes for implementing HTTP servers.
|
|
|
|
|
|
.. warning::
|
|
|
|
:mod:`http.server` is not recommended for production. It only implements
|
|
:ref:`basic security checks <http.server-security>`.
|
|
|
|
.. include:: ../includes/wasm-notavail.rst
|
|
|
|
One class, :class:`HTTPServer`, is a :class:`socketserver.TCPServer` subclass.
|
|
It creates and listens at the HTTP socket, dispatching the requests to a
|
|
handler. Code to create and run the server looks like this::
|
|
|
|
def run(server_class=HTTPServer, handler_class=BaseHTTPRequestHandler):
|
|
server_address = ('', 8000)
|
|
httpd = server_class(server_address, handler_class)
|
|
httpd.serve_forever()
|
|
|
|
|
|
.. class:: HTTPServer(server_address, RequestHandlerClass)
|
|
|
|
This class builds on the :class:`~socketserver.TCPServer` class by storing
|
|
the server address as instance variables named :attr:`server_name` and
|
|
:attr:`server_port`. The server is accessible by the handler, typically
|
|
through the handler's :attr:`server` instance variable.
|
|
|
|
.. class:: ThreadingHTTPServer(server_address, RequestHandlerClass)
|
|
|
|
This class is identical to HTTPServer but uses threads to handle
|
|
requests by using the :class:`~socketserver.ThreadingMixIn`. This
|
|
is useful to handle web browsers pre-opening sockets, on which
|
|
:class:`HTTPServer` would wait indefinitely.
|
|
|
|
.. versionadded:: 3.7
|
|
|
|
|
|
The :class:`HTTPServer` and :class:`ThreadingHTTPServer` must be given
|
|
a *RequestHandlerClass* on instantiation, of which this module
|
|
provides three different variants:
|
|
|
|
.. class:: BaseHTTPRequestHandler(request, client_address, server)
|
|
|
|
This class is used to handle the HTTP requests that arrive at the server. By
|
|
itself, it cannot respond to any actual HTTP requests; it must be subclassed
|
|
to handle each request method (e.g. GET or POST).
|
|
:class:`BaseHTTPRequestHandler` provides a number of class and instance
|
|
variables, and methods for use by subclasses.
|
|
|
|
The handler will parse the request and the headers, then call a method
|
|
specific to the request type. The method name is constructed from the
|
|
request. For example, for the request method ``SPAM``, the :meth:`!do_SPAM`
|
|
method will be called with no arguments. All of the relevant information is
|
|
stored in instance variables of the handler. Subclasses should not need to
|
|
override or extend the :meth:`!__init__` method.
|
|
|
|
:class:`BaseHTTPRequestHandler` has the following instance variables:
|
|
|
|
.. attribute:: client_address
|
|
|
|
Contains a tuple of the form ``(host, port)`` referring to the client's
|
|
address.
|
|
|
|
.. attribute:: server
|
|
|
|
Contains the server instance.
|
|
|
|
.. attribute:: close_connection
|
|
|
|
Boolean that should be set before :meth:`handle_one_request` returns,
|
|
indicating if another request may be expected, or if the connection should
|
|
be shut down.
|
|
|
|
.. attribute:: requestline
|
|
|
|
Contains the string representation of the HTTP request line. The
|
|
terminating CRLF is stripped. This attribute should be set by
|
|
:meth:`handle_one_request`. If no valid request line was processed, it
|
|
should be set to the empty string.
|
|
|
|
.. attribute:: command
|
|
|
|
Contains the command (request type). For example, ``'GET'``.
|
|
|
|
.. attribute:: path
|
|
|
|
Contains the request path. If query component of the URL is present,
|
|
then ``path`` includes the query. Using the terminology of :rfc:`3986`,
|
|
``path`` here includes ``hier-part`` and the ``query``.
|
|
|
|
.. attribute:: request_version
|
|
|
|
Contains the version string from the request. For example, ``'HTTP/1.0'``.
|
|
|
|
.. attribute:: headers
|
|
|
|
Holds an instance of the class specified by the :attr:`MessageClass` class
|
|
variable. This instance parses and manages the headers in the HTTP
|
|
request. The :func:`~http.client.parse_headers` function from
|
|
:mod:`http.client` is used to parse the headers and it requires that the
|
|
HTTP request provide a valid :rfc:`2822` style header.
|
|
|
|
.. attribute:: rfile
|
|
|
|
An :class:`io.BufferedIOBase` input stream, ready to read from
|
|
the start of the optional input data.
|
|
|
|
.. attribute:: wfile
|
|
|
|
Contains the output stream for writing a response back to the
|
|
client. Proper adherence to the HTTP protocol must be used when writing to
|
|
this stream in order to achieve successful interoperation with HTTP
|
|
clients.
|
|
|
|
.. versionchanged:: 3.6
|
|
This is an :class:`io.BufferedIOBase` stream.
|
|
|
|
:class:`BaseHTTPRequestHandler` has the following attributes:
|
|
|
|
.. attribute:: server_version
|
|
|
|
Specifies the server software version. You may want to override this. The
|
|
format is multiple whitespace-separated strings, where each string is of
|
|
the form name[/version]. For example, ``'BaseHTTP/0.2'``.
|
|
|
|
.. attribute:: sys_version
|
|
|
|
Contains the Python system version, in a form usable by the
|
|
:attr:`version_string` method and the :attr:`server_version` class
|
|
variable. For example, ``'Python/1.4'``.
|
|
|
|
.. attribute:: error_message_format
|
|
|
|
Specifies a format string that should be used by :meth:`send_error` method
|
|
for building an error response to the client. The string is filled by
|
|
default with variables from :attr:`responses` based on the status code
|
|
that passed to :meth:`send_error`.
|
|
|
|
.. attribute:: error_content_type
|
|
|
|
Specifies the Content-Type HTTP header of error responses sent to the
|
|
client. The default value is ``'text/html'``.
|
|
|
|
.. attribute:: protocol_version
|
|
|
|
Specifies the HTTP version to which the server is conformant. It is sent
|
|
in responses to let the client know the server's communication
|
|
capabilities for future requests. If set to
|
|
``'HTTP/1.1'``, the server will permit HTTP persistent connections;
|
|
however, your server *must* then include an accurate ``Content-Length``
|
|
header (using :meth:`send_header`) in all of its responses to clients.
|
|
For backwards compatibility, the setting defaults to ``'HTTP/1.0'``.
|
|
|
|
.. attribute:: MessageClass
|
|
|
|
Specifies an :class:`email.message.Message`\ -like class to parse HTTP
|
|
headers. Typically, this is not overridden, and it defaults to
|
|
:class:`http.client.HTTPMessage`.
|
|
|
|
.. attribute:: responses
|
|
|
|
This attribute contains a mapping of error code integers to two-element tuples
|
|
containing a short and long message. For example, ``{code: (shortmessage,
|
|
longmessage)}``. The *shortmessage* is usually used as the *message* key in an
|
|
error response, and *longmessage* as the *explain* key. It is used by
|
|
:meth:`send_response_only` and :meth:`send_error` methods.
|
|
|
|
A :class:`BaseHTTPRequestHandler` instance has the following methods:
|
|
|
|
.. method:: handle()
|
|
|
|
Calls :meth:`handle_one_request` once (or, if persistent connections are
|
|
enabled, multiple times) to handle incoming HTTP requests. You should
|
|
never need to override it; instead, implement appropriate :meth:`!do_\*`
|
|
methods.
|
|
|
|
.. method:: handle_one_request()
|
|
|
|
This method will parse and dispatch the request to the appropriate
|
|
:meth:`!do_\*` method. You should never need to override it.
|
|
|
|
.. method:: handle_expect_100()
|
|
|
|
When an HTTP/1.1 conformant server receives an ``Expect: 100-continue``
|
|
request header it responds back with a ``100 Continue`` followed by ``200
|
|
OK`` headers.
|
|
This method can be overridden to raise an error if the server does not
|
|
want the client to continue. For e.g. server can choose to send ``417
|
|
Expectation Failed`` as a response header and ``return False``.
|
|
|
|
.. versionadded:: 3.2
|
|
|
|
.. method:: send_error(code, message=None, explain=None)
|
|
|
|
Sends and logs a complete error reply to the client. The numeric *code*
|
|
specifies the HTTP error code, with *message* as an optional, short, human
|
|
readable description of the error. The *explain* argument can be used to
|
|
provide more detailed information about the error; it will be formatted
|
|
using the :attr:`error_message_format` attribute and emitted, after
|
|
a complete set of headers, as the response body. The :attr:`responses`
|
|
attribute holds the default values for *message* and *explain* that
|
|
will be used if no value is provided; for unknown codes the default value
|
|
for both is the string ``???``. The body will be empty if the method is
|
|
HEAD or the response code is one of the following: :samp:`1{xx}`,
|
|
``204 No Content``, ``205 Reset Content``, ``304 Not Modified``.
|
|
|
|
.. versionchanged:: 3.4
|
|
The error response includes a Content-Length header.
|
|
Added the *explain* argument.
|
|
|
|
.. method:: send_response(code, message=None)
|
|
|
|
Adds a response header to the headers buffer and logs the accepted
|
|
request. The HTTP response line is written to the internal buffer,
|
|
followed by *Server* and *Date* headers. The values for these two headers
|
|
are picked up from the :meth:`version_string` and
|
|
:meth:`date_time_string` methods, respectively. If the server does not
|
|
intend to send any other headers using the :meth:`send_header` method,
|
|
then :meth:`send_response` should be followed by an :meth:`end_headers`
|
|
call.
|
|
|
|
.. versionchanged:: 3.3
|
|
Headers are stored to an internal buffer and :meth:`end_headers`
|
|
needs to be called explicitly.
|
|
|
|
.. method:: send_header(keyword, value)
|
|
|
|
Adds the HTTP header to an internal buffer which will be written to the
|
|
output stream when either :meth:`end_headers` or :meth:`flush_headers` is
|
|
invoked. *keyword* should specify the header keyword, with *value*
|
|
specifying its value. Note that, after the send_header calls are done,
|
|
:meth:`end_headers` MUST BE called in order to complete the operation.
|
|
|
|
.. versionchanged:: 3.2
|
|
Headers are stored in an internal buffer.
|
|
|
|
.. method:: send_response_only(code, message=None)
|
|
|
|
Sends the response header only, used for the purposes when ``100
|
|
Continue`` response is sent by the server to the client. The headers not
|
|
buffered and sent directly the output stream.If the *message* is not
|
|
specified, the HTTP message corresponding the response *code* is sent.
|
|
|
|
.. versionadded:: 3.2
|
|
|
|
.. method:: end_headers()
|
|
|
|
Adds a blank line
|
|
(indicating the end of the HTTP headers in the response)
|
|
to the headers buffer and calls :meth:`flush_headers()`.
|
|
|
|
.. versionchanged:: 3.2
|
|
The buffered headers are written to the output stream.
|
|
|
|
.. method:: flush_headers()
|
|
|
|
Finally send the headers to the output stream and flush the internal
|
|
headers buffer.
|
|
|
|
.. versionadded:: 3.3
|
|
|
|
.. method:: log_request(code='-', size='-')
|
|
|
|
Logs an accepted (successful) request. *code* should specify the numeric
|
|
HTTP code associated with the response. If a size of the response is
|
|
available, then it should be passed as the *size* parameter.
|
|
|
|
.. method:: log_error(...)
|
|
|
|
Logs an error when a request cannot be fulfilled. By default, it passes
|
|
the message to :meth:`log_message`, so it takes the same arguments
|
|
(*format* and additional values).
|
|
|
|
|
|
.. method:: log_message(format, ...)
|
|
|
|
Logs an arbitrary message to ``sys.stderr``. This is typically overridden
|
|
to create custom error logging mechanisms. The *format* argument is a
|
|
standard printf-style format string, where the additional arguments to
|
|
:meth:`log_message` are applied as inputs to the formatting. The client
|
|
ip address and current date and time are prefixed to every message logged.
|
|
|
|
.. method:: version_string()
|
|
|
|
Returns the server software's version string. This is a combination of the
|
|
:attr:`server_version` and :attr:`sys_version` attributes.
|
|
|
|
.. method:: date_time_string(timestamp=None)
|
|
|
|
Returns the date and time given by *timestamp* (which must be ``None`` or in
|
|
the format returned by :func:`time.time`), formatted for a message
|
|
header. If *timestamp* is omitted, it uses the current date and time.
|
|
|
|
The result looks like ``'Sun, 06 Nov 1994 08:49:37 GMT'``.
|
|
|
|
.. method:: log_date_time_string()
|
|
|
|
Returns the current date and time, formatted for logging.
|
|
|
|
.. method:: address_string()
|
|
|
|
Returns the client address.
|
|
|
|
.. versionchanged:: 3.3
|
|
Previously, a name lookup was performed. To avoid name resolution
|
|
delays, it now always returns the IP address.
|
|
|
|
|
|
.. class:: SimpleHTTPRequestHandler(request, client_address, server, directory=None)
|
|
|
|
This class serves files from the directory *directory* and below,
|
|
or the current directory if *directory* is not provided, directly
|
|
mapping the directory structure to HTTP requests.
|
|
|
|
.. versionchanged:: 3.7
|
|
Added the *directory* parameter.
|
|
|
|
.. versionchanged:: 3.9
|
|
The *directory* parameter accepts a :term:`path-like object`.
|
|
|
|
A lot of the work, such as parsing the request, is done by the base class
|
|
:class:`BaseHTTPRequestHandler`. This class implements the :func:`do_GET`
|
|
and :func:`do_HEAD` functions.
|
|
|
|
The following are defined as class-level attributes of
|
|
:class:`SimpleHTTPRequestHandler`:
|
|
|
|
.. attribute:: server_version
|
|
|
|
This will be ``"SimpleHTTP/" + __version__``, where ``__version__`` is
|
|
defined at the module level.
|
|
|
|
.. attribute:: extensions_map
|
|
|
|
A dictionary mapping suffixes into MIME types, contains custom overrides
|
|
for the default system mappings. The mapping is used case-insensitively,
|
|
and so should contain only lower-cased keys.
|
|
|
|
.. versionchanged:: 3.9
|
|
This dictionary is no longer filled with the default system mappings,
|
|
but only contains overrides.
|
|
|
|
The :class:`SimpleHTTPRequestHandler` class defines the following methods:
|
|
|
|
.. method:: do_HEAD()
|
|
|
|
This method serves the ``'HEAD'`` request type: it sends the headers it
|
|
would send for the equivalent ``GET`` request. See the :meth:`do_GET`
|
|
method for a more complete explanation of the possible headers.
|
|
|
|
.. method:: do_GET()
|
|
|
|
The request is mapped to a local file by interpreting the request as a
|
|
path relative to the current working directory.
|
|
|
|
If the request was mapped to a directory, the directory is checked for a
|
|
file named ``index.html`` or ``index.htm`` (in that order). If found, the
|
|
file's contents are returned; otherwise a directory listing is generated
|
|
by calling the :meth:`list_directory` method. This method uses
|
|
:func:`os.listdir` to scan the directory, and returns a ``404`` error
|
|
response if the :func:`~os.listdir` fails.
|
|
|
|
If the request was mapped to a file, it is opened. Any :exc:`OSError`
|
|
exception in opening the requested file is mapped to a ``404``,
|
|
``'File not found'`` error. If there was a ``'If-Modified-Since'``
|
|
header in the request, and the file was not modified after this time,
|
|
a ``304``, ``'Not Modified'`` response is sent. Otherwise, the content
|
|
type is guessed by calling the :meth:`guess_type` method, which in turn
|
|
uses the *extensions_map* variable, and the file contents are returned.
|
|
|
|
A ``'Content-type:'`` header with the guessed content type is output,
|
|
followed by a ``'Content-Length:'`` header with the file's size and a
|
|
``'Last-Modified:'`` header with the file's modification time.
|
|
|
|
Then follows a blank line signifying the end of the headers, and then the
|
|
contents of the file are output. If the file's MIME type starts with
|
|
``text/`` the file is opened in text mode; otherwise binary mode is used.
|
|
|
|
For example usage, see the implementation of the ``test`` function
|
|
in :source:`Lib/http/server.py`.
|
|
|
|
.. versionchanged:: 3.7
|
|
Support of the ``'If-Modified-Since'`` header.
|
|
|
|
The :class:`SimpleHTTPRequestHandler` class can be used in the following
|
|
manner in order to create a very basic webserver serving files relative to
|
|
the current directory::
|
|
|
|
import http.server
|
|
import socketserver
|
|
|
|
PORT = 8000
|
|
|
|
Handler = http.server.SimpleHTTPRequestHandler
|
|
|
|
with socketserver.TCPServer(("", PORT), Handler) as httpd:
|
|
print("serving at port", PORT)
|
|
httpd.serve_forever()
|
|
|
|
|
|
:class:`SimpleHTTPRequestHandler` can also be subclassed to enhance behavior,
|
|
such as using different index file names by overriding the class attribute
|
|
:attr:`index_pages`.
|
|
|
|
.. _http-server-cli:
|
|
|
|
:mod:`http.server` can also be invoked directly using the :option:`-m`
|
|
switch of the interpreter. Similar to
|
|
the previous example, this serves files relative to the current directory::
|
|
|
|
python -m http.server
|
|
|
|
The server listens to port 8000 by default. The default can be overridden
|
|
by passing the desired port number as an argument::
|
|
|
|
python -m http.server 9000
|
|
|
|
By default, the server binds itself to all interfaces. The option ``-b/--bind``
|
|
specifies a specific address to which it should bind. Both IPv4 and IPv6
|
|
addresses are supported. For example, the following command causes the server
|
|
to bind to localhost only::
|
|
|
|
python -m http.server --bind 127.0.0.1
|
|
|
|
.. versionchanged:: 3.4
|
|
Added the ``--bind`` option.
|
|
|
|
.. versionchanged:: 3.8
|
|
Support IPv6 in the ``--bind`` option.
|
|
|
|
By default, the server uses the current directory. The option ``-d/--directory``
|
|
specifies a directory to which it should serve the files. For example,
|
|
the following command uses a specific directory::
|
|
|
|
python -m http.server --directory /tmp/
|
|
|
|
.. versionchanged:: 3.7
|
|
Added the ``--directory`` option.
|
|
|
|
By default, the server is conformant to HTTP/1.0. The option ``-p/--protocol``
|
|
specifies the HTTP version to which the server is conformant. For example, the
|
|
following command runs an HTTP/1.1 conformant server::
|
|
|
|
python -m http.server --protocol HTTP/1.1
|
|
|
|
.. versionchanged:: 3.11
|
|
Added the ``--protocol`` option.
|
|
|
|
.. class:: CGIHTTPRequestHandler(request, client_address, server)
|
|
|
|
This class is used to serve either files or output of CGI scripts from the
|
|
current directory and below. Note that mapping HTTP hierarchic structure to
|
|
local directory structure is exactly as in :class:`SimpleHTTPRequestHandler`.
|
|
|
|
.. note::
|
|
|
|
CGI scripts run by the :class:`CGIHTTPRequestHandler` class cannot execute
|
|
redirects (HTTP code 302), because code 200 (script output follows) is
|
|
sent prior to execution of the CGI script. This pre-empts the status
|
|
code.
|
|
|
|
The class will however, run the CGI script, instead of serving it as a file,
|
|
if it guesses it to be a CGI script. Only directory-based CGI are used ---
|
|
the other common server configuration is to treat special extensions as
|
|
denoting CGI scripts.
|
|
|
|
The :func:`do_GET` and :func:`do_HEAD` functions are modified to run CGI scripts
|
|
and serve the output, instead of serving files, if the request leads to
|
|
somewhere below the ``cgi_directories`` path.
|
|
|
|
The :class:`CGIHTTPRequestHandler` defines the following data member:
|
|
|
|
.. attribute:: cgi_directories
|
|
|
|
This defaults to ``['/cgi-bin', '/htbin']`` and describes directories to
|
|
treat as containing CGI scripts.
|
|
|
|
The :class:`CGIHTTPRequestHandler` defines the following method:
|
|
|
|
.. method:: do_POST()
|
|
|
|
This method serves the ``'POST'`` request type, only allowed for CGI
|
|
scripts. Error 501, "Can only POST to CGI scripts", is output when trying
|
|
to POST to a non-CGI url.
|
|
|
|
Note that CGI scripts will be run with UID of user nobody, for security
|
|
reasons. Problems with the CGI script will be translated to error 403.
|
|
|
|
.. deprecated-removed:: 3.13 3.15
|
|
|
|
:class:`CGIHTTPRequestHandler` is being removed in 3.15. CGI has not
|
|
been considered a good way to do things for well over a decade. This code
|
|
has been unmaintained for a while now and sees very little practical use.
|
|
Retaining it could lead to further :ref:`security considerations
|
|
<http.server-security>`.
|
|
|
|
:class:`CGIHTTPRequestHandler` can be enabled in the command line by passing
|
|
the ``--cgi`` option::
|
|
|
|
python -m http.server --cgi
|
|
|
|
.. deprecated-removed:: 3.13 3.15
|
|
|
|
:mod:`http.server` command line ``--cgi`` support is being removed
|
|
because :class:`CGIHTTPRequestHandler` is being removed.
|
|
|
|
.. warning::
|
|
|
|
:class:`CGIHTTPRequestHandler` and the ``--cgi`` command line option
|
|
are not intended for use by untrusted clients and may be vulnerable
|
|
to exploitation. Always use within a secure environment.
|
|
|
|
.. _http.server-security:
|
|
|
|
Security Considerations
|
|
-----------------------
|
|
|
|
.. index:: pair: http.server; security
|
|
|
|
:class:`SimpleHTTPRequestHandler` will follow symbolic links when handling
|
|
requests, this makes it possible for files outside of the specified directory
|
|
to be served.
|
|
|
|
Earlier versions of Python did not scrub control characters from the
|
|
log messages emitted to stderr from ``python -m http.server`` or the
|
|
default :class:`BaseHTTPRequestHandler` ``.log_message``
|
|
implementation. This could allow remote clients connecting to your
|
|
server to send nefarious control codes to your terminal.
|
|
|
|
.. versionchanged:: 3.12
|
|
Control characters are scrubbed in stderr logs.
|