BaseRequest.url passes the host and port to URL.build when the port is included in the host header (non-default port) -- fixed in 3.10.7

[bdraco]

request.host can be 127.0.0.1:8123

aiohttp/aiohttp/web_request.py

Line 447 in 0b8be7f

url = URL.build(scheme=self.scheme, host=self.host)

yarl 1.13.0+ caught this because host is now validated via aio-libs/yarl#954

Pinning yarl to < 1.13.0 will also prevent the issue since the validation doesn't happen until that version.

[bdraco]

Fix for Home Assistant is home-assistant/core#126882

[bdraco]

This is messy because downstream expects the port in a lot of places to get the host

tests/components/http/test_forwarded.py:        assert request.host == f"{url.host}:{url.port}"
tests/components/http/test_forwarded.py:        assert request.host == f"{url.host}:{url.port}"
tests/components/http/test_forwarded.py:        assert request.host == f"{url.host}:{url.port}"
tests/components/http/test_forwarded.py:        assert request.host == f"{url.host}:{url.port}"
tests/components/http/test_forwarded.py:        assert request.host == f"{url.host}:{url.port}"
tests/components/http/test_forwarded.py:        assert request.host == f"{url.host}:{url.port}"
tests/components/http/test_forwarded.py:        assert request.host == "example.com"
tests/components/http/test_forwarded.py:        assert request.host == f"{url.host}:{url.port}"

Its also used for X-Forwarded-Host which is also a bit up for debate if it should include the port akka/akka-http#2191 details the struggle

[ffissore]

Should the yarl dependency be pinned to 1.12.1 in https://github.com/aio-libs/aiohttp/blob/master/requirements/runtime-deps.in#L11C1-L11C22 https://github.com/aio-libs/aiohttp/blob/master/setup.cfg#L57 until the issue is solved?

[Dreamsorcerer]

I can't imagine we'll make another release without solving the issue, so updating the pin is not going to help.

[ffissore]

The problem is that, being yarl specified as a range, even those that don't update aiohttp will be affected.
I'm the last one demanding open source devs to "fix this now!", hence my suggestion to pin yarl to buy you time.

[bdraco]

I think we’ll do a new release as soon as we can fix this one. I expect I’ll have time this weekend to make that happen.

[bdraco]

#9318 will fix it for 3.10

The caveat emptor is the fix makes the url call a lot slower so if it matters for you when we ship the fix I'd update yarl to 1.13.1 once its available as it will shave off most of the performance slowdown , however if you aren't fetching the url on every request you'll probably never notice.

At this point everything is worked out and the hold up is waiting on GitHub CI runners

[bdraco]

I was hoping to release this fix today in 3.10.7 but docker registry is down so the release won't publish

https://www.dockerstatus.com/