[Python-modules-team] Bug#899406: requests.Session doesn't properly handle closed keep-alive sessions

Jonathan Lynch jlynch at tenable.com
Wed May 23 21:16:57 BST 2018


Package: python-requests
Version: 2.18.4

When a server reaps a keep-alive session it sends a FIN packet to the
client. Normally, requests handles this fine and rebuilds the session on
the next request. However, there is an edge case involving network latency
that is not properly handled:

If python sends a request at roughly the same time as the server closes the
session, then the server will send a RST (as the session is closed). Python
receives this RST on what it thought was a valid session and throws an
error:

requests.exceptions.ConnectionError: ('Connection aborted.',
RemoteDisconnected('Remote end closed connection without response',))

The reason I consider this a bug is because python received the FIN packet
before it received the RST. As a result, it shouldn't be surprised when the
connection is subsequently aborted. It is an edge case, but the client has
enough information available to it that it could have handled it correctly.

The workaround is to set max_retries on the Session via an HTTPAdaptor, but
I believe the correct behavior when the FIN is received is to rebuild the
session and re-send any requests that were in-flight (rather than throwing
an error). Requests correctly handles the FIN packet if there are no
in-flight requests, but if there are in-flight requests it ignores it and
instead throws an error.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/python-modules-team/attachments/20180523/fc459c0b/attachment-0001.html>


More information about the Python-modules-team mailing list