requests 2.31.0

Requests is a full-featured HTTP utility module for Python. It provides a simple and encompassing API for issuing requests and accessing responses and metadata. Requests supports international domains and IRLs, keep-alive session pools, persistent cookies, SSL/TLS, HTTP authorization (basic and digest token), standard Content-Encoding compression schemes, Unicode content, multipart/* MIME content, connection timeouts, and is thread-safe.

Tags python requests http-client
License Apache
State stable

Recent Releases

2.31.028 Feb 2024 14:00 security: **Security** - Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of `Proxy-Authorization` headers to destination servers when following HTTPS redirects. When proxies are defined with user info (`https://user:pass@proxy:8080`), Requests will construct a `Proxy-Authorization` header that is attached to the request to authenticate with the proxy. In cases where Requests receives a redirect response, it previously reattached the `Proxy-Authorization` header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are *strongly* encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed. Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability. Full details can be read in our Github Security Advisory ( and CVE-2023-32681 (
2.19.013 Jun 2018 16:45 major bugfix: Improvements Warn user about possible slowdown when using cryptography version 1.3.4. Check for invalid host in proxy URL, before forwarding request to adapter. Fragments are now properly maintained across redirects. (RFC7231 7.1.2). Removed use of cgi module to expedite library load time. Added support for SHA-256 and SHA-512 digest auth algorithms. Minor performance improvement to `Request.content`. Migrate to using for 3.7 compatibility. Parsing empty `Link` headers with `parse_header_links()` no longer return one bogus entry. where loading the default certificate bundle from a zip archive would raise an `IOError`. with unexpected `ImportError` on windows system which do not support `winreg` module. DNS resolution in proxy bypass no longer includes the username and password in the request. This also the of DNS queries failing on macOS. Properly normalize adapter prefor url comparison. Passing `None` as a file pointer to the `files` param no longer raises an exception. Calling `copy` on a `RequestsCookieJar` will now preserve the cookie policy correctly. Dependencies. We now support idna v2.7. We now support urllib3 v1.23.
2.18.416 Aug 2017 03:15 minor documentation: Improvements Error messages for invalid headers now include the header name for easier deging. Dependencies. We now support idna v2.6.
2.18.303 Aug 2017 03:15 minor bugfix: Improvements Running ` python -m` now includes the installed version of idna. where Requests would raise `ConnectionError` instead of. `SSLError` when encountering SSL problems when using urllib3 v1.22.
2.18.226 Jul 2017 03:15 minor bugfix: `` no longer fails on Python 2.6 due to the absence of. `ssl.OPENSSL_VERSION_NUMBER`. Dependencies. We now support urllib3 v1.22.
2.18.115 Jun 2017 03:15 minor bugfix: an error in the packaging whereby the *.whl contained incorrect data that. Regressed the in v2.17.3.
2.14.214 May 2017 03:15 minor bugfix: Changed a less-than to an equal-to and an or in the dependency markers to. Widen compatibility with older setuptools releases.
2.13.025 Jan 2017 03:25 major documentation: Features Only load the `idna` library when we've determined we need it. This will save some memory for users. Miscellaneous. Updated bundled urllib3 to 1.20. Updated bundled idna to 2.2.
2.12.415 Dec 2016 03:15 minor bugfix: Regression from 2.12.2 where non-string types were rejected in the. Basic auth parameters. While support for this behaviour has been readded, The behaviour is deprecated and will be removed in the future.
2.12.305 Dec 2016 03:15 minor bugfix: Regression from v2.12.1 for URLs with schemes that begin with "http". These URLs have historically been processed as though they were HTTP-schemed URLs, and so have had parameters added. This was removed in v2.12.2 in an. Overzealous attempt to resolve problems with IDNA-encoding those URLs. This Change was reverted: the other for IDNA-encoding have been judged to be sufficient to return to the behaviour Requests had before v2.12.0.
2.12.201 Dec 2016 03:15 minor bugfix: Several with IDNA-encoding URLs that are technically invalid but. Which are widely accepted. Requests will now attempt to IDNA-encode a URL if it can but, if it fails, and the host contains only ASCII characters, it will be passed through optimistically. This will allow users to opt-in to using IDNA2003 themselves if they want to, and will also allow technically invalid. But still common hostnames. an where URLs with leading whitespace would raise. `InvalidSchema` errors. an where some URLs without the HTTP or HTTPS schemes would still. Have HTTP URL preparation applied to them. an where Unicode strings could not be used in basic auth. an encountered by some Requests plugins where constructing a Response object would cause `Response.content` to raise an. `AttributeError`.
2.12.120 Nov 2016 03:15 minor security: Updated setuptools 'security' extra for the new PyOpenSSL backend in urllib3. Miscellaneous. Updated bundled urllib3 to 1.19.1.
2.12.016 Nov 2016 03:15 major bugfix: Improvements Updated support for internationalized domain names from IDNA2003 to IDNA2008. This updated support is required for several forms of IDNs and is mandatory. domains. Much improved heuristics for guessing content lengths: Requests will no. Longer read an entire `StringIO` into memory. Much improved logic for recalculating `Content-Length` headers for. `PreparedRequest` objects. Improved tolerance for file-like objects that have no `tell` method but do have a `seek` method. Anything that is a subclass of `Mapping` is now treated like a dictionary by the `data=` keyword argument. Requests now tolerates empty passwords in proxy credentials, rather than. Stripping the credentials. If a request is made with a file-like object as the body and that request is. Redirected with a 307 or 308 status code, Requests will now attempt to Rewind the body object so it can be replayed. When calling `response.`, the call to `` will be propagated. Through to non-urllib3 backends. Where the `ALL_PROXY` environment variable would be preferred. Over scheme-specific variables like `HTTP_PROXY`. Where non-UTF8 reason phrases got severely mangled by falling. Back to decoding using ISO 8859-1 instead. a where Requests would not correctly correlate cookies set when. Using custom Host headers if those Host headers did not use the native String type for the platform. Miscellaneous. Updated bundled urllib3 to 1.19. Updated bundled certifi certs to 2016.09.26.
2.11.118 Aug 2016 03:25 minor bugfix: a when using `iter_content` with `decode_unicode=True` for. Streamed bodies would raise `AttributeError`. This was introduced in 2.11. Strip Content-Type and Transfer-Encoding headers from the header block when. Following a redirect that transforms the verb from POST/PUT to GET.
2.11.009 Aug 2016 03:15 major bugfix: Improvements Added support for the `ALL_PROXY` environment variable. Reject header values that contain leading whitespace or newline characters to reduce risk of header smuggling. occasional `TypeError` when attempting to decode a JSON response that occurred in an error case. Now correctly returns a `ValueError`. Requests would incorrectly ignore a non-CIDR IP address in the `NO_PROXY` environment variables: Requests now treats it as a specific IP. a when sending JSON data that could cause us to encounter obscure OpenSSL errors in certain network conditions (yes, really). Added type checks to ensure that `iter_content` only accepts integers and. `None` for chunk sizes. where responses whose body had not been fully consumed would have the underlying connection but not returned to the connection pool, which could cause Requests to hang in situations where the `HTTPAdapter` had been configured to use a blocking connection pool. Miscellaneous. Updated bundled urllib3 to 1.16. Some previous releases accidentally accepted integers as acceptable header values. This release does not.
2.10.030 Apr 2016 03:15 major feature: New Features SOCKS Proxy Support! (requires PySocks; pip install requests socks ). Miscellaneous. Updated bundled urllib3 to 1.15.1.
2.9.122 Dec 2015 03:15 minor bugfix: Resolve regression introduced in 2.9.0 that made it impossible to send binary strings as bodies in Python 3. errors when calculating cookie expiration dates in certain locales. Miscellaneous. Updated bundled urllib3 to 1.13.1.
2.9.016 Dec 2015 03:15 major bugfix: Minor Improvements (Backwards compatible) The `verify` keyword argument now supports being passed a path to a. Directory of CA certificates, not just a single-file bundle. Warnings are now emitted when sending files opened in text mode. Added the 511 Network Authentication Required status code to the status code. Registry. For file-like objects that are not seeked to the very beginning, we now. Send the content length for the number of bytes we will actually read, rather Than the total size of the file, allowing partial file uploads. When uploading file-like objects, if they are empty or have no obvious. Content length we set `Transfer-Encoding: chunked` rather than `Content-Length: 0`. We correctly receive the response in buffered mode when uploading chunked. Bodies. We now handle being passed a query string as a bytestring on Python 3, by. Decoding it as UTF-8. Sessions are now in all cases (exceptional and not) when using the. Functional API rather than leaking and waiting for the garbage collector to Clean them up. Correctly handle digest auth headers with a malformed `qop` directive that. Contains no token, by treating it the same as if no `qop` directive was Provided at all. Minor performance improvements when removing specific cookies by name.
2.8.114 Oct 2015 09:45 minor bugfix: Update certificate bundle to match `certifi` 2015.9.6.2's weak certificate bundle. a in 2.8.0 where requests would raise `ConnectTimeout` instead of. `ConnectionError`. When using the PreparedRequest flow, requests will now correctly respect the. `json` parameter. Broken in 2.8.0. When using the PreparedRequest flow, requests will now correctly handle a Unicode-string method name on Python 2. Broken in 2.8.0.
2.8.006 Oct 2015 03:15 major bugfix: Minor Improvements (Backwards Compatible) Requests now supports per-host proxies. This allows the `proxies`. Dictionary to have entries of the form ` '://': '' `. Host-specific proxies will be used in preference to the previously-supported scheme-specific ones, but the. Previous syntax will continue to work. `Response.raise_for_status` now prints the URL that failed as part of the. Exception message. `requests.utils.get_netrc_auth` now takes an `raise_errors` kwarg. Defaulting to `False`. When `True`, errors parsing `.netrc` files cause Exceptions to be thrown. Change to bundled projects import logic to make it easier to unbundle. Requests downstream. Changed the default User-Agent string to avoid leaking data on Linux: now. Contains only the requests version. The `json` parameter to `post()` and friends will now only be used if. Neither `data` nor `files` are present, consistent with the Documentation. We now ignore empty fields in the `NO_PROXY` enviroment variable. Problem where `httplib.BadStatusLine` would get raised if combining. `stream=True` with `contextlib.closing`. Prevented where we would attempt to return the same connection back to. The connection pool twice when sending a Chunked body. Miscellaneous minor internal changes. Digest Auth support is now thread safe. Updates. Updated urllib3 to 1.12.
2.7.004 May 2015 11:05 documentation bugfix: This is the first release that follows our new release process. For more, see `our documentation. `_. **Bugfixes**. Updated urllib3 to 1.10.4, resolving several bugs involving chunked transfer encoding and response framing.
2.6.123 Apr 2015 09:05 bugfix: **Bugfixes**. Remove VendorAlias import machinery introduced in v2.5.2. Simplify the PreparedRequest.prepare API: We no longer require the user to pass an empty list to the hooks keyword argument. Resolve redirects now receives and forwards all of the original arguments to the adapter. Handle UnicodeDecodeErrors when trying to deal with a unicode URL that cannot be encoded in ASCII. Populate the parsed path of the URI field when performing Digest Authentication. Copy a PreparedRequest's CookieJar more reliably when it is not an instance of RequestsCookieJar.
2.6.015 Mar 2015 03:15 bugfix feature: Bugfixes** Fix handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing. This was disclosed privately by Matthew Daley of `BugFuzz `_. An CVE identifier has not yet been assigned for this. This affects all versions of requests from v2.1.0 to v2.5.3 . Fix error when requests is an ``install_requires`` dependency and ``python test`` is run. Fix error when urllib3 is unbundled and requests continues to use the vendored import location. Include fixes to ``urllib3``'s header handling. Requests' handling of unvendored dependencies is now more restrictive. Features and Improvements** Support bytearrays when passed as parameters in the ``files`` argument. Avoid data duplication when creating a request with ``str``, ``bytes``, or bytearray`` input to the ``files`` argument.
2.5.224 Feb 2015 16:25 security bugfix: Features and Improvements: Add sha256 fingerprint support. Improve the performance of headers. Bugfixes: Copy pip's import machinery. When downstream redistributors remove requests.packages.urllib3 the import machinery will continue to let those same symbols work. Example usage in requests' documentation and 3rd-party libraries relying on the vendored copies of urllib3 will work without having to fallback to the system urllib3. Attempt to quote parts of the URL on redirect if unquoting and then quoting fails. Fix filename type check for multipart form-data uploads. Properly handle the case where a server issuing digest authentication challenges provides both auth and auth-int qop-values. Fix a socket leak. Fix multiple ``Set-Cookie`` headers properly. Disable the built-in hostname verification. Fix the behaviour of decoding an exhausted stream. Security: Pulled in an updated ``cacert.pem``. Drop RC4 from the default cipher list.
2.5.124 Dec 2014 13:25 bugfix: Behavioural Changes** Only catch HTTPErrors in raise_for_status Bugfixes** Handle LocationParseError from urllib3 Handle file-like object filenames that are not strings Unbreak HTTPDigestAuth handler. Allow new nonces to be negotiated
2.5.002 Dec 2014 18:45 bugfix documentation: Improvements** Allow usage of urllib3's Retry object with HTTPAdapters The ``iter_lines`` method on a response now accepts a delimiter with which to split the content Behavioural Changes** Add deprecation warnings to functions in requests.utils that will be removed in 3.0 Sessions used by the functional API are always closed Restrict requests to HTTP/1.1 and HTTP/1.0 Bugfixes** Only parse the URL once Allow Content-Length header to always be overriden Properly handle files in HTTPDigestAuth Cap redirect_cache size to prevent memory abuse Fix HTTPDigestAuth handling of redirects after authenticating successfully Fix crash with custom method parameter to Session.request Fix how Link headers are parsed using the regular expression library Documentation** Add more references for interlinking Update CSS for theme Update width of buttons and sidebar Replace references of Gittip with Gratipay Add link to changelog in sidebar
2.4.206 Oct 2014 03:16 bugfix documentation: Improvements** FINALLY! Add json parameter for uploads! Support for bytestring URLs on Python 3.x Bugfixes** Avoid getting stuck in a loop Multiple calls to iter* fail with unhelpful error. Automatically defrag authentication schemes from host/pass URIs. Documentation** Correct redirection introduction Added example of how to send multiple files in one request. Clarify how to pass a custom set of CAs
2.4.110 Sep 2014 03:15 security security bugfix: Now has a "security" package extras set, `` pip install requests`` Requests will now use Certifi if it is available. Capture and re-raise urllib3 ProtocolError Bugfix for responses that attempt to redirect to themselves forever .
2.4.030 Aug 2014 03:15 minor feature: Behavioral Changes** Connection: keep-alive`` header is now sent automatically. Improvements** Support for connect timeouts! Timeout now accepts a tuple which is used to set individual connect and read timeouts. Allow copying of PreparedRequests without headers/cookies. Updated bundled urllib3 version. Refactored settings loading from environment new `Session.merge_environment_settings`. Handle socket errors in iter_content.