Security Issue: Update h11 Package in httpx to >=0.16.0 Due to Malformed Chunked-Encoding Vulnerability #3560
1 comment, 3 replies

Comment:
This has been raised. We're open to serious conversations only.
Original post:

Summary:
It has come to my attention that httpx currently uses an outdated version of the h11 package, which is vulnerable to malformed Chunked-Encoding bodies. This vulnerability has been addressed in h11 version >=0.16.0 and poses a security risk.
According to the advisory GHSA-vqfr-h8mv-ghfj, the earlier versions of h11 are vulnerable to malformed Chunked-Encoding bodies.

Current Situation:
httpcore (which httpx depends on) has already upgraded its dependency on h11 to >=0.16.0, addressing the issue.
However, httpx has not yet upgraded to a safe version of h11.

Suggested Approach:
I suggest updating the h11 dependency in the httpx package to >=0.16.0, which will resolve this vulnerability and bring it in line with httpcore.

Impact:
The issue is marked as a security vulnerability, and this update is critical for ensuring the safety and integrity of httpx users.
Failing to upgrade may expose applications using httpx to potential exploits due to the Chunked-Encoding vulnerability in earlier versions of h11.

Additional Information:
httpcore already uses httpx, which in turn uses h11. httpcore has successfully upgraded to h11 >=0.16.0.
httpx should follow suit to ensure compatibility and security.
Please consider marking this issue as important and addressing it with a high priority, given the security implications.
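One way to check a project against the floor the post asks for (h11 >=0.16.0), as an added example that is not part of this discussion or of the httpx/httpcore code: a small stdlib-only audit that flags h11 requirement lines whose specifier does not guarantee the patched release and that inspects the h11 installed in the running interpreter. The sample requirements text and the package name `other` are constructed.

```python
"""Audit h11 requirement pins against the floor the post asks for (>=0.16.0).
Added example, not part of the discussion or of httpx/httpcore; the sample
requirements text is constructed."""
import re
from importlib import metadata

SAFE_FLOOR = (0, 16, 0)  # first h11 release the post names as patched
# package name, optional operator, optional numeric version (first specifier only)
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9.]*)?")


def version_key(text):
    """'0.16' -> (0, 16, 0). Pre-release tags (rc1, b2) are not modelled."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def h11_pin_is_safe(line):
    """True/False for an h11 requirement line; None if the line is not h11."""
    m = _REQ_RE.match(line)
    if not m or m.group(1).lower() != "h11":
        return None
    op, ver = m.group(2), m.group(3)
    if op is None or ver is None:
        return False  # unconstrained: nothing guarantees the patched release
    if op in ("==", ">=", ">", "~="):
        return version_key(ver) >= SAFE_FLOOR
    return False  # <, <=, != never guarantee a minimum version


def audit_requirements(text):
    """Map each h11 line of a requirements/constraints file to its verdict."""
    report = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        verdict = h11_pin_is_safe(line) if line else None
        if verdict is not None:
            report[line] = verdict
    return report


def installed_h11_is_safe():
    """Check the running interpreter's h11; None when it is not installed."""
    try:
        return version_key(metadata.version("h11")) >= SAFE_FLOOR
    except metadata.PackageNotFoundError:
        return None


SAMPLE = "h11==0.14.0  # constructed: vulnerable pin\nh11>=0.16.0\nother==1.0\n"
```

Calling `audit_requirements(SAMPLE)` yields `{"h11==0.14.0": False, "h11>=0.16.0": True}`; the unrelated package is skipped, and a bare `h11` line with no specifier is reported as not guaranteed.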