Skip to content

Fix: AsyncTunnelHTTPConnection leaks connection on handshake failure #1056

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
drshvik wants to merge 4 commits into
base: master
Choose a base branch
from
+276 −166
Open

Fix: AsyncTunnelHTTPConnection leaks connection on handshake failure #1056

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
d127987
Fix: Pass timeout to SOCKS5 handshake to prevent hanging
drshvik Jan 30, 2026
3d39b82
Fix: Apply ruff formatting
drshvik Jan 30, 2026
794bc96
Fix: Run unasync and ruff formatting
drshvik Jan 30, 2026
eb9b818
Fix: AsyncTunnelHTTPConnection leaks connection on handshake failure
drshvik Jan 31, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
108 changes: 58 additions & 50 deletions httpcore/_async/http_proxy.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -285,61 +285,69 @@ async def handle_async_request(self, request: Request) -> Response:
headers=connect_headers,
extensions=request.extensions,
)
connect_response = await self._connection.handle_async_request(
connect_request
)

if connect_response.status < 200 or connect_response.status > 299:
reason_bytes = connect_response.extensions.get("reason_phrase", b"")
reason_str = reason_bytes.decode("ascii", errors="ignore")
msg = "%d %s" % (connect_response.status, reason_str)
await self._connection.aclose()
raise ProxyError(msg)

stream = connect_response.extensions["network_stream"]

# Upgrade the stream to SSL
ssl_context = (
default_ssl_context()
if self._ssl_context is None
else self._ssl_context
)
alpn_protocols = ["http/1.1", "h2"] if self._http2 else ["http/1.1"]
ssl_context.set_alpn_protocols(alpn_protocols)

kwargs = {
"ssl_context": ssl_context,
"server_hostname": self._remote_origin.host.decode("ascii"),
"timeout": timeout,
}
async with Trace("start_tls", logger, request, kwargs) as trace:
stream = await stream.start_tls(**kwargs)
trace.return_value = stream

# Determine if we should be using HTTP/1.1 or HTTP/2
ssl_object = stream.get_extra_info("ssl_object")
http2_negotiated = (
ssl_object is not None
and ssl_object.selected_alpn_protocol() == "h2"
)

# Create the HTTP/1.1 or HTTP/2 connection
if http2_negotiated or (self._http2 and not self._http1):
from .http2 import AsyncHTTP2Connection
try:
connect_response = await self._connection.handle_async_request(
connect_request
)

self._connection = AsyncHTTP2Connection(
origin=self._remote_origin,
stream=stream,
keepalive_expiry=self._keepalive_expiry,
if connect_response.status < 200 or connect_response.status > 299:
reason_bytes = connect_response.extensions.get(
"reason_phrase", b""
)
reason_str = reason_bytes.decode("ascii", errors="ignore")
msg = "%d %s" % (connect_response.status, reason_str)
await self._connection.aclose()
raise ProxyError(msg)

stream = connect_response.extensions["network_stream"]

# Upgrade the stream to SSL
ssl_context = (
default_ssl_context()
if self._ssl_context is None
else self._ssl_context
)
else:
self._connection = AsyncHTTP11Connection(
origin=self._remote_origin,
stream=stream,
keepalive_expiry=self._keepalive_expiry,
alpn_protocols = ["http/1.1", "h2"] if self._http2 else ["http/1.1"]
ssl_context.set_alpn_protocols(alpn_protocols)

kwargs = {
"ssl_context": ssl_context,
"server_hostname": self._remote_origin.host.decode("ascii"),
"timeout": timeout,
}
async with Trace("start_tls", logger, request, kwargs) as trace:
stream = await stream.start_tls(**kwargs)
trace.return_value = stream

# Determine if we should be using HTTP/1.1 or HTTP/2
ssl_object = stream.get_extra_info("ssl_object")
http2_negotiated = (
ssl_object is not None
and ssl_object.selected_alpn_protocol() == "h2"
)

self._connected = True
# Create the HTTP/1.1 or HTTP/2 connection
if http2_negotiated or (self._http2 and not self._http1):
from .http2 import AsyncHTTP2Connection

self._connection = AsyncHTTP2Connection(
origin=self._remote_origin,
stream=stream,
keepalive_expiry=self._keepalive_expiry,
)
else:
self._connection = AsyncHTTP11Connection(
origin=self._remote_origin,
stream=stream,
keepalive_expiry=self._keepalive_expiry,
)

self._connected = True
except Exception:
await self._connection.aclose()
raise

return await self._connection.handle_async_request(request)

def can_handle_request(self, origin: Origin) -> bool:
Expand Down
47 changes: 14 additions & 33 deletions httpcore/_async/socks_proxy.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ async def _init_socks5_connection(
host: bytes,
port: int,
auth: tuple[bytes, bytes] | None = None,
timeout: float | None = None, # <--- FIX 1: Add timeout argument
) -> None:
conn = socksio.socks5.SOCKS5Connection()

Expand All @@ -56,10 +57,12 @@ async def _init_socks5_connection(
)
conn.send(socksio.socks5.SOCKS5AuthMethodsRequest([auth_method]))
outgoing_bytes = conn.data_to_send()
await stream.write(outgoing_bytes)
await stream.write(outgoing_bytes, timeout=timeout) # <--- FIX 2: Pass timeout

# Auth method response
incoming_bytes = await stream.read(max_bytes=4096)
incoming_bytes = await stream.read(
max_bytes=4096, timeout=timeout
) # <--- FIX 3: Pass timeout
response = conn.receive_data(incoming_bytes)
assert isinstance(response, socksio.socks5.SOCKS5AuthReply)
if response.method != auth_method:
Expand All @@ -75,10 +78,12 @@ async def _init_socks5_connection(
username, password = auth
conn.send(socksio.socks5.SOCKS5UsernamePasswordRequest(username, password))
outgoing_bytes = conn.data_to_send()
await stream.write(outgoing_bytes)
await stream.write(outgoing_bytes, timeout=timeout) # <--- FIX 4: Pass timeout

# Username/password response
incoming_bytes = await stream.read(max_bytes=4096)
incoming_bytes = await stream.read(
max_bytes=4096, timeout=timeout
) # <--- FIX 5: Pass timeout
response = conn.receive_data(incoming_bytes)
assert isinstance(response, socksio.socks5.SOCKS5UsernamePasswordReply)
if not response.success:
Expand All @@ -91,10 +96,12 @@ async def _init_socks5_connection(
)
)
outgoing_bytes = conn.data_to_send()
await stream.write(outgoing_bytes)
await stream.write(outgoing_bytes, timeout=timeout) # <--- FIX 6: Pass timeout

# Connect response
incoming_bytes = await stream.read(max_bytes=4096)
incoming_bytes = await stream.read(
max_bytes=4096, timeout=timeout
) # <--- FIX 7: Pass timeout
response = conn.receive_data(incoming_bytes)
assert isinstance(response, socksio.socks5.SOCKS5Reply)
if response.reply_code != socksio.socks5.SOCKS5ReplyCode.SUCCEEDED:
Expand Down Expand Up @@ -122,33 +129,6 @@ def __init__(
) -> None:
"""
A connection pool for making HTTP requests.

Parameters:
proxy_url: The URL to use when connecting to the proxy server.
For example `"http://127.0.0.1:8080/"`.
ssl_context: An SSL context to use for verifying connections.
If not specified, the default `httpcore.default_ssl_context()`
will be used.
max_connections: The maximum number of concurrent HTTP connections that
the pool should allow. Any attempt to send a request on a pool that
would exceed this amount will block until a connection is available.
max_keepalive_connections: The maximum number of idle HTTP connections
that will be maintained in the pool.
keepalive_expiry: The duration in seconds that an idle HTTP connection
may be maintained for before being expired from the pool.
http1: A boolean indicating if HTTP/1.1 requests should be supported
by the connection pool. Defaults to True.
http2: A boolean indicating if HTTP/2 requests should be supported by
the connection pool. Defaults to False.
retries: The maximum number of retries when trying to establish
a connection.
local_address: Local address to connect from. Can also be used to
connect using a particular address family. Using
`local_address="0.0.0.0"` will connect using an `AF_INET` address
(IPv4), while using `local_address="::"` will connect using an
`AF_INET6` address (IPv6).
uds: Path to a Unix Domain Socket to use instead of TCP sockets.
network_backend: A backend instance to use for handling network I/O.
"""
super().__init__(
ssl_context=ssl_context,
Expand Down Expand Up @@ -237,6 +217,7 @@ async def handle_async_request(self, request: Request) -> Response:
"host": self._remote_origin.host.decode("ascii"),
"port": self._remote_origin.port,
"auth": self._proxy_auth,
"timeout": timeout, # <--- FIX 8: Pass timeout argument
}
async with Trace(
"setup_socks5_connection", logger, request, kwargs
Expand Down
108 changes: 58 additions & 50 deletions httpcore/_sync/http_proxy.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -285,61 +285,69 @@ def handle_request(self, request: Request) -> Response:
headers=connect_headers,
extensions=request.extensions,
)
connect_response = self._connection.handle_request(
connect_request
)

if connect_response.status < 200 or connect_response.status > 299:
reason_bytes = connect_response.extensions.get("reason_phrase", b"")
reason_str = reason_bytes.decode("ascii", errors="ignore")
msg = "%d %s" % (connect_response.status, reason_str)
self._connection.close()
raise ProxyError(msg)

stream = connect_response.extensions["network_stream"]

# Upgrade the stream to SSL
ssl_context = (
default_ssl_context()
if self._ssl_context is None
else self._ssl_context
)
alpn_protocols = ["http/1.1", "h2"] if self._http2 else ["http/1.1"]
ssl_context.set_alpn_protocols(alpn_protocols)

kwargs = {
"ssl_context": ssl_context,
"server_hostname": self._remote_origin.host.decode("ascii"),
"timeout": timeout,
}
with Trace("start_tls", logger, request, kwargs) as trace:
stream = stream.start_tls(**kwargs)
trace.return_value = stream

# Determine if we should be using HTTP/1.1 or HTTP/2
ssl_object = stream.get_extra_info("ssl_object")
http2_negotiated = (
ssl_object is not None
and ssl_object.selected_alpn_protocol() == "h2"
)

# Create the HTTP/1.1 or HTTP/2 connection
if http2_negotiated or (self._http2 and not self._http1):
from .http2 import HTTP2Connection
try:
connect_response = self._connection.handle_request(
connect_request
)

self._connection = HTTP2Connection(
origin=self._remote_origin,
stream=stream,
keepalive_expiry=self._keepalive_expiry,
if connect_response.status < 200 or connect_response.status > 299:
reason_bytes = connect_response.extensions.get(
"reason_phrase", b""
)
reason_str = reason_bytes.decode("ascii", errors="ignore")
msg = "%d %s" % (connect_response.status, reason_str)
self._connection.close()
raise ProxyError(msg)

stream = connect_response.extensions["network_stream"]

# Upgrade the stream to SSL
ssl_context = (
default_ssl_context()
if self._ssl_context is None
else self._ssl_context
)
else:
self._connection = HTTP11Connection(
origin=self._remote_origin,
stream=stream,
keepalive_expiry=self._keepalive_expiry,
alpn_protocols = ["http/1.1", "h2"] if self._http2 else ["http/1.1"]
ssl_context.set_alpn_protocols(alpn_protocols)

kwargs = {
"ssl_context": ssl_context,
"server_hostname": self._remote_origin.host.decode("ascii"),
"timeout": timeout,
}
with Trace("start_tls", logger, request, kwargs) as trace:
stream = stream.start_tls(**kwargs)
trace.return_value = stream

# Determine if we should be using HTTP/1.1 or HTTP/2
ssl_object = stream.get_extra_info("ssl_object")
http2_negotiated = (
ssl_object is not None
and ssl_object.selected_alpn_protocol() == "h2"
)

self._connected = True
# Create the HTTP/1.1 or HTTP/2 connection
if http2_negotiated or (self._http2 and not self._http1):
from .http2 import HTTP2Connection

self._connection = HTTP2Connection(
origin=self._remote_origin,
stream=stream,
keepalive_expiry=self._keepalive_expiry,
)
else:
self._connection = HTTP11Connection(
origin=self._remote_origin,
stream=stream,
keepalive_expiry=self._keepalive_expiry,
)

self._connected = True
except Exception:
self._connection.close()
raise

return self._connection.handle_request(request)

def can_handle_request(self, origin: Origin) -> bool:
Expand Down
Loading