Reject HTTP/1.1 requests without Host header #12264

Merged
Dreamsorcerer merged 9 commits into aio-libs:master from Cycloctane:reject-requests-without-host-header
Apr 13, 2026

Member

@Cycloctane Cycloctane commented Mar 19, 2026

What do these changes do?

  • Make the HTTP parser raise BadHttpMessage when an HTTP/1.1 request does not set the Host header
  • Add test
  • Fix existing tests

Are there changes in behavior for the user?

Is it a substantial burden for the maintainers to support this?

Related issue number

Fixes #10600

Checklist

  • I think the code is well written
  • Unit tests for the changes exist
  • Documentation reflects the changes
  • If you provide code modification, please add yourself to CONTRIBUTORS.txt
  • Add a new news fragment into the CHANGES/ folder

@Cycloctane Cycloctane requested a review from asvetlov as a code owner March 19, 2026 22:56
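
The rule this PR enforces, as an added standard-library illustration (not aiohttp's parser code and not part of the original thread): an HTTP/1.1 request head without a Host header is rejected, while an HTTP/1.0 one is accepted. It goes one step beyond the PR description by also rejecting duplicate Host lines, which RFC 9112 section 3.2 requires; `BadRequest`, `parse_head`, `check_host` and `classify` are hypothetical names, and the sample requests are constructed.

```python
from __future__ import annotations

# Added illustration, not aiohttp's parser code; all names are hypothetical.
class BadRequest(Exception):
    """The request head must be answered with 400 Bad Request."""

def parse_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Return the HTTP version and lower-cased (name, value) header pairs."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete request head")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise BadRequest("malformed request line")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # No colon, empty name, or whitespace around the name is malformed.
        if not colon or not name or name != name.strip():
            raise BadRequest("malformed header line")
        headers.append((name.lower(), value.strip()))
    return parts[2], headers

def check_host(raw: bytes) -> str | None:
    """Return the Host value, or None for a pre-1.1 request without one."""
    version, headers = parse_head(raw)
    hosts = [value for name, value in headers if name == "host"]
    if len(hosts) > 1:
        raise BadRequest("more than one Host header")
    if version == "HTTP/1.1" and not hosts:
        raise BadRequest("HTTP/1.1 request without Host header")
    return hosts[0] if hosts else None

def classify(raw: bytes) -> str:
    """Map a raw request head to 'accept' or the 400 reason."""
    try:
        check_host(raw)
        return "accept"
    except BadRequest as exc:
        return f"400: {exc}"

# Constructed sample request heads.
OK_11 = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
NO_HOST_11 = b"GET / HTTP/1.1\r\nAccept: */*\r\n\r\n"
NO_HOST_10 = b"GET / HTTP/1.0\r\n\r\n"
DUP_HOST = b"GET / HTTP/1.1\r\nHost: a.example\r\nHost: b.example\r\n\r\n"
```

The HTTP/1.0 case is the one to keep in regression tests: a check that rejects every Host-less request would break legacy clients that the rule deliberately leaves alone.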

codspeed-hq bot commented Mar 19, 2026

Merging this PR will degrade performance by 21.87%

⚠️ Different runtime environments detected

Some benchmarks with significant performance changes were compared across different runtime environments,
which may affect the accuracy of the results.

❌ 1 (👁 1) regressed benchmark
✅ 60 untouched benchmarks
⏩ 4 skipped benchmarks [1]

Performance Changes

Benchmark BASE HEAD Efficiency
👁 test_ten_streamed_responses_iter_chunks[pyloop] 119.6 ms 153.1 ms -21.87%

Comparing Cycloctane:reject-requests-without-host-header (a5b1563) with master (bec74bb)

Footnotes

  1. 4 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.


codecov bot commented Mar 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.92%. Comparing base (bec74bb) to head (a5b1563).
⚠️ Report is 1 commits behind head on master.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##           master   #12264   +/-   ##
=======================================
  Coverage   98.92%   98.92%           
=======================================
  Files         133      133           
  Lines       46551    46563   +12     
  Branches     2423     2424    +1     
=======================================
+ Hits        46049    46061   +12     
  Misses        373      373           
  Partials      129      129           
Flag Coverage Δ
CI-GHA 98.98% <100.00%> (-0.01%) ⬇️
OS-Linux 98.72% <100.00%> (+<0.01%) ⬆️
OS-Windows 96.98% <100.00%> (+<0.01%) ⬆️
OS-macOS 97.89% <100.00%> (+<0.01%) ⬆️
Py-3.10.11 97.39% <100.00%> (-0.01%) ⬇️
Py-3.10.20 97.86% <100.00%> (+<0.01%) ⬆️
Py-3.11.15 98.11% <100.00%> (+<0.01%) ⬆️
Py-3.11.9 97.65% <100.00%> (+<0.01%) ⬆️
Py-3.12.10 97.73% <100.00%> (-0.01%) ⬇️
Py-3.12.13 98.20% <100.00%> (-0.01%) ⬇️
Py-3.13.12 98.44% <100.00%> (+<0.01%) ⬆️
Py-3.14.3 98.50% <100.00%> (+<0.01%) ⬆️
Py-3.14.4t 97.51% <100.00%> (+<0.01%) ⬆️
Py-pypy3.11.15-7.3.21 97.34% <98.96%> (+<0.01%) ⬆️
VM-macos 97.89% <100.00%> (+<0.01%) ⬆️
VM-ubuntu 98.72% <100.00%> (+<0.01%) ⬆️
VM-windows 96.98% <100.00%> (+<0.01%) ⬆️
cython-coverage 38.23% <97.02%> (+0.01%) ⬆️

@Cycloctane Cycloctane requested a review from webknjaz as a code owner March 19, 2026 23:12
@psf-chronographer psf-chronographer bot added the bot:chronographer:provided There is a change note present in this PR label Mar 19, 2026
@webknjaz webknjaz requested a review from Dreamsorcerer March 20, 2026 14:11
@webknjaz webknjaz added the bug label Mar 20, 2026
Comment thread aiohttp/_http_parser.pyx
Member

Vizonex commented Apr 5, 2026

@Cycloctane If it helps you any, I'm also bringing this conversation up with llhttp since I believe this is something that llhttp should be able to block at its level if a flag for it is set. nodejs/llhttp#816

@Dreamsorcerer Dreamsorcerer added the backport-3.14 Trigger automatic backporting to the 3.14 release branch by Patchback robot label Apr 13, 2026
@Dreamsorcerer Dreamsorcerer merged commit af05010 into aio-libs:master Apr 13, 2026
47 of 48 checks passed
Contributor

patchback bot commented Apr 13, 2026

Backport to 3.14: 💔 cherry-picking failed — conflicts found

❌ Failed to cleanly apply af05010 on top of patchback/backports/3.14/af05010f61ca9be00a98a0885c8ae213adf4cf45/pr-12264

Backporting merged PR #12264 into master

  1. Ensure you have a local repo clone of your fork. Unless you cloned it
    from the upstream, this would be your origin remote.
  2. Make sure you have an upstream repo added as a remote too. In these
    instructions you'll refer to it by the name upstream. If you don't
    have it, here's how you can add it:
    $ git remote add upstream https://github.com/aio-libs/aiohttp.git
  3. Ensure you have the latest copy of upstream and prepare a branch
    that will hold the backported code:
    $ git fetch upstream
    $ git checkout -b patchback/backports/3.14/af05010f61ca9be00a98a0885c8ae213adf4cf45/pr-12264 upstream/3.14
  4. Now, cherry-pick PR Reject HTTP/1.1 requests without Host header #12264 contents into that branch:
    $ git cherry-pick -x af05010f61ca9be00a98a0885c8ae213adf4cf45
    If it'll yell at you with something like fatal: Commit af05010f61ca9be00a98a0885c8ae213adf4cf45 is a merge but no -m option was given., add -m 1 as follows instead:
    $ git cherry-pick -m1 -x af05010f61ca9be00a98a0885c8ae213adf4cf45
  5. At this point, you'll probably encounter some merge conflicts. You must
    resolve them to preserve the patch from PR Reject HTTP/1.1 requests without Host header #12264 as close to the
    original as possible.
  6. Push this branch to your fork on GitHub:
    $ git push origin patchback/backports/3.14/af05010f61ca9be00a98a0885c8ae213adf4cf45/pr-12264
  7. Create a PR, ensure that the CI is green. If it's not — update it so that
    the tests and any other checks pass. This is it!
    Now relax and wait for the maintainers to process your pull request
    when they have some cycles to do reviews. Don't worry — they'll tell you if
    any improvements are necessary when the time comes!

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

Cycloctane added a commit to Cycloctane/aiohttp that referenced this pull request Apr 13, 2026
Dreamsorcerer pushed a commit that referenced this pull request Apr 13, 2026

Development

Successfully merging this pull request may close these issues.

Issues in Parsing HTTP Request "Host" Header