
Security: Silent Exception Swallowing in Server Request Handler Factory#12332

Merged
Dreamsorcerer merged 4 commits into aio-libs:master from barttran2k:contribai/fix/security/silent-exception-swallowing-in-server-re
Apr 14, 2026

Conversation

@barttran2k
Contributor

Problem

The Server.__call__ method catches TypeError broadly and silently retries handler creation with filtered kwargs. This could mask legitimate configuration errors or security-relevant misconfigurations, making debugging difficult and potentially allowing the server to start with an insecure or unexpected configuration.

Severity: low
File: aiohttp/web_server.py

Solution

Log a warning when falling back to the failsafe creation path so that misconfiguration is visible to operators. Consider narrowing the exception handling or deprecating this failsafe behavior.

Changes

  • aiohttp/web_server.py (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

Affected files: web_server.py

Signed-off-by: Trần Bách <45133811+barttran2k@users.noreply.github.com>
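The two factory shapes the description contrasts, as an added example that is neither aiohttp's code nor part of this PR: a stand-in `RequestHandler` whose constructor validates a `keepalive_timeout` kwarg, a `create_handler_silent` factory that catches `TypeError` and retries with an allow-listed subset of kwargs, and a `create_handler_checked` factory that decides from the constructor's signature which kwargs to drop, logs the drop, and lets every other `TypeError` propagate. The class names, the `FAILSAFE_KEYS` allow-list and the logger name are assumptions made for the illustration. A string passed as `keepalive_timeout` raises `TypeError` from inside the constructor; the silent factory mistakes that for an unsupported-kwarg error, drops the setting and starts with the default, which is the masking the description warns about.

```python
"""Silent vs. visible fallback when a handler factory is given kwargs that the
handler class rejects.  Illustrative code only: RequestHandler, FAILSAFE_KEYS
and the logger name are stand-ins, not aiohttp's classes or settings."""
import inspect
import logging

logger = logging.getLogger("handler_factory")

# Stand-in protocol class.  keepalive_timeout is validated at construction
# time, so a wrongly typed value raises TypeError from *inside* __init__,
# not from the call site's keyword matching.
class RequestHandler:
    def __init__(self, server, *, debug=False, keepalive_timeout=75.0):
        if keepalive_timeout <= 0:  # TypeError if a str was passed
            raise ValueError("keepalive_timeout must be positive")
        self.server = server
        self.debug = debug
        self.keepalive_timeout = keepalive_timeout


FAILSAFE_KEYS = ("debug",)  # assumed allow-list for the fallback path


def create_handler_silent(server, kwargs):
    """Before: any TypeError, whatever its origin, triggers the fallback and
    the operator never learns that their settings were thrown away."""
    try:
        return RequestHandler(server, **kwargs)
    except TypeError:
        safe = {k: v for k, v in kwargs.items() if k in FAILSAFE_KEYS}
        return RequestHandler(server, **safe)


def filter_unsupported_kwargs(cls, kwargs):
    """Split kwargs into (accepted, dropped) by inspecting cls's constructor
    signature instead of catching TypeError.  Returns dropped as a sorted list."""
    params = inspect.signature(cls).parameters
    if any(p.kind is inspect.Parameter.VAR_KEYWORD for p in params.values()):
        return dict(kwargs), []  # **kwargs accepts everything; nothing to drop
    dropped = sorted(k for k in kwargs if k not in params)
    accepted = {k: v for k, v in kwargs.items() if k in params}
    return accepted, dropped


def create_handler_checked(server, kwargs):
    """After: the fallback is explicit and logged; a TypeError raised by the
    constructor itself (a real misconfiguration) propagates to the caller."""
    accepted, dropped = filter_unsupported_kwargs(RequestHandler, kwargs)
    if dropped:
        logger.warning(
            "%s does not accept handler kwargs %s; ignoring them",
            RequestHandler.__name__, dropped,
        )
    return RequestHandler(server, **accepted)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    server = object()  # constructed placeholder for the owning server
    h = create_handler_silent(server, {"keepalive_timeout": "75"})
    print("silent path started with keepalive_timeout =", h.keepalive_timeout)
    try:
        create_handler_checked(server, {"keepalive_timeout": "75"})
    except TypeError as exc:
        print("checked path surfaced the misconfiguration:", exc)
    create_handler_checked(server, {"debug": True, "bogus": 1})  # logs a warning
```

The signature check is the narrowing the description suggests: it only ever drops names the constructor provably does not take, so a `TypeError` that survives is a genuine bug or misconfiguration. A constructor declared with `**kwargs` defeats the check, which is why `filter_unsupported_kwargs` refuses to filter in that case rather than guessing.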
@barttran2k barttran2k requested a review from asvetlov as a code owner April 7, 2026 00:48
@codecov

codecov bot commented Apr 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.92%. Comparing base (47558a3) to head (7589f2f).
⚠️ Report is 13 commits behind head on master.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #12332      +/-   ##
==========================================
- Coverage   99.11%   98.92%   -0.20%     
==========================================
  Files         130      133       +3     
  Lines       45609    46565     +956     
  Branches     2405     2424      +19     
==========================================
+ Hits        45207    46063     +856     
- Misses        272      373     +101     
+ Partials      130      129       -1     
Flag                       Coverage             Δ
CI-GHA                     98.98% <100.00%>     (+<0.01%) ⬆️
OS-Linux                   98.72% <100.00%>     (+<0.01%) ⬆️
OS-Windows                 96.98% <100.00%>     (+0.02%) ⬆️
OS-macOS                   97.88% <100.00%>     (+<0.01%) ⬆️
Py-3.10.11                 97.39% <100.00%>     (-0.04%) ⬇️
Py-3.10.20                 97.86% <100.00%>     (-0.04%) ⬇️
Py-3.11.15                 98.11% <100.00%>     (+0.01%) ⬆️
Py-3.11.9                  97.65% <100.00%>     (+0.01%) ⬆️
Py-3.12.10                 97.73% <100.00%>     (+0.01%) ⬆️
Py-3.12.13                 98.20% <100.00%>     (+<0.01%) ⬆️
Py-3.13.12                 98.45% <100.00%>     (+<0.01%) ⬆️
Py-3.14.3                  98.51% <100.00%>     (+<0.01%) ⬆️
Py-3.14.3t                 ?
Py-3.14.4t                 97.51% <100.00%>     (?)
Py-pypy3.11.15-7.3.21      97.34% <100.00%>     (-0.04%) ⬇️
VM-macos                   97.88% <100.00%>     (+<0.01%) ⬆️
VM-ubuntu                  98.72% <100.00%>     (+<0.01%) ⬆️
VM-windows                 96.98% <100.00%>     (+0.02%) ⬆️
cython-coverage            38.22% <0.00%>       (?)

Flags with carried forward coverage won't be shown.

@codspeed-hq

codspeed-hq bot commented Apr 7, 2026

Merging this PR will not alter performance

✅ 61 untouched benchmarks
⏩ 4 skipped benchmarks [1]


Comparing barttran2k:contribai/fix/security/silent-exception-swallowing-in-server-re (7589f2f) with master (07bd8c1)


Footnotes

  1. 4 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

Comment thread aiohttp/web_server.py Outdated
@Dreamsorcerer Dreamsorcerer added the labels bot:chronographer:skip (This PR does not need to include a change note) and backport-3.14 (Trigger automatic backporting to the 3.14 release branch by Patchback robot) Apr 13, 2026
@Dreamsorcerer Dreamsorcerer merged commit 06e510b into aio-libs:master Apr 14, 2026
47 of 48 checks passed
@patchback
Contributor

patchback bot commented Apr 14, 2026

Backport to 3.14: 💚 backport PR created

✅ Backport PR branch: patchback/backports/3.14/06e510b2be211f2a1e3a37ed7bea0a3b5cf2906e/pr-12332

Backported as #12370

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

patchback bot pushed a commit that referenced this pull request Apr 14, 2026
…ry (#12332)

Signed-off-by: Trần Bách <45133811+barttran2k@users.noreply.github.com>
Co-authored-by: Sam Bull <git@sambull.org>
(cherry picked from commit 06e510b)
Dreamsorcerer added a commit that referenced this pull request Apr 14, 2026
…wing in Server Request Handler Factory (#12370)

**This is a backport of PR #12332 as merged into master
(06e510b).**

Signed-off-by: Trần Bách <45133811+barttran2k@users.noreply.github.com>
Co-authored-by: Trần Bách <45133811+barttran2k@users.noreply.github.com>
Co-authored-by: Sam Bull <git@sambull.org>