
Update http from 3.14.3 #7137

Merged
youknowone merged 15 commits into RustPython:main from ShaharNaveh:upsate-http-servers
Feb 27, 2026
@ShaharNaveh ShaharNaveh commented Feb 14, 2026

Summary by CodeRabbit

  • Bug Fixes
    • Improved SSL password handling to correctly accept an explicitly missing password value and avoid misclassification.
    • Updated error message to clearly indicate valid password types.
    • No public API or signature changes—no breaking changes for integrators.

coderabbitai bot commented Feb 14, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 95821d1 and 5037f97.

📒 Files selected for processing (1)
  • crates/stdlib/src/ssl.rs
🚧 Files skipped from review as they are similar to previous changes (1)
  • crates/stdlib/src/ssl.rs

📝 Walkthrough


Explicit None handling added to SSL password parsing: when the password argument is present but None, the function returns (None, None) immediately. Existing branches for string/bytes-like and callable passwords remain; the invalid-type error message was simplified to require "string or callable".

Changes

| Cohort / File(s) | Summary |
|---|---|
| SSL Password Handling, `crates/stdlib/src/ssl.rs` | Added explicit early-return for present-but-None password arguments; preserved string/bytes-like and callable branches (None-check moved earlier); changed invalid input error text from "password should be a string, bytes, or callable" to "password should be a string or callable". |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 I nudged a None out of the way,
So passwords skip the needless fray.
Branches tidy, messages light,
SSL hops on, snug and bright. ✨🔐

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | The pull request title mentions updating 'http' from 3.14.3, but the actual changes are in crates/stdlib/src/ssl.rs related to password argument handling. The title does not reflect the actual SSL password handling modifications in the changeset. | Update the title to accurately reflect the actual changes, such as 'Fix SSL password argument handling to properly handle None values' or similar. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |


@ShaharNaveh ShaharNaveh marked this pull request as draft February 14, 2026 11:35
github-actions bot commented Feb 16, 2026

📦 Library Dependencies

The following Lib/ modules were modified. Here are their dependencies:

[x] lib: cpython/Lib/http
[x] test: cpython/Lib/test/test_httplib.py (TODO: 2)
[x] test: cpython/Lib/test/test_http_cookiejar.py
[ ] test: cpython/Lib/test/test_http_cookies.py
[x] test: cpython/Lib/test/test_httpservers.py (TODO: 1)

dependencies:

  • http

dependent tests: (23 tests)

  • http: test_docxmlrpc test_genericalias test_hashlib test_http_cookiejar test_http_cookies test_httplib test_httpservers test_logging test_robotparser test_ssl test_ucn test_unicodedata test_urllib test_urllib2 test_urllib2_localnet test_wsgiref test_xml_dom_xmlbuilder test_xmlrpc
    • urllib.request: test_pathlib test_pydoc test_site test_urllib2net test_urllibnet

Legend:

  • [+] path exists in CPython
  • [x] up-to-date, [ ] outdated

@ShaharNaveh ShaharNaveh marked this pull request as ready for review February 26, 2026 14:04

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@crates/stdlib/src/ssl.rs`:
- Around line 2024-2035: The password-handling branch currently accepts UTF-8
strings, bytes-like via ArgBytesLike::try_from_object, or a callable
(p.is_callable), but the error raised in the final Err uses "password should be
a string or callable"; update that error text to list all accepted types (e.g.,
"password should be str, bytes, bytearray, or callable") so callers see the
correct allowed types; locate the matching match/if chain around
ArgBytesLike::try_from_object and the p.is_callable branch and change the
vm.new_type_error message accordingly (refer to ArgBytesLike::try_from_object,
the String::from_utf8 branch, and p.is_callable).

ℹ️ Review info

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 457d328 and 95821d1.

⛔ Files ignored due to path filters (9)
  • Lib/http/__init__.py is excluded by !Lib/**
  • Lib/http/client.py is excluded by !Lib/**
  • Lib/http/cookiejar.py is excluded by !Lib/**
  • Lib/http/cookies.py is excluded by !Lib/**
  • Lib/http/server.py is excluded by !Lib/**
  • Lib/test/test_http_cookiejar.py is excluded by !Lib/**
  • Lib/test/test_http_cookies.py is excluded by !Lib/**
  • Lib/test/test_httplib.py is excluded by !Lib/**
  • Lib/test/test_httpservers.py is excluded by !Lib/**
📒 Files selected for processing (1)
  • crates/stdlib/src/ssl.rs

Comment on lines 2024 to 2035
else if let Ok(pwd_bytes_like) = ArgBytesLike::try_from_object(vm, p.clone())
{
let pwd = String::from_utf8(pwd_bytes_like.borrow_buf().to_vec()).map_err(
|_| vm.new_type_error("password bytes must be valid UTF-8".to_owned()),
)?;
let pwd = String::from_utf8(pwd_bytes_like.borrow_buf().to_vec())
.map_err(|_| vm.new_type_error("password bytes must be valid UTF-8"))?;
Ok((Some(pwd), None))
}
// Try callable
else if p.is_callable() {
Ok((None, Some(p.clone())))
} else {
Err(vm.new_type_error(
"password should be a string, bytes, or callable".to_owned(),
))
Err(vm.new_type_error("password should be a string or callable"))
}
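
Review bot: In the bytes-like branch, `String::from_utf8(pwd_bytes_like.borrow_buf().to_vec())` rejects any passphrase that is not valid UTF-8 and reports it as a TypeError, even though the argument's type was accepted by `ArgBytesLike::try_from_object` one line earlier. A key protected with an arbitrary byte passphrase therefore cannot be loaded through this path. Consider carrying the password as raw bytes (for example `Vec<u8>`) in the first tuple slot instead of `String`, or, if the UTF-8 restriction is intentional, raising a ValueError and documenting the restriction beside the branch. The `to_vec()` call also makes an extra heap copy of the secret before conversion; keeping a single owned buffer would reduce the number of places the passphrase lives in memory.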

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

rg -n "password should be a string or callable|password should be a string, bytes|load_cert_chain|password callback" crates/stdlib/src/ssl.rs

Repository: RustPython/RustPython

Length of output: 714


🌐 Web query:

CPython 3.14 ssl.SSLContext.load_cert_chain password parameter accepted types TypeError message

💡 Result:

In CPython 3.14, ssl.SSLContext.load_cert_chain(certfile, keyfile=None, password=None) accepts password as: str, bytes, bytearray, or a callable (called with no arguments) that returns str, bytes, or bytearray; str is UTF-8 encoded before use. [1]

If you pass an invalid password object (e.g. True), CPython raises TypeError with an error message matching "should be a string" (per the stdlib tests). [2] Historically / in source, this error is phrased like "password should be a string or callable" (wording may vary by version). [3]

If you pass a callable but it returns a wrong type (e.g. 9), CPython raises TypeError with an error message matching "must return a string" (per the stdlib tests). [2]

Sources: Python 3.14.2 ssl docs [1], CPython test_ssl.py expectations [2], CPython _ssl source example wording [3].

[1] (docs.python.org)
[2] (fossies.org)
[3] (gist.github.com)



Update error message to reflect accepted password types.

Line 2024-2028 accepts bytes-like passwords via ArgBytesLike::try_from_object, but the error message at line 2034 only mentions "string or callable". The message should be updated to accurately reflect all accepted types:

Fix
-                        Err(vm.new_type_error("password should be a string or callable"))
+                        Err(vm.new_type_error("password should be a string, bytes, or callable"))
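
Review bot: The replacement string on the `+` line departs from the wording this same comment quotes from CPython's source, "password should be a string or callable". The stdlib test expectation cited above only matches "should be a string", so either wording passes it, but code that compares the full message against CPython's would see a difference. If naming bytes is the goal, add a short comment beside the `Err(...)` stating that the divergence from CPython's text is deliberate.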

This aligns with CPython 3.14's ssl.SSLContext.load_cert_chain(), which also accepts str, bytes, bytearray, or a callable.


Suggested change
else if let Ok(pwd_bytes_like) = ArgBytesLike::try_from_object(vm, p.clone())
{
let pwd = String::from_utf8(pwd_bytes_like.borrow_buf().to_vec()).map_err(
|_| vm.new_type_error("password bytes must be valid UTF-8".to_owned()),
)?;
let pwd = String::from_utf8(pwd_bytes_like.borrow_buf().to_vec())
.map_err(|_| vm.new_type_error("password bytes must be valid UTF-8"))?;
Ok((Some(pwd), None))
}
// Try callable
else if p.is_callable() {
Ok((None, Some(p.clone())))
} else {
Err(vm.new_type_error(
"password should be a string, bytes, or callable".to_owned(),
))
Err(vm.new_type_error("password should be a string or callable"))
}
else if let Ok(pwd_bytes_like) = ArgBytesLike::try_from_object(vm, p.clone())
{
let pwd = String::from_utf8(pwd_bytes_like.borrow_buf().to_vec())
.map_err(|_| vm.new_type_error("password bytes must be valid UTF-8"))?;
Ok((Some(pwd), None))
}
// Try callable
else if p.is_callable() {
Ok((None, Some(p.clone())))
} else {
Err(vm.new_type_error("password should be a string, bytes, or callable"))
}

@youknowone youknowone enabled auto-merge (squash) February 27, 2026 04:41
@youknowone youknowone merged commit 4c25370 into RustPython:main Feb 27, 2026
14 checks passed
youknowone added a commit to youknowone/RustPython that referenced this pull request Mar 22, 2026
* Update `http` from 3.14.3

* Reapply patch

* Update `test/certdata` from 3.14.3

* Revert "Update `test/certdata` from 3.14.3"

This reverts commit fa8fb38.

* Update `test_httpservers.py`

* Reapply long test patch

* Mark failing tests

* Skip flaky test

* Allow password to be None

* Unmark passing test

* Fix error message

* Clippy

---------

Co-authored-by: Jeong, YunWon <69878+youknowone@users.noreply.github.com>