Relax HTTP method validation in UrlDispatcher.

[wolfhechel]

What do these changes do?

This pull request changes the HTTP method validation procedure in AbstractRoute.
Previously only "safe HTTP methods" were allowed which made developing unusual
services communicating over HTTP with custom methods (such as WebDAV and UPnP)
impossible without monkey-patching.

The new method AbstractRoute.validate_method() matches the method against a regex compliant with the RFC 2616 specification of a "token".

Are there changes in behavior for the user?

The only change in behavior is what input raises a ValueError now, this has not been documented anywhere as far as I could tell hence no changes has been documented in the end-user API docs.

Related issue number

#951

Checklist

• I think the code is well written
• Unit tests for the changes exist
• Documentation reflects the changes

Previously the validation only compared against "safe HTTP methods",
now we validate against the allowed character-set defined in
RFC 2616 section 5.1.1.

[wolfhechel]

Okay so I got the object name wrong, the change was in AbstractRoute, not in UrlDispatcher.
Sorry about that!

[coveralls]

Coverage increased (+0.0006%) to 97.942% when pulling 6a58c57 on wolfhechel:relax_http_method_validation into 8f0a5ea on KeepSafe:master.

[asvetlov]

Cool!
Would you relax client validation as well?

[asvetlov]

Hmm. After rethinking I've decided to remove validate_method() and inline regexp check.

The reason is: I don't want to expose yet another hook and don't want to document it.
I doubt we will find many usages for stricter validations: users may override method for relaxing validation rules but never do it for making system stronger.

Fixed by df7b41b

[wolfhechel]

It's cool, it's just a habit of mine to separate this kind of logical step in case in the future additional checks not coverable by a single line is required.

Out of curiosity, do you document "protected" methods as well?

Although I realise the naming of the method does not indicate it being protected.

[wolfhechel]

Where does the client validation live by the way? As far as I can tell there's no such validation.
Also while digging in the code I noticed, there doesn't seem to be a user-exposed way to perform arbitrary HTTP requests anyway.
The only methods allowed to be sent are the ones exposed through get, post, delete etc. methods from ClientSession.

I think there should be a request() method as well which allows the user to form his/her requests manually. Or did I miss this completely?

[lock]

This thread has been automatically locked since there has not been
any recent activity after it was closed. Please open a new issue for
related bugs.

If you feel like there's important points made in this discussion,
please include those exceprts into that new issue.