encode · cdeler · Oct 30, 2020 · Oct 14, 2020 · Oct 16, 2020 · Oct 17, 2020
diff --git a/httpcore/_async/http_proxy.py b/httpcore/_async/http_proxy.py
@@ -207,41 +207,51 @@ async def _tunnel_request(
             connect_url = self.proxy_origin + (target,)
             connect_headers = [(b"Host", target), (b"Accept", b"*/*")]
             connect_headers = merge_headers(connect_headers, self.proxy_headers)
-            (proxy_status_code, _, proxy_stream, _) = await proxy_connection.arequest(
-                b"CONNECT", connect_url, headers=connect_headers, ext=ext
-            )
 
-            proxy_reason = get_reason_phrase(proxy_status_code)
-            logger.trace(
-                "tunnel_response proxy_status_code=%r proxy_reason=%r ",
-                proxy_status_code,
-                proxy_reason,
-            )
-            # Read the response data without closing the socket
-            async for _ in proxy_stream:
-                pass
-
-            # See if the tunnel was successfully established.
-            if proxy_status_code < 200 or proxy_status_code > 299:
-                msg = "%d %s" % (proxy_status_code, proxy_reason)
-                raise ProxyError(msg)
-
-            # Upgrade to TLS if required
-            # We assume the target speaks TLS on the specified port
-            if scheme == b"https":
-                await proxy_connection.start_tls(host, timeout)
-
-            # The CONNECT request is successful, so we have now SWITCHED PROTOCOLS.
-            # This means the proxy connection is now unusable, and we must create
-            # a new one for regular requests, making sure to use the same socket to
-            # retain the tunnel.
-            connection = AsyncHTTPConnection(
-                origin=origin,
-                http2=self._http2,
-                ssl_context=self._ssl_context,
-                socket=proxy_connection.socket,
-            )
-            await self._add_to_pool(connection, timeout)
+            try:
+                (
+                    proxy_status_code,
+                    _,
+                    proxy_stream,
+                    _,
+                ) = await proxy_connection.arequest(
+                    b"CONNECT", connect_url, headers=connect_headers, ext=ext
+                )
+
+                proxy_reason = get_reason_phrase(proxy_status_code)
+                logger.trace(
+                    "tunnel_response proxy_status_code=%r proxy_reason=%r ",
+                    proxy_status_code,
+                    proxy_reason,
+                )
+                # Read the response data without closing the socket
+                async for _ in proxy_stream:
+                    pass
+
+                # See if the tunnel was successfully established.
+                if proxy_status_code < 200 or proxy_status_code > 299:
+                    msg = "%d %s" % (proxy_status_code, proxy_reason)
+                    raise ProxyError(msg)
+
+                # Upgrade to TLS if required
+                # We assume the target speaks TLS on the specified port
+                if scheme == b"https":
+                    await proxy_connection.start_tls(host, timeout)
+
+                # The CONNECT request is successful, so we have now SWITCHED PROTOCOLS.
+                # This means the proxy connection is now unusable, and we must create
+                # a new one for regular requests, making sure to use the same socket to
+                # retain the tunnel.
+                connection = AsyncHTTPConnection(
+                    origin=origin,
+                    http2=self._http2,
+                    ssl_context=self._ssl_context,
+                    socket=proxy_connection.socket,
+                )
+                await self._add_to_pool(connection, timeout)
+            except Exception:
+                await proxy_connection.aclose()
+                raise
 
         # Once the connection has been established we can send requests on
         # it as normal.

diff --git a/httpcore/_sync/http_proxy.py b/httpcore/_sync/http_proxy.py
@@ -207,41 +207,51 @@ def _tunnel_request(
             connect_url = self.proxy_origin + (target,)
             connect_headers = [(b"Host", target), (b"Accept", b"*/*")]
             connect_headers = merge_headers(connect_headers, self.proxy_headers)
-            (proxy_status_code, _, proxy_stream, _) = proxy_connection.request(
-                b"CONNECT", connect_url, headers=connect_headers, ext=ext
-            )
 
-            proxy_reason = get_reason_phrase(proxy_status_code)
-            logger.trace(
-                "tunnel_response proxy_status_code=%r proxy_reason=%r ",
-                proxy_status_code,
-                proxy_reason,
-            )
-            # Read the response data without closing the socket
-            for _ in proxy_stream:
-                pass
-
-            # See if the tunnel was successfully established.
-            if proxy_status_code < 200 or proxy_status_code > 299:
-                msg = "%d %s" % (proxy_status_code, proxy_reason)
-                raise ProxyError(msg)
-
-            # Upgrade to TLS if required
-            # We assume the target speaks TLS on the specified port
-            if scheme == b"https":
-                proxy_connection.start_tls(host, timeout)
-
-            # The CONNECT request is successful, so we have now SWITCHED PROTOCOLS.
-            # This means the proxy connection is now unusable, and we must create
-            # a new one for regular requests, making sure to use the same socket to
-            # retain the tunnel.
-            connection = SyncHTTPConnection(
-                origin=origin,
-                http2=self._http2,
-                ssl_context=self._ssl_context,
-                socket=proxy_connection.socket,
-            )
-            self._add_to_pool(connection, timeout)
+            try:
+                (
+                    proxy_status_code,
+                    _,
+                    proxy_stream,
+                    _,
+                ) = proxy_connection.request(
+                    b"CONNECT", connect_url, headers=connect_headers, ext=ext
+                )
+
+                proxy_reason = get_reason_phrase(proxy_status_code)
+                logger.trace(
+                    "tunnel_response proxy_status_code=%r proxy_reason=%r ",
+                    proxy_status_code,
+                    proxy_reason,
+                )
+                # Read the response data without closing the socket
+                for _ in proxy_stream:
+                    pass
+
+                # See if the tunnel was successfully established.
+                if proxy_status_code < 200 or proxy_status_code > 299:
+                    msg = "%d %s" % (proxy_status_code, proxy_reason)
+                    raise ProxyError(msg)
+
+                # Upgrade to TLS if required
+                # We assume the target speaks TLS on the specified port
+                if scheme == b"https":
+                    proxy_connection.start_tls(host, timeout)
+
+                # The CONNECT request is successful, so we have now SWITCHED PROTOCOLS.
+                # This means the proxy connection is now unusable, and we must create
+                # a new one for regular requests, making sure to use the same socket to
+                # retain the tunnel.
+                connection = SyncHTTPConnection(
+                    origin=origin,
+                    http2=self._http2,
+                    ssl_context=self._ssl_context,
+                    socket=proxy_connection.socket,
+                )
+                self._add_to_pool(connection, timeout)
+            except Exception:
+                proxy_connection.close()
+                raise
 
         # Once the connection has been established we can send requests on
         # it as normal.

diff --git a/tests/async_tests/test_interfaces.py b/tests/async_tests/test_interfaces.py
@@ -191,6 +191,36 @@ async def test_http_proxy(
         assert ext == {"http_version": "HTTP/1.1", "reason": "OK"}
 
 
+@pytest.mark.parametrize("proxy_mode", ["DEFAULT", "FORWARD_ONLY", "TUNNEL_ONLY"])
+@pytest.mark.parametrize("protocol,port", [(b"http", 80), (b"https", 443)])
+@pytest.mark.trio
+async def test_proxy_socket_does_not_leak_when_the_connection_hasnt_been_added_to_pool(
+    proxy_server: URL,
+    server: Server,
+    proxy_mode: str,
+    protocol: bytes,
+    port: int,
+):
+    method = b"GET"
+    url = (protocol, b"example.com", port, b"/")
+    headers = [(b"host", b"example.org")]
+
+    with pytest.warns(None) as recorded_warnings:
+        async with httpcore.AsyncHTTPProxy(proxy_server, proxy_mode=proxy_mode) as http:
+            for _ in range(100):
+                try:
+                    _ = await http.arequest(method, url, headers)
+                except httpcore.RemoteProtocolError:
+                    pass
+
+    # have to filter out https://github.com/encode/httpx/issues/825 from other tests
+    warnings_list = [
+        *filter(lambda warn: "asyncio" not in warn.filename, recorded_warnings.list)
+    ]
+
+    assert len(warnings_list) == 0
+
+
 @pytest.mark.anyio
 async def test_http_request_local_address(backend: str, server: Server) -> None:
     if backend == "auto" and lookup_async_backend() == "trio":

diff --git a/tests/sync_tests/test_interfaces.py b/tests/sync_tests/test_interfaces.py
@@ -191,6 +191,36 @@ def test_http_proxy(
         assert ext == {"http_version": "HTTP/1.1", "reason": "OK"}
 
 
+@pytest.mark.parametrize("proxy_mode", ["DEFAULT", "FORWARD_ONLY", "TUNNEL_ONLY"])
+@pytest.mark.parametrize("protocol,port", [(b"http", 80), (b"https", 443)])
+
+def test_proxy_socket_does_not_leak_when_the_connection_hasnt_been_added_to_pool(
+    proxy_server: URL,
+    server: Server,
+    proxy_mode: str,
+    protocol: bytes,
+    port: int,
+):
+    method = b"GET"
+    url = (protocol, b"example.com", port, b"/")
+    headers = [(b"host", b"example.org")]
+
+    with pytest.warns(None) as recorded_warnings:
+        with httpcore.SyncHTTPProxy(proxy_server, proxy_mode=proxy_mode) as http:
+            for _ in range(100):
+                try:
+                    _ = http.request(method, url, headers)
+                except httpcore.RemoteProtocolError:
+                    pass
+
+    # have to filter out https://github.com/encode/httpx/issues/825 from other tests
+    warnings_list = [
+        *filter(lambda warn: "asyncio" not in warn.filename, recorded_warnings.list)
+    ]
+
+    assert len(warnings_list) == 0
+
+
 
 def test_http_request_local_address(backend: str, server: Server) -> None:
     if backend == "sync" and lookup_sync_backend() == "trio":

diff --git a/tests/utils.py b/tests/utils.py
@@ -1,8 +1,9 @@
 import contextlib
 import socket
 import subprocess
+import tempfile
 import time
-from typing import Tuple
+from typing import List, Tuple
 
 import sniffio
 
@@ -48,13 +49,34 @@ def host_header(self) -> Tuple[bytes, bytes]:
 def http_proxy_server(proxy_host: str, proxy_port: int):
 
     proc = None
-    try:
-        command = ["pproxy", "-l", f"http://{proxy_host}:{proxy_port}/"]
-        proc = subprocess.Popen(command)
 
-        _wait_can_connect(proxy_host, proxy_port)
+    with create_proxy_block_file(["example.com"]) as block_file_name:
+        try:
+            command = [
+                "pproxy",
+                "-b",
+                block_file_name,
+                "-l",
+                f"http://{proxy_host}:{proxy_port}/",
+            ]
+            proc = subprocess.Popen(command)
+
+            _wait_can_connect(proxy_host, proxy_port)
+
+            yield b"http", proxy_host.encode(), proxy_port, b"/"
+        finally:
+            if proc is not None:
+                proc.kill()
+
+
+@contextlib.contextmanager
+def create_proxy_block_file(blocked_domains: List[str]):
+    with tempfile.NamedTemporaryFile(delete=True, mode="w+") as file:
+
+        for domain in blocked_domains:
+            file.write(domain)
+            file.write("\n")
+
+        file.flush()
 
-        yield b"http", proxy_host.encode(), proxy_port, b"/"
-    finally:
-        if proc is not None:
-            proc.kill()
+        yield file.name