Bump to 4.1.1

Merge pull request #4746 from minrk/411
changelog for 4.1.1
2025-10-07 18:14:10 +00:00 · 2024-03-23 17:16:49 +01:00 · 2024-03-23 17:16:34 +01:00 · 2024-03-23 16:03:30 +01:00 · 2024-03-23 16:01:00 +01:00 · 2024-03-23 00:00:04 +01:00
5 changed files with 60 additions and 12 deletions
--- a/docs/source/_static/rest-api.yml
+++ b/docs/source/_static/rest-api.yml
@@ -6,7 +6,7 @@ info:
  description: The REST API for JupyterHub
  license:
    name: BSD-3-Clause
-  version: 4.1.0
+  version: 4.1.1
 servers:
  - url: /hub/api
 security:
--- a/docs/source/reference/changelog.md
+++ b/docs/source/reference/changelog.md
@@ -10,7 +10,27 @@ command line for details.

 ## 4.1

-### 4.1.0 - 2024-03
+### 4.1.1 - 2024-03-23
+
+4.1.1 fixes a compatibility regression in 4.1.0 for some extensions,
+particularly jupyter-server-proxy.
+
+([full changelog](https://github.com/jupyterhub/jupyterhub/compare/4.1.0...4.1.1))
+
+#### Bugs fixed
+
+- allow subclasses to override xsrf check [#4745](https://github.com/jupyterhub/jupyterhub/pull/4745) ([@minrk](https://github.com/minrk), [@consideRatio](https://github.com/consideRatio))
+
+#### Contributors to this release
+
+The following people contributed discussions, new ideas, code and documentation contributions, and review.
+See [our definition of contributors](https://github-activity.readthedocs.io/en/latest/#how-does-this-tool-define-contributions-in-the-reports).
+
+([GitHub contributors page for this release](https://github.com/jupyterhub/jupyterhub/graphs/contributors?from=2024-03-20&to=2024-03-23&type=c))
+
+@consideRatio ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3AconsideRatio+updated%3A2024-03-20..2024-03-23&type=Issues)) | @minrk ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyterhub+involves%3Aminrk+updated%3A2024-03-20..2024-03-23&type=Issues))
+
+### 4.1.0 - 2024-03-20

 JupyterHub 4.1 is a security release, fixing [CVE-2024-28233].
 All JupyterHub deployments are encouraged to upgrade,
--- a/jupyterhub/_version.py
+++ b/jupyterhub/_version.py
@@ -3,7 +3,7 @@
 # Copyright (c) Jupyter Development Team.
 # Distributed under the terms of the Modified BSD License.
 # version_info updated by running `tbump`
-version_info = (4, 1, 0, "", "")
+version_info = (4, 1, 1, "", "")

 # pep 440 version: no dot before beta/rc, but before .dev
 # 0.1.0rc1
--- a/jupyterhub/services/auth.py
+++ b/jupyterhub/services/auth.py
@@ -880,13 +880,39 @@ class HubOAuth(HubAuth):

    def _patch_xsrf(self, handler):
        """Patch handler to inject JuptyerHub xsrf token behavior"""
-        handler._xsrf_token_id = self._get_xsrf_token_id(handler)
-        # override xsrf_token property on class,
-        # so it's still a getter, not invoked immediately
-        handler.__class__.xsrf_token = property(
-            partial(get_xsrf_token, cookie_path=self.base_url)
-        )
-        handler.check_xsrf_cookie = partial(self.check_xsrf_cookie, handler)
+        if isinstance(handler, HubAuthenticated):
+            # doesn't need patch
+            return
+
+        # patch in our xsrf token handling
+        # overrides tornado and jupyter_server defaults,
+        # but not others.
+        # subclasses will still inherit our overridden behavior,
+        # but their overrides (if any) will take precedence over ours
+        # such as jupyter-server-proxy
+        for cls in handler.__class__.__mro__:
+            # search for the nearest parent class defined
+            # in one of the 'base' Handler-defining packages.
+            # In current implementations, this will
+            # generally be jupyter_server.base.handlers.JupyterHandler
+            # or tornado.web.RequestHandler,
+            # but doing it this way ensures consistent results
+            if (cls.__module__ or '').partition('.')[0] not in {
+                "jupyter_server",
+                "notebook",
+                "tornado",
+            }:
+                continue
+            # override check_xsrf_cookie where it's defined
+            if "check_xsrf_cookie" in cls.__dict__:
+                if "_get_xsrf_token_id" in cls.__dict__:
+                    # already patched
+                    return
+                cls._xsrf_token_id = property(self._get_xsrf_token_id)
+                cls.xsrf_token = property(
+                    partial(get_xsrf_token, cookie_path=self.base_url)
+                )
+                cls.check_xsrf_cookie = lambda handler: self.check_xsrf_cookie(handler)

    def check_xsrf_cookie(self, handler):
        """check_xsrf_cookie patch
@@ -931,8 +957,10 @@ class HubOAuth(HubAuth):
        token = self._get_token_cookie(handler)
        session_id = self.get_session_id(handler)
        if token and self._needs_check_xsrf(handler):
+            # call handler.check_xsrf_cookie instead of self.check_xsrf_cookie
+            # to allow subclass overrides
            try:
-                self.check_xsrf_cookie(handler)
+                handler.check_xsrf_cookie()
            except HTTPError as e:
                self.log.error(
                    f"Not accepting cookie auth on {handler.request.method} {handler.request.path}: {e}"
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -43,7 +43,7 @@ target_version = [
 github_url = "https://github.com/jupyterhub/jupyterhub"

 [tool.tbump.version]
-current = "4.1.0"
+current = "4.1.1"

 # Example of a semver regexp.
 # Make sure this matches current_version before
Author	SHA1	Message	Date
Min RK	b7b2558ab7	Bump to 4.1.1	2024-03-23 17:16:49 +01:00
Min RK	a77e57290e	Merge pull request #4746 from minrk/411 changelog for 4.1.1	2024-03-23 17:16:34 +01:00
Min RK	506f931f15	changelog for 4.1.1	2024-03-23 16:03:30 +01:00
Min RK	b094381f79	Merge pull request #4745 from minrk/inject-xsrf allow subclasses to override xsrf check	2024-03-23 16:01:00 +01:00
Min RK	e6e85eebc1	allow subclasses to override xsrf check need to inject our override into the base class, rather than at the instance level, to avoid clobbering any overrides in extensions like jupyter-server-proxy	2024-03-23 00:00:04 +01:00