fix: reject unsupported HTTP methods early in session manager#2191
Open
Br1an67 wants to merge 2 commits intomodelcontextprotocol:mainfrom
Open
fix: reject unsupported HTTP methods early in session manager#2191Br1an67 wants to merge 2 commits intomodelcontextprotocol:mainfrom
Br1an67 wants to merge 2 commits intomodelcontextprotocol:mainfrom
Conversation
HEAD and other unsupported HTTP methods (PUT, PATCH, OPTIONS, etc.) sent to the StreamableHTTP endpoint now return 405 Method Not Allowed immediately in StreamableHTTPSessionManager.handle_request(), before any transport or background server task is created. Previously, in stateless mode, unsupported methods would flow through the full transport lifecycle: a new StreamableHTTPServerTransport was created, a background run_stateless_server task was spawned (starting the message router), the 405 response was sent, and then terminate() closed the streams while the message router was still running. This caused a ClosedResourceError that crashed the server. Fixes modelcontextprotocol#1269
2 tasks
Remove the unused lifespan context manager (httpx.ASGITransport does not trigger ASGI lifespan events) and the caplog loop assertion (loop body never executes when no errors are logged). The early-return guard rejects unsupported methods before checking _task_group, so the session manager does not need to be running.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
HEAD and other unsupported HTTP methods (PUT, PATCH, OPTIONS, etc.) sent to the StreamableHTTP endpoint now return
405 Method Not Allowedimmediately inStreamableHTTPSessionManager.handle_request(), before any transport or background server task is created.Fixes #1269
Problem
In stateless mode, a HEAD request to
/mcpwould:StreamableHTTPServerTransportrun_stateless_servertask (starting the message router)handle_request()→_handle_unsupported_request()→ send 405terminate(), closing all streamsasync for write_stream_reader, would resume on a closed stream →ClosedResourceError→ server crashFix
Move the HTTP method check into
StreamableHTTPSessionManager.handle_request()so unsupported methods are rejected before any transport is instantiated or background task is spawned. This is a single early-return guard that applies to both stateless and stateful modes.Changes
src/mcp/server/streamable_http_manager.py: Added early method check before transport creationtests/issues/test_1269_head_request_crash.py: Tests for HEAD, PUT, PATCH, OPTIONS in both stateless and stateful modes — verifies 405 response and noClosedResourceErrorin logs