
Security: Silent Exception Swallowing in Server Request Handler Factory#12332

Open
barttran2k wants to merge 1 commit into aio-libs:master from barttran2k:contribai/fix/security/silent-exception-swallowing-in-server-re

Conversation

@barttran2k

Problem

The Server.__call__ method catches TypeError broadly and silently retries handler creation with filtered kwargs. This could mask legitimate configuration errors or security-relevant misconfigurations, making debugging difficult and potentially allowing the server to start with an insecure or unexpected configuration.

Severity: low
File: aiohttp/web_server.py

Solution

Log a warning when falling back to the failsafe creation path so that misconfiguration is visible to operators. Consider narrowing the exception handling or deprecating this failsafe behavior.

Changes

  • aiohttp/web_server.py (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

The `Server.__call__` method catches `TypeError` broadly and silently retries handler creation with filtered kwargs. This could mask legitimate configuration errors or security-relevant misconfigurations, making debugging difficult and potentially allowing the server to start with an insecure or unexpected configuration.

Affected files: web_server.py

Signed-off-by: Trần Bách <45133811+barttran2k@users.noreply.github.com>
@barttran2k barttran2k requested a review from asvetlov as a code owner April 7, 2026 00:48
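The two behaviours discussed in this PR, shown side by side as an added example that is not aiohttp's code: a handler-factory wrapper that catches `TypeError` and retries with filtered keyword arguments, first in the silent form the description criticises, then in a form that logs a warning naming the dropped options and re-raises a `TypeError` that has nothing to do with the argument list. `create_silently`, `create_with_warning`, `accepted_kwargs`, `legacy_factory`, `faulty_factory` and the option names are all constructed for illustration and do not correspond to identifiers in `aiohttp/web_server.py`.

```python
"""Added example: silent vs. logged failsafe retry of a handler factory.
Not aiohttp's implementation; every name here is constructed for illustration."""
from __future__ import annotations

import inspect
import logging
from typing import Any, Callable

log = logging.getLogger("handler_factory")


def accepted_kwargs(factory: Callable[..., Any], kwargs: dict[str, Any]) -> dict[str, Any]:
    """Keep only the keyword arguments the factory's signature declares.
    A factory that takes **kwargs accepts everything, so nothing is filtered."""
    params = inspect.signature(factory).parameters
    if any(p.kind is inspect.Parameter.VAR_KEYWORD for p in params.values()):
        return dict(kwargs)
    return {k: v for k, v in kwargs.items() if k in params}


def create_silently(factory: Callable[..., Any], **kwargs: Any) -> Any:
    """The pattern the PR describes: any TypeError is swallowed and the factory
    is retried with filtered kwargs. Nothing is logged, so a dropped option such
    as a size limit disappears without a trace."""
    try:
        return factory(**kwargs)
    except TypeError:
        return factory(**accepted_kwargs(factory, kwargs))


def create_with_warning(factory: Callable[..., Any], **kwargs: Any) -> Any:
    """Hardened variant: the failsafe path still runs, but the dropped options
    and the original error are logged at WARNING level, and a TypeError that
    left nothing to filter (i.e. the factory itself failed) is re-raised."""
    try:
        return factory(**kwargs)
    except TypeError as exc:
        filtered = accepted_kwargs(factory, kwargs)
        dropped = sorted(set(kwargs) - set(filtered))
        if not dropped:
            raise  # not an argument mismatch; do not mask it
        log.warning(
            "handler factory %r rejected keyword arguments %s (%s); retrying without them",
            getattr(factory, "__name__", factory), dropped, exc,
        )
        return factory(**filtered)


# Constructed factory that knows nothing about a "max_body_size" option.
def legacy_factory(*, keepalive_timeout: float = 75.0) -> dict[str, Any]:
    return {"keepalive_timeout": keepalive_timeout}


# Constructed factory whose TypeError is unrelated to its argument list.
def faulty_factory(**kwargs: Any) -> Any:
    raise TypeError("internal bug, not an unexpected keyword")


class _ListHandler(logging.Handler):
    """Collects log messages so the demo can return them instead of printing."""

    def __init__(self) -> None:
        super().__init__()
        self.messages: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.messages.append(record.getMessage())


def run_demo() -> tuple[dict[str, Any], dict[str, Any], list[str]]:
    """Create a handler both ways with one unsupported option and return
    (silent result, logged result, warning messages captured)."""
    handler = _ListHandler()
    log.addHandler(handler)
    try:
        silent = create_silently(legacy_factory, keepalive_timeout=30.0, max_body_size=1024)
        loud = create_with_warning(legacy_factory, keepalive_timeout=30.0, max_body_size=1024)
    finally:
        log.removeHandler(handler)
    return silent, loud, handler.messages


def raises_type_error(creator: Callable[..., Any], factory: Callable[..., Any]) -> bool:
    """True if `creator` lets a non-argument TypeError from `factory` surface."""
    try:
        creator(factory, keepalive_timeout=30.0)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    silent, loud, messages = run_demo()
    print("silent:", silent)        # option vanished, no record of it
    print("logged:", loud)          # same result, but see the warning below
    print("warnings:", messages)
```

Both wrappers produce the same handler configuration; the difference an operator sees is the single warning line naming `max_body_size` and the underlying error. The `if not dropped: raise` guard is the "narrowing" the PR's solution section suggests: the retry only happens when the signature check confirms the `TypeError` was caused by unsupported keyword arguments.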
@codecov

codecov bot commented Apr 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.10%. Comparing base (47558a3) to head (58a10cf).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #12332      +/-   ##
==========================================
- Coverage   99.11%   99.10%   -0.01%     
==========================================
  Files         130      130              
  Lines       45609    45612       +3     
  Branches     2405     2405              
==========================================
- Hits        45207    45206       -1     
- Misses        272      275       +3     
- Partials      130      131       +1     
Flag Coverage Δ
CI-GHA 98.96% <100.00%> (-0.01%) ⬇️
OS-Linux 98.71% <100.00%> (-0.01%) ⬇️
OS-Windows 96.96% <100.00%> (+<0.01%) ⬆️
OS-macOS 97.88% <100.00%> (+<0.01%) ⬆️
Py-3.10.11 97.42% <100.00%> (+<0.01%) ⬆️
Py-3.10.20 97.89% <100.00%> (+<0.01%) ⬆️
Py-3.11.15 98.10% <100.00%> (+<0.01%) ⬆️
Py-3.11.9 97.63% <100.00%> (+<0.01%) ⬆️
Py-3.12.10 97.72% <100.00%> (+<0.01%) ⬆️
Py-3.12.13 98.20% <100.00%> (+<0.01%) ⬆️
Py-3.13.12 98.44% <100.00%> (-0.01%) ⬇️
Py-3.14.3 98.50% <100.00%> (-0.01%) ⬇️
Py-3.14.3t 97.50% <100.00%> (+<0.01%) ⬆️
Py-pypy3.11.15-7.3.21 97.38% <100.00%> (+<0.01%) ⬆️
VM-macos 97.88% <100.00%> (+<0.01%) ⬆️
VM-ubuntu 98.71% <100.00%> (-0.01%) ⬇️
VM-windows 96.96% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown.


@codspeed-hq

codspeed-hq bot commented Apr 7, 2026

Merging this PR will not alter performance

✅ 59 untouched benchmarks


Comparing barttran2k:contribai/fix/security/silent-exception-swallowing-in-server-re (58a10cf) with master (47558a3)

