test: add failing fixtures for forbidden trailer fields

This commit is contained in:
Benoit Chesneau 2026-04-19 11:38:05 +02:00
parent ba8776d3fc
commit 3b3752eb90
6 changed files with 56 additions and 0 deletions

View File

@ -0,0 +1,9 @@
POST /p HTTP/1.1\r\n
Host: example.com\r\n
Transfer-Encoding: chunked\r\n
\r\n
5\r\n
hello\r\n
0\r\n
Content-Length: 99\r\n
\r\n

View File

@ -0,0 +1,9 @@
#
# This file is part of gunicorn released under the MIT license.
# See the NOTICE for more information.
# RFC 9110 section 6.5.1: Content-Length in trailers is a classic
# smuggling vector; origin must reject.
from gunicorn.http.errors import InvalidHeaderName
request = InvalidHeaderName
python_only = True

View File

@ -0,0 +1,9 @@
POST /p HTTP/1.1\r\n
Host: example.com\r\n
Transfer-Encoding: chunked\r\n
\r\n
5\r\n
hello\r\n
0\r\n
Host: evil.example.com\r\n
\r\n

View File

@ -0,0 +1,11 @@
#
# This file is part of gunicorn released under the MIT license.
# See the NOTICE for more information.
# RFC 9110 section 6.5.1: certain header fields must not be sent in
# trailers because they alter routing or message framing (e.g. Host,
# Content-Length, Transfer-Encoding). Accepting them enables smuggling.
from gunicorn.http.errors import InvalidHeaderName
request = InvalidHeaderName
# The C parser (gunicorn_h1c) does not yet enforce this rule.
python_only = True

View File

@ -0,0 +1,9 @@
POST /p HTTP/1.1\r\n
Host: example.com\r\n
Transfer-Encoding: chunked\r\n
\r\n
5\r\n
hello\r\n
0\r\n
Transfer-Encoding: chunked\r\n
\r\n

View File

@ -0,0 +1,9 @@
#
# This file is part of gunicorn released under the MIT license.
# See the NOTICE for more information.
# RFC 9110 section 6.5.1: Transfer-Encoding in trailers alters framing
# and must not be accepted.
from gunicorn.http.errors import InvalidHeaderName
request = InvalidHeaderName
python_only = True