diff --git a/tests/requests/invalid/rfc9110_trailer_forbidden_cl_01.http b/tests/requests/invalid/rfc9110_trailer_forbidden_cl_01.http new file mode 100644 index 00000000..7562e1a8 --- /dev/null +++ b/tests/requests/invalid/rfc9110_trailer_forbidden_cl_01.http @@ -0,0 +1,9 @@ +POST /p HTTP/1.1\r\n +Host: example.com\r\n +Transfer-Encoding: chunked\r\n +\r\n +5\r\n +hello\r\n +0\r\n +Content-Length: 99\r\n +\r\n diff --git a/tests/requests/invalid/rfc9110_trailer_forbidden_cl_01.py b/tests/requests/invalid/rfc9110_trailer_forbidden_cl_01.py new file mode 100644 index 00000000..b0f8ccae --- /dev/null +++ b/tests/requests/invalid/rfc9110_trailer_forbidden_cl_01.py @@ -0,0 +1,9 @@ +# +# This file is part of gunicorn released under the MIT license. +# See the NOTICE for more information. + +# RFC 9110 section 6.5.1: Content-Length in trailers is a classic +# smuggling vector; origin must reject. +from gunicorn.http.errors import InvalidHeaderName +request = InvalidHeaderName +python_only = True diff --git a/tests/requests/invalid/rfc9110_trailer_forbidden_host_01.http b/tests/requests/invalid/rfc9110_trailer_forbidden_host_01.http new file mode 100644 index 00000000..348082e7 --- /dev/null +++ b/tests/requests/invalid/rfc9110_trailer_forbidden_host_01.http @@ -0,0 +1,9 @@ +POST /p HTTP/1.1\r\n +Host: example.com\r\n +Transfer-Encoding: chunked\r\n +\r\n +5\r\n +hello\r\n +0\r\n +Host: evil.example.com\r\n +\r\n diff --git a/tests/requests/invalid/rfc9110_trailer_forbidden_host_01.py b/tests/requests/invalid/rfc9110_trailer_forbidden_host_01.py new file mode 100644 index 00000000..fe897329 --- /dev/null +++ b/tests/requests/invalid/rfc9110_trailer_forbidden_host_01.py @@ -0,0 +1,11 @@ +# +# This file is part of gunicorn released under the MIT license. +# See the NOTICE for more information. + +# RFC 9110 section 6.5.1: certain header fields must not be sent in +# trailers because they alter routing or message framing (e.g. Host, +# Content-Length, Transfer-Encoding). Accepting them enables smuggling. +from gunicorn.http.errors import InvalidHeaderName +request = InvalidHeaderName +# The C parser (gunicorn_h1c) does not yet enforce this rule. +python_only = True diff --git a/tests/requests/invalid/rfc9110_trailer_forbidden_te_01.http b/tests/requests/invalid/rfc9110_trailer_forbidden_te_01.http new file mode 100644 index 00000000..e5c98d16 --- /dev/null +++ b/tests/requests/invalid/rfc9110_trailer_forbidden_te_01.http @@ -0,0 +1,9 @@ +POST /p HTTP/1.1\r\n +Host: example.com\r\n +Transfer-Encoding: chunked\r\n +\r\n +5\r\n +hello\r\n +0\r\n +Transfer-Encoding: chunked\r\n +\r\n diff --git a/tests/requests/invalid/rfc9110_trailer_forbidden_te_01.py b/tests/requests/invalid/rfc9110_trailer_forbidden_te_01.py new file mode 100644 index 00000000..caa2f5ac --- /dev/null +++ b/tests/requests/invalid/rfc9110_trailer_forbidden_te_01.py @@ -0,0 +1,9 @@ +# +# This file is part of gunicorn released under the MIT license. +# See the NOTICE for more information. + +# RFC 9110 section 6.5.1: Transfer-Encoding in trailers alters framing +# and must not be accepted. +from gunicorn.http.errors import InvalidHeaderName +request = InvalidHeaderName +python_only = True