From 3b3752eb90c2782aec7b054f68569f2fef794597 Mon Sep 17 00:00:00 2001
From: Benoit Chesneau
Date: Sun, 19 Apr 2026 11:38:05 +0200
Subject: [PATCH] test: add failing fixtures for forbidden trailer fields
---
.../invalid/rfc9110_trailer_forbidden_cl_01.http | 9 +++++++++
.../invalid/rfc9110_trailer_forbidden_cl_01.py | 9 +++++++++
.../invalid/rfc9110_trailer_forbidden_host_01.http | 9 +++++++++
.../invalid/rfc9110_trailer_forbidden_host_01.py | 11 +++++++++++
.../invalid/rfc9110_trailer_forbidden_te_01.http | 9 +++++++++
.../invalid/rfc9110_trailer_forbidden_te_01.py | 9 +++++++++
6 files changed, 56 insertions(+)
create mode 100644 tests/requests/invalid/rfc9110_trailer_forbidden_cl_01.http
create mode 100644 tests/requests/invalid/rfc9110_trailer_forbidden_cl_01.py
create mode 100644 tests/requests/invalid/rfc9110_trailer_forbidden_host_01.http
create mode 100644 tests/requests/invalid/rfc9110_trailer_forbidden_host_01.py
create mode 100644 tests/requests/invalid/rfc9110_trailer_forbidden_te_01.http
create mode 100644 tests/requests/invalid/rfc9110_trailer_forbidden_te_01.py
diff --git a/tests/requests/invalid/rfc9110_trailer_forbidden_cl_01.http b/tests/requests/invalid/rfc9110_trailer_forbidden_cl_01.http
new file mode 100644
index 00000000..7562e1a8
--- /dev/null
+++ b/tests/requests/invalid/rfc9110_trailer_forbidden_cl_01.http
@@ -0,0 +1,9 @@
+POST /p HTTP/1.1\r\n
+Host: example.com\r\n
+Transfer-Encoding: chunked\r\n
+\r\n
+5\r\n
+hello\r\n
+0\r\n
+Content-Length: 99\r\n
+\r\n
diff --git a/tests/requests/invalid/rfc9110_trailer_forbidden_cl_01.py b/tests/requests/invalid/rfc9110_trailer_forbidden_cl_01.py
new file mode 100644
index 00000000..b0f8ccae
--- /dev/null
+++ b/tests/requests/invalid/rfc9110_trailer_forbidden_cl_01.py
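Review bot: The forbidden-trailer case is exercised only with the canonical spelling `Content-Length: 99`, yet header field names are case-insensitive, so a parser that rejects forbidden trailer fields by exact-case comparison would pass this fixture and still accept `content-length: 99`; a second fixture with a lower-case (or mixed-case) name would pin that the check runs on the normalized name. The same gap applies to rfc9110_trailer_forbidden_host_01.http and rfc9110_trailer_forbidden_te_01.http in this patch. The chunked body `5\r\nhello\r\n0\r\n` is otherwise well-formed, which is good: the trailer field is the only invalid element, so the fixture isolates the rule under test.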
@@ -0,0 +1,9 @@
+#
+# This file is part of gunicorn released under the MIT license.
+# See the NOTICE for more information.
+
+# RFC 9110 section 6.5.1: Content-Length in trailers is a classic
+# smuggling vector; origin must reject.
+from gunicorn.http.errors import InvalidHeaderName
+request = InvalidHeaderName
+python_only = True
diff --git a/tests/requests/invalid/rfc9110_trailer_forbidden_host_01.http b/tests/requests/invalid/rfc9110_trailer_forbidden_host_01.http
new file mode 100644
index 00000000..348082e7
--- /dev/null
+++ b/tests/requests/invalid/rfc9110_trailer_forbidden_host_01.http
@@ -0,0 +1,9 @@
+POST /p HTTP/1.1\r\n
+Host: example.com\r\n
+Transfer-Encoding: chunked\r\n
+\r\n
+5\r\n
+hello\r\n
+0\r\n
+Host: evil.example.com\r\n
+\r\n
diff --git a/tests/requests/invalid/rfc9110_trailer_forbidden_host_01.py b/tests/requests/invalid/rfc9110_trailer_forbidden_host_01.py
new file mode 100644
index 00000000..fe897329
--- /dev/null
+++ b/tests/requests/invalid/rfc9110_trailer_forbidden_host_01.py
@@ -0,0 +1,11 @@
+#
+# This file is part of gunicorn released under the MIT license.
+# See the NOTICE for more information.
+
+# RFC 9110 section 6.5.1: certain header fields must not be sent in
+# trailers because they alter routing or message framing (e.g. Host,
+# Content-Length, Transfer-Encoding). Accepting them enables smuggling.
+from gunicorn.http.errors import InvalidHeaderName
+request = InvalidHeaderName
+# The C parser (gunicorn_h1c) does not yet enforce this rule.
+python_only = True
diff --git a/tests/requests/invalid/rfc9110_trailer_forbidden_te_01.http b/tests/requests/invalid/rfc9110_trailer_forbidden_te_01.http
new file mode 100644
index 00000000..e5c98d16
--- /dev/null
+++ b/tests/requests/invalid/rfc9110_trailer_forbidden_te_01.http
@@ -0,0 +1,9 @@
+POST /p HTTP/1.1\r\n
+Host: example.com\r\n
+Transfer-Encoding: chunked\r\n
+\r\n
+5\r\n
+hello\r\n
+0\r\n
+Transfer-Encoding: chunked\r\n
+\r\n
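Review bot: `python_only = True` on the last line of rfc9110_trailer_forbidden_cl_01.py is unexplained, while rfc9110_trailer_forbidden_host_01.py in the same patch precedes the same flag with `# The C parser (gunicorn_h1c) does not yet enforce this rule.`; add that comment here and in rfc9110_trailer_forbidden_te_01.py so a reader knows the flag records a known enforcement gap rather than an intentional scope limit. Pinning `InvalidHeaderName` is also slightly surprising, since the field name itself is well-formed and the fault is its position in the trailer section; if the parser signals a forbidden trailer field with a more specific error, the fixture should expect that instead, but which error classes exist is not visible in this patch.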
diff --git a/tests/requests/invalid/rfc9110_trailer_forbidden_te_01.py b/tests/requests/invalid/rfc9110_trailer_forbidden_te_01.py
new file mode 100644
index 00000000..caa2f5ac
--- /dev/null
+++ b/tests/requests/invalid/rfc9110_trailer_forbidden_te_01.py
@@ -0,0 +1,9 @@
+#
+# This file is part of gunicorn released under the MIT license.
+# See the NOTICE for more information.
+
+# RFC 9110 section 6.5.1: Transfer-Encoding in trailers alters framing
+# and must not be accepted.
+from gunicorn.http.errors import InvalidHeaderName
+request = InvalidHeaderName
+python_only = True