mirror of
https://github.com/frappe/gunicorn.git
synced 2026-07-04 03:31:29 +08:00
chore: require gunicorn_h1c >=0.6.4 and drop python_only markers
gunicorn_h1c 0.6.4 ships the RFC 9110/9112 hardening added in h1c #4, #6, and #7: control chars in header values, request-target form/method pairing, and forbidden trailer field-names. All the corresponding fixtures now pass against the C parser, so their python_only markers are removed. The Content-Length list-form fixture stays marked python_only — the C parser does not yet reject Content-Length: "5, 5".
parent
a635b957c5
commit
408b1f0517
@ -53,7 +53,7 @@ tornado = ["tornado>=6.5.0"]
|
||||
gthread = []
|
||||
setproctitle = ["setproctitle"]
|
||||
http2 = ["h2>=4.1.0"]
|
||||
fast = ["gunicorn_h1c>=0.6.3"]
|
||||
fast = ["gunicorn_h1c>=0.6.4"]
|
||||
testing = [
|
||||
"gevent>=24.10.1",
|
||||
"eventlet>=0.40.3",
|
||||
|
||||
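Review bot: The new floor on the `fast` extra is what carries the C-parser hardening, yet nothing on that line says so, so a later dependency tidy-up could lower it without anyone noticing that the parser would again accept control characters in header values, mismatched request-target forms and forbidden trailer field-names. I would add a comment above it, e.g. `# >=0.6.4: h1c release with the RFC 9110/9112 header-value, request-target and trailer checks; do not lower`. The extra only constrains installs that request it; whether gunicorn checks the installed gunicorn_h1c version when it selects the parser is not visible in this hunk, so an environment that already has an older h1c may still run the weaker parser. The test-requirements hunk that follows sets the same floor and deserves the same comment.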
@ -3,4 +3,4 @@ coverage
|
||||
pytest>=7.2.0
|
||||
pytest-cov
|
||||
pytest-asyncio
|
||||
gunicorn_h1c>=0.6.2
|
||||
gunicorn_h1c>=0.6.4
|
||||
|
||||
@ -7,4 +7,3 @@
|
||||
# appear, to prevent log/response injection and parser confusion.
|
||||
from gunicorn.http.errors import InvalidHeader
|
||||
request = InvalidHeader
|
||||
python_only = True
|
||||
|
||||
@ -6,4 +6,3 @@
|
||||
# it must not appear in a field-value.
|
||||
from gunicorn.http.errors import InvalidHeader
|
||||
request = InvalidHeader
|
||||
python_only = True
|
||||
|
||||
@ -6,4 +6,3 @@
|
||||
# smuggling vector; origin must reject.
|
||||
from gunicorn.http.errors import InvalidHeaderName
|
||||
request = InvalidHeaderName
|
||||
python_only = True
|
||||
|
||||
@ -7,5 +7,3 @@
|
||||
# Content-Length, Transfer-Encoding). Accepting them enables smuggling.
|
||||
from gunicorn.http.errors import InvalidHeaderName
|
||||
request = InvalidHeaderName
|
||||
# The C parser (gunicorn_h1c) does not yet enforce this rule.
|
||||
python_only = True
|
||||
|
||||
@ -6,4 +6,3 @@
|
||||
# and must not be accepted.
|
||||
from gunicorn.http.errors import InvalidHeaderName
|
||||
request = InvalidHeaderName
|
||||
python_only = True
|
||||
|
||||
@ -7,5 +7,3 @@
|
||||
# rejected as an ill-formed request-line.
|
||||
from gunicorn.http.errors import InvalidRequestLine
|
||||
request = InvalidRequestLine
|
||||
# The C parser (gunicorn_h1c) does not yet enforce this rule.
|
||||
python_only = True
|
||||
|
||||
@ -6,5 +6,3 @@
|
||||
# the CONNECT method. Any other method carrying it must be rejected.
|
||||
from gunicorn.http.errors import InvalidRequestLine
|
||||
request = InvalidRequestLine
|
||||
# The C parser (gunicorn_h1c) does not yet enforce this rule.
|
||||
python_only = True
|
||||
|
||||
@ -7,5 +7,3 @@
|
||||
# like "foo/bar" matches none of these and must be rejected.
|
||||
from gunicorn.http.errors import InvalidRequestLine
|
||||
request = InvalidRequestLine
|
||||
# The C parser (gunicorn_h1c) does not yet enforce this rule.
|
||||
python_only = True
|
||||
|
||||