chore: require gunicorn_h1c >=0.6.4 and drop python_only markers

gunicorn_h1c 0.6.4 ships the RFC 9110/9112 hardening added in h1c #4,
#6, and #7: control chars in header values, request-target form/method
pairing, and forbidden trailer field-names. All the corresponding
fixtures now pass against the C parser, so their python_only markers
are removed.

The CL list form fixture stays marked — the C parser does not yet
reject Content-Length: "5, 5".
This commit is contained in:
Benoit Chesneau 2026-04-19 23:40:58 +02:00
parent a635b957c5
commit 408b1f0517
10 changed files with 2 additions and 14 deletions

View File

@ -53,7 +53,7 @@ tornado = ["tornado>=6.5.0"]
gthread = []
setproctitle = ["setproctitle"]
http2 = ["h2>=4.1.0"]
fast = ["gunicorn_h1c>=0.6.3"]
fast = ["gunicorn_h1c>=0.6.4"]
testing = [
"gevent>=24.10.1",
"eventlet>=0.40.3",

View File

@ -3,4 +3,4 @@ coverage
pytest>=7.2.0
pytest-cov
pytest-asyncio
gunicorn_h1c>=0.6.2
gunicorn_h1c>=0.6.4

View File

@ -7,4 +7,3 @@
# appear, to prevent log/response injection and parser confusion.
from gunicorn.http.errors import InvalidHeader
request = InvalidHeader
python_only = True

View File

@ -6,4 +6,3 @@
# it must not appear in a field-value.
from gunicorn.http.errors import InvalidHeader
request = InvalidHeader
python_only = True

View File

@ -6,4 +6,3 @@
# smuggling vector; origin must reject.
from gunicorn.http.errors import InvalidHeaderName
request = InvalidHeaderName
python_only = True

View File

@ -7,5 +7,3 @@
# Content-Length, Transfer-Encoding). Accepting them enables smuggling.
from gunicorn.http.errors import InvalidHeaderName
request = InvalidHeaderName
# The C parser (gunicorn_h1c) does not yet enforce this rule.
python_only = True

View File

@ -6,4 +6,3 @@
# and must not be accepted.
from gunicorn.http.errors import InvalidHeaderName
request = InvalidHeaderName
python_only = True

View File

@ -7,5 +7,3 @@
# rejected as an ill-formed request-line.
from gunicorn.http.errors import InvalidRequestLine
request = InvalidRequestLine
# The C parser (gunicorn_h1c) does not yet enforce this rule.
python_only = True

View File

@ -6,5 +6,3 @@
# the CONNECT method. Any other method carrying it must be rejected.
from gunicorn.http.errors import InvalidRequestLine
request = InvalidRequestLine
# The C parser (gunicorn_h1c) does not yet enforce this rule.
python_only = True

View File

@ -7,5 +7,3 @@
# like "foo/bar" matches none of these and must be rejected.
from gunicorn.http.errors import InvalidRequestLine
request = InvalidRequestLine
# The C parser (gunicorn_h1c) does not yet enforce this rule.
python_only = True