forbid lone CR/LF and NUL in headers (docs)

Paul J. Dorn 2024-07-31 17:39:13 +02:00
parent eda9d456d3
commit 70a1e437b5


@ -1410,7 +1410,7 @@ Strip spaces present between the header name and the the ``:``.
This is known to induce vulnerabilities and is not compliant with the HTTP/1.1 standard.
See https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn.
Use with care and only if necessary. May be removed in a future version.
Use with care and only if necessary. Deprecated; scheduled for removal in 25.0.0
.. versionadded:: 20.0.1
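Review bot: the replacement line "Use with care and only if necessary. Deprecated; scheduled for removal in 25.0.0" drops the full stop that every neighbouring sentence carries; end it with a period. Sphinx also provides a `.. deprecated:: <version>` directive (taking the release in which the option was deprecated), which would render the deprecation as a highlighted note alongside the existing `.. versionadded:: 20.0.1`; consider adding it next to the prose so the status is styled consistently with the rest of the settings page.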
@ -1429,9 +1429,13 @@ This permits request methods of length less than 3 or more than 20,
methods with lowercase characters or methods containing the # character.
HTTP methods are case sensitive by definition, and merely uppercase by convention.
This option is provided to diagnose backwards-incompatible changes.
If unset, Gunicorn will apply nonstandard restrictions and cause 400 response status
in cases where otherwise 501 status is expected. While this option does modify that
behaviour, it should not be depended upon to guarantee standards-compliant behaviour.
Rather, it is provided temporarily, to assist in diagnosing backwards-incompatible
changes around the incomplete application of those restrictions.
Use with care and only if necessary. May be removed in a future version.
Use with care and only if necessary. Temporary; scheduled for removal in 24.0.0
.. versionadded:: 22.0.0
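Review bot: "Use with care and only if necessary. Temporary; scheduled for removal in 24.0.0" is missing its terminating period, unlike the sentence before it and the equivalent lines for the other options. The paragraph above already says the option "is provided temporarily, to assist in diagnosing backwards-incompatible changes"; putting the 24.0.0 target in that same sentence, rather than several lines later, would spare readers reconciling "temporarily" with a concrete release.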
@ -1450,7 +1454,8 @@ This disables the refusal of likely malformed request lines.
It is unusual to specify HTTP 1 versions other than 1.0 and 1.1.
This option is provided to diagnose backwards-incompatible changes.
Use with care and only if necessary. May be removed in a future version.
Use with care and only if necessary. Temporary; the precise effect of this option may
change in a future version, or it may be removed altogether.
.. versionadded:: 22.0.0
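Review bot: this is the only option touched by the commit whose new wording names no target release ("may change in a future version, or it may be removed altogether"), while the sibling options are pinned to 24.0.0 or 25.0.0. If the open-ended wording is deliberate, add one clause saying that no removal version has been decided yet; otherwise pin it for consistency. Also make sure the continuation line "change in a future version, or it may be removed altogether." keeps the same indentation as the line before it, so reStructuredText renders the two lines as one paragraph rather than starting a block quote.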
@ -1469,7 +1474,7 @@ HTTP methods are case sensitive by definition, and merely uppercase by conventio
This option is provided because previous versions of gunicorn defaulted to this behaviour.
Use with care and only if necessary. May be removed in a future version.
Use with care and only if necessary. Deprecated; scheduled for removal in 24.0.0
.. versionadded:: 22.0.0
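Review bot: the new "Deprecated; scheduled for removal in 24.0.0" lacks a terminating period, and its target release differs from the 25.0.0 given for the strip-header-spaces option earlier in this diff. Different options can legitimately have different timelines, but a reader skimming the page will assume one of the two is a typo; either align the releases or add a short reason for the difference.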
@ -1512,9 +1517,18 @@ Process requests with both Transfer-Encoding and Content-Length
This is known to induce vulnerabilities, but not strictly forbidden by RFC9112.
Use with care and only if necessary. May be removed in a future version.
In any case, the connection is closed after the malformed request,
as it is unclear if and at which boundary additional requests start.
Use with care and only if necessary.
Temporary; will be changed or removed in a future version.
.. versionadded:: 22.0.0
.. versionchanged: 22.1.0
The newly added rejection of invalid and dangerous characters CR, LF and NUL in
header field values is also controlled with this setting. rfc9110 permits both
rejecting and SP-replacing. With this option set, Gunicorn passes the field value
unchanged. With this option unset, Gunicorn rejects the request.
Server Socket
-------------
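Review bot: the added line `.. versionchanged: 22.1.0` has a single colon; reStructuredText requires `.. versionchanged:: 22.1.0`, and with one colon Sphinx treats the line as a comment, so the explanation that follows is either rendered as an ordinary paragraph or, if it is indented under the marker, swallowed into the comment and never shown. Use the two-colon form and indent the four explanatory lines as the directive body, matching the existing `.. versionadded:: 22.0.0`. While here, write "rfc9110" as "RFC 9110" to match the "RFC9112" reference in the unchanged line above. The explanation itself is the substantive part of this commit and reads clearly (unset rejects the request, set passes the value unchanged); consider cross-referencing the request-smuggling research already linked under the strip-spaces option, since this setting guards the same class of header-parsing ambiguity and the link tells operators why the rejecting default is the safe one.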