diff --git a/docs/source/settings.rst b/docs/source/settings.rst index a5bd51c5..ec1d2b45 100644 --- a/docs/source/settings.rst +++ b/docs/source/settings.rst @@ -1410,7 +1410,7 @@ Strip spaces present between the header name and the the ``:``. This is known to induce vulnerabilities and is not compliant with the HTTP/1.1 standard. See https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn. -Use with care and only if necessary. May be removed in a future version. +Use with care and only if necessary. Deprecated; scheduled for removal in 25.0.0 .. versionadded:: 20.0.1 @@ -1429,9 +1429,13 @@ This permits request methods of length less than 3 or more than 20, methods with lowercase characters or methods containing the # character. HTTP methods are case sensitive by definition, and merely uppercase by convention. -This option is provided to diagnose backwards-incompatible changes. +If unset, Gunicorn will apply nonstandard restrictions and cause 400 response status +in cases where otherwise 501 status is expected. While this option does modify that +behaviour, it should not be depended upon to guarantee standards-compliant behaviour. +Rather, it is provided temporarily, to assist in diagnosing backwards-incompatible +changes around the incomplete application of those restrictions. -Use with care and only if necessary. May be removed in a future version. +Use with care and only if necessary. Temporary; scheduled for removal in 24.0.0 .. versionadded:: 22.0.0 @@ -1450,7 +1454,8 @@ This disables the refusal of likely malformed request lines. It is unusual to specify HTTP 1 versions other than 1.0 and 1.1. This option is provided to diagnose backwards-incompatible changes. -Use with care and only if necessary. May be removed in a future version. +Use with care and only if necessary. Temporary; the precise effect of this option may +change in a future version, or it may be removed altogether. .. versionadded:: 22.0.0 
@@ -1469,7 +1474,7 @@ HTTP methods are case sensitive by definition, and merely uppercase by conventio This option is provided because previous versions of gunicorn defaulted to this behaviour. -Use with care and only if necessary. May be removed in a future version. +Use with care and only if necessary. Deprecated; scheduled for removal in 24.0.0 .. versionadded:: 22.0.0 @@ -1512,9 +1517,18 @@ Process requests with both Transfer-Encoding and Content-Length This is known to induce vulnerabilities, but not strictly forbidden by RFC9112. -Use with care and only if necessary. May be removed in a future version. +In any case, the connection is closed after the malformed request, +as it is unclear if and at which boundary additional requests start. + +Use with care and only if necessary. +Temporary; will be changed or removed in a future version. .. versionadded:: 22.0.0 +.. versionchanged: 22.1.0 + The newly added rejection of invalid and dangerous characters CR, LF and NUL in + header field values is also controlled with this setting. rfc9110 permits both + rejecting and SP-replacing. With this option set, Gunicorn passes the field value + unchanged. With this option unset, Gunicorn rejects the request. Server Socket -------------
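Review bot: In the ``@@ -1410,7`` hunk (strip spaces around header name / ``:``), the new line "Deprecated; scheduled for removal in 25.0.0" lacks a terminating period, and the removal version disagrees with the other deprecated option in this patch (``@@ -1469,7`` schedules its removal in 24.0.0). Since the surrounding text already uses Sphinx directives (``.. versionadded:: 20.0.1``), the deprecation is better expressed with the matching ``.. deprecated:: 25.0.0`` directive next to ``versionadded`` so it renders consistently and can be searched; the prose line can then simply read "Use with care and only if necessary." The unchanged context line "between the header name and the the ``:``" also carries a doubled "the" that could be fixed while this paragraph is being touched.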
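Review bot: In the ``@@ -1429,9`` hunk (permit unconventional HTTP methods), the replacement paragraph is an improvement because it states the observable effect (a 400 where a 501 is expected) instead of only "diagnose backwards-incompatible changes", but the final sentence "Temporary; scheduled for removal in 24.0.0" is missing its period, and "Temporary" is used here while "Deprecated" is used for the options in the ``@@ -1410,7`` and ``@@ -1469,7`` hunks without the docs saying how the two differ. Suggest either using the same ``.. deprecated::`` directive for all options with a fixed removal version, or adding one sentence that defines "temporary" (an option whose behaviour is not part of the supported interface) so readers know which kind of removal to plan for.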
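Review bot: In the ``@@ -1450,7`` hunk (permit unconventional HTTP versions), the new sentence "the precise effect of this option may change in a future version, or it may be removed altogether" is good, but the unchanged context line directly above it still says "This option is provided to diagnose backwards-incompatible changes", which is the wording the ``@@ -1429,9`` hunk just replaced for the sibling option. For consistency, consider rewording this paragraph the same way, stating what the option actually tolerates (HTTP/1 versions other than 1.0 and 1.1, per the context) and what the response is when it is unset.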
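Review bot: In the ``@@ -1469,7`` hunk (case-fold HTTP methods), "Deprecated; scheduled for removal in 24.0.0" is again missing a period, and this hunk and ``@@ -1410,7`` mark two options "Deprecated" with different removal versions (24.0.0 vs 25.0.0). If both versions are intentional, a ``.. deprecated:: 24.0.0`` directive here would make the difference explicit in the rendered docs; if not, align them.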
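Review bot: In the ``@@ -1512,9`` hunk (process requests with both Transfer-Encoding and Content-Length), the added directive ``.. versionchanged: 22.1.0`` uses a single colon; reStructuredText requires ``.. versionchanged:: 22.1.0`` (two colons), otherwise the whole block is parsed as a comment and the note about CR, LF and NUL rejection silently disappears from the rendered page. Also, the note describes a behaviour change with security relevance that goes beyond the option's name: setting this option now also passes CR, LF and NUL in header field values through unchanged, i.e. one setting simultaneously relaxes request-framing checks and header-value sanitisation. Suggest stating that coupling plainly in the option's main paragraph (not only in the changelog directive), and writing "RFC 9110" to match the "RFC9112" reference two lines above. The added sentence "the connection is closed after the malformed request, as it is unclear if and at which boundary additional requests start" is a useful mitigation note and should stay.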