test: codify rejection of Content-Length list form (RFC 9112 section 6.3)

Benoit Chesneau 2026-04-19 20:49:32 +02:00
parent 4da46edac0
commit 73e64364ca
2 changed files with 17 additions and 0 deletions


@ -0,0 +1,5 @@
POST /p HTTP/1.1\r\n
Host: example.com\r\n
Content-Length: 5, 5\r\n
\r\n
hello
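Review bot: This fixture pins only the list form with identical values (`Content-Length: 5, 5`), which is the one case RFC 9112 section 6.3 permits a recipient to accept. The case where a front end and gunicorn could disagree on body length is a list whose values differ. If no existing fixture covers it, a sibling request with `Content-Length: 5, 6\r\n` and the same `InvalidHeader` expectation would keep rejection of the mismatched form pinned even if the identical-value rule is later relaxed. The other fixtures are not visible on this page, so this may already be covered.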


@ -0,0 +1,12 @@
#
# This file is part of gunicorn released under the MIT license.
# See the NOTICE for more information.
# RFC 9112 section 6.3 allows Content-Length list form when all values
# match, but gunicorn takes the safer strict view and rejects any list
# form outright to avoid proxy/origin desync. PortSwigger HTTP Desync,
# CL list variant.
from gunicorn.http.errors import InvalidHeader
request = InvalidHeader
# The C parser (gunicorn_h1c) does not yet enforce this rule.
python_only = True
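Review bot: `python_only = True` asserts this rejection for the Python parser only, so, going by the comment above it, a deployment running gunicorn_h1c presumably still accepts the list form that the header comment describes as a proxy/origin desync risk. The comment should mark this as a known gap and say what closes it, for example `# TODO: drop python_only once gunicorn_h1c rejects Content-Length list form (tracking: <issue-ref placeholder>)`. That way the flag is removed when the C parser catches up rather than staying as a silent exemption.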