diff --git a/tests/requests/invalid/rfc9112_smuggle_cl_list_form_01.http b/tests/requests/invalid/rfc9112_smuggle_cl_list_form_01.http
new file mode 100644
index 00000000..42254715
--- /dev/null
+++ b/tests/requests/invalid/rfc9112_smuggle_cl_list_form_01.http
@@ -0,0 +1,5 @@
+POST /p HTTP/1.1\r\n
+Host: example.com\r\n
+Content-Length: 5, 5\r\n
+\r\n
+hello
diff --git a/tests/requests/invalid/rfc9112_smuggle_cl_list_form_01.py b/tests/requests/invalid/rfc9112_smuggle_cl_list_form_01.py
new file mode 100644
index 00000000..1248f585
--- /dev/null
+++ b/tests/requests/invalid/rfc9112_smuggle_cl_list_form_01.py
@@ -0,0 +1,12 @@
+#
+# This file is part of gunicorn released under the MIT license.
+# See the NOTICE for more information.
+
+# RFC 9112 section 6.3 allows Content-Length list form when all values
+# match, but gunicorn takes the safer strict view and rejects any list
+# form outright to avoid proxy/origin desync. PortSwigger HTTP Desync,
+# CL list variant.
+from gunicorn.http.errors import InvalidHeader
+request = InvalidHeader
+# The C parser (gunicorn_h1c) does not yet enforce this rule.
+python_only = True
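Review bot: The fixture exercises only the identical-values list form (`Content-Length: 5, 5` against a 5-byte body), which is the case RFC 9112 §6.3 lets a recipient either reject or collapse to a single value; the differing-values case, which the RFC requires every recipient to reject, is not pinned by this file. Unless a companion fixture already covers it (the `_01` suffix suggests the series may continue), I would add one so the strict policy is tested at both ends rather than only where a lenient parser would also happen to frame the body correctly. As written, a parser that normalizes instead of rejecting would consume `hello` cleanly, so the `request = InvalidHeader` expectation in the paired `.py` is the only thing that distinguishes the two behaviors.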
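Review bot: `python_only = True` on the last line quietly exempts the C parser from a request-smuggling-class check, so a deployment running gunicorn_h1c gets none of the protection this test documents, and nothing in the file makes sure the exemption is revisited. I would have the comment carry the tracking reference and the consequence, e.g. `# TODO(<tracking-issue-placeholder>): gunicorn_h1c still accepts CL list form; until it rejects it, the C parser path is not covered by this desync guard.` The header comment could also state the normative text more precisely — RFC 9112 §6.3 lets a recipient either reject or collapse identical values, it does not require acceptance — so a later reader does not take "allows" as an argument for loosening the Python parser to match the C one.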