mirror of
https://github.com/frappe/gunicorn.git
synced 2026-07-02 18:51:31 +08:00
fix: reject authority-form request-target outside CONNECT (RFC 9112 section 3.2.3)
Detect authority-form as a request-target that is neither origin-form (starts with "/"), absolute-form (contains "://"), nor asterisk-form; reject it for any method other than CONNECT. Applies to both the WSGI and ASGI Python parsers.
parent
e7fd6a104f
commit
882e636208
@ -460,6 +460,13 @@ class PythonProtocol:
|
|||||||
if self.path == b'*' and self.method != b'OPTIONS':
|
if self.path == b'*' and self.method != b'OPTIONS':
|
||||||
raise InvalidRequestLine("Invalid request line")
|
raise InvalidRequestLine("Invalid request line")
|
||||||
|
|
||||||
|
# RFC 9112 section 3.2.3: authority-form is only valid with CONNECT.
|
||||||
|
if (self.method != b'CONNECT'
|
||||||
|
and self.path != b'*'
|
||||||
|
and not self.path.startswith(b'/')
|
||||||
|
and b'://' not in self.path):
|
||||||
|
raise InvalidRequestLine("Invalid request line")
|
||||||
|
|
||||||
# Parse version
|
# Parse version
|
||||||
version = parts[2]
|
version = parts[2]
|
||||||
if version == b'HTTP/1.1':
|
if version == b'HTTP/1.1':
|
||||||
|
|||||||
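Review bot: The `b'://' not in self.path` clause is a substring test over the whole request-target, so a target that begins as host:port but carries `://` anywhere later is classified as absolute-form and is not rejected. Anchoring the test to the start of the target follows the scheme grammar more closely, e.g. `and not re.match(rb'[A-Za-z][A-Za-z0-9+.-]*://', self.path)`, assuming `re` is available in this module, which the hunk does not show. The same substring test appears in the `Request` hunk as `"://" not in self.uri`. A regression test with such a target on a non-CONNECT method would pin the behaviour, since a front-end and this parser disagreeing on the target's form is what the check is meant to prevent. The enclosing method starts and ends outside the hunk.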
@ -811,6 +811,15 @@ class Request(Message):
|
|||||||
if self.uri == "*" and self.method != "OPTIONS":
|
if self.uri == "*" and self.method != "OPTIONS":
|
||||||
raise InvalidRequestLine(bytes_to_str(line_bytes))
|
raise InvalidRequestLine(bytes_to_str(line_bytes))
|
||||||
|
|
||||||
|
# RFC 9112 section 3.2.3: authority-form ("host:port") is only valid
|
||||||
|
# with CONNECT. origin-form starts with "/"; absolute-form contains
|
||||||
|
# "://". Anything else on a non-CONNECT request is authority-form.
|
||||||
|
if (self.method != "CONNECT"
|
||||||
|
and self.uri != "*"
|
||||||
|
and not self.uri.startswith("/")
|
||||||
|
and "://" not in self.uri):
|
||||||
|
raise InvalidRequestLine(bytes_to_str(line_bytes))
|
||||||
|
|
||||||
try:
|
try:
|
||||||
parts = split_request_uri(self.uri)
|
parts = split_request_uri(self.uri)
|
||||||
except ValueError:
|
except ValueError:
|
||||||
|
|||||||
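Review bot: CONNECT is now the one method that skips the new form check, because `self.method != "CONNECT"` short-circuits the condition, so a CONNECT request whose target is origin-form or absolute-form still reaches `split_request_uri`. RFC 9112 section 3.2.3 also expects a CONNECT request to carry only host and port. If that direction is not validated elsewhere (not visible in this hunk), a comment such as `# NOTE: CONNECT targets are not checked for authority-form here` would at least record the gap. The `PythonProtocol` hunk has the same shape. The enclosing method starts and ends outside the hunk.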