strict: header field validation: stop casefolding

* refusing lowercase and ASCII 0x23 (#) had been partially enforced before * do not casefold by default, HTTP methods are case sensitive
2026-01-14 11:09:11 +08:00 · 2023-12-07 18:46:31 +01:00 · 2023-12-07 18:46:31 +01:00 · b2846783d7
commit b2846783d7
parent 42dd4190ac
11 changed files with 105 additions and 8 deletions
--- a/gunicorn/config.py
+++ b/gunicorn/config.py
@ -2254,5 +2254,49 @@ class StripHeaderSpaces(Setting):
        This is known to induce vulnerabilities and is not compliant with the HTTP/1.1 standard.
        See https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn.
-        Use with care and only if necessary.
+        Use with care and only if necessary. May be removed in a future version.
        .. versionadded:: 20.0.1
        """
 class PermitUnconventionalHTTPMethod(Setting):
    name = "permit_unconventional_http_method"
    section = "Server Mechanics"
    cli = ["--permit-unconventional-http-method"]
    validator = validate_bool
    action = "store_true"
    default = False
    desc = """\
        Permit HTTP methods not matching conventions, such as IANA registration guidelines
        This permits request methods of length less than 3 or more than 20,
        methods with lowercase characters or methods containing the # character.
        HTTP methods are case sensitive by definition, and merely uppercase by convention.
        This option is provided to diagnose backwards-incompatible changes.
        Use with care and only if necessary. May be removed in a future version.
        .. versionadded:: 22.0.0
        """
 class CasefoldHTTPMethod(Setting):
    name = "casefold_http_method"
    section = "Server Mechanics"
    cli = ["--casefold-http-method"]
    validator = validate_bool
    action = "store_true"
    default = False
    desc = """\
         Transform received HTTP methods to uppercase
         HTTP methods are case sensitive by definition, and merely uppercase by convention.
         This option is provided because previous versions of gunicorn defaulted to this behaviour.
         Use with care and only if necessary. May be removed in a future version.
         .. versionadded:: 22.0.0
         """
--- a/gunicorn/http/message.py
+++ b/gunicorn/http/message.py
@ -21,7 +21,10 @@ MAX_REQUEST_LINE = 8190
 MAX_HEADERS = 32768
 DEFAULT_MAX_HEADERFIELD_SIZE = 8190
-TOKEN_RE = re.compile(r"[!#$%&'*+\-.\^_`|~0-9a-zA-Z]+")
+# verbosely on purpose, avoid backslash ambiguity
 RFC9110_5_6_2_TOKEN_SPECIALS = r"!#$%&'*+-.^_`|~"
 TOKEN_RE = re.compile(r"[%s0-9a-zA-Z]+" % (re.escape(RFC9110_5_6_2_TOKEN_SPECIALS)))
 METHOD_BADCHAR_RE = re.compile("[a-z#]")
 VERSION_RE = re.compile(r"HTTP/(\d+)\.(\d+)")
@ -331,10 +334,23 @@ class Request(Message):
        if len(bits) != 3:
            raise InvalidRequestLine(bytes_to_str(line_bytes))
-        # Method
+        # Method: RFC9110 Section 9
-        if not TOKEN_RE.fullmatch(bits[0]):
+        self.method = bits[0]
-            raise InvalidRequestMethod(bits[0])
+
-        self.method = bits[0].upper()
+        # nonstandard restriction, suitable for all IANA registered methods
        # partially enforced in previous gunicorn versions
        if not self.cfg.permit_unconventional_http_method:
            if METHOD_BADCHAR_RE.search(self.method):
                raise InvalidRequestMethod(self.method)
            if not 3 <= len(bits[0]) <= 20:
                raise InvalidRequestMethod(self.method)
        # standard restriction: RFC9110 token
        if not TOKEN_RE.fullmatch(self.method):
            raise InvalidRequestMethod(self.method)
        # nonstandard and dangerous
        # methods are merely uppercase by convention, no case-insensitive treatment is intended
        if self.cfg.casefold_http_method:
            self.method = self.method.upper()
        # URI
        self.uri = bits[1]
--- a/tests/requests/invalid/003b.http
+++ b/tests/requests/invalid/003b.http
@ -0,0 +1,2 @@
 bla:rgh /foo HTTP/1.1\r\n
 \r\n
--- a/tests/requests/invalid/003b.py
+++ b/tests/requests/invalid/003b.py
@ -0,0 +1,2 @@
 from gunicorn.http.errors import InvalidRequestMethod
 request = InvalidRequestMethod
--- a/tests/requests/invalid/003c.http
+++ b/tests/requests/invalid/003c.http
@ -0,0 +1,2 @@
 -bl /foo HTTP/1.1\r\n
 \r\n
--- a/tests/requests/invalid/003c.py
+++ b/tests/requests/invalid/003c.py
@ -0,0 +1,2 @@
 from gunicorn.http.errors import InvalidRequestMethod
 request = InvalidRequestMethod
--- a/tests/requests/valid/031.http
+++ b/tests/requests/valid/031.http
@ -1,2 +1,2 @@
-blargh /foo HTTP/1.1\r\n
+-BLARGH /foo HTTP/1.1\r\n
 \r\n
--- a/tests/requests/valid/031compat.http
+++ b/tests/requests/valid/031compat.http
@ -0,0 +1,2 @@
 -blargh /foo HTTP/1.1\r\n
 \r\n
--- a/tests/requests/valid/031compat.py
+++ b/tests/requests/valid/031compat.py
@ -0,0 +1,13 @@
 from gunicorn.config import Config
 cfg = Config()
 cfg.set("permit_unconventional_http_method", True)
 cfg.set("casefold_http_method", True)
 request = {
    "method": "-BLARGH",
    "uri": uri("/foo"),
    "version": (1, 1),
    "headers": [],
    "body": b""
 }
--- a/tests/requests/valid/031compat2.http
+++ b/tests/requests/valid/031compat2.http
@ -0,0 +1,2 @@
 -blargh /foo HTTP/1.1\r\n
 \r\n
--- a/tests/requests/valid/031compat2.py
+++ b/tests/requests/valid/031compat2.py
@ -0,0 +1,12 @@
 from gunicorn.config import Config
 cfg = Config()
 cfg.set("permit_unconventional_http_method", True)
 request = {
    "method": "-blargh",
    "uri": uri("/foo"),
    "version": (1, 1),
    "headers": [],
    "body": b""
 }
		`@ -0,0 +1,2 @@`
							`from gunicorn.http.errors import InvalidRequestMethod`
							`request = InvalidRequestMethod`
`@ -1,2 +1,2 @@`
	`-blargh /foo HTTP/1.1\r\n`	`-BLARGH /foo HTTP/1.1\r\n`
	`\r\n`	`\r\n`