34 Commits

Author SHA1 Message Date
Benoit Chesneau
201df19a80 chore: remove eventlet worker; add h2 and uvloop to test deps
Eventlet was deprecated for 26.0 and is now removed:
- Delete gunicorn/workers/geventlet.py and its registry entry
- Drop eventlet from config help text, HTTP/2 unsupported-worker
  messages, and the dirty client docstring
- Drop the eventlet optional-dependency, the eventlet entry in the
  testing extra, and the eventlet-only filterwarnings ignore
- Drop the EventletWorkerAlpn test class
- Drop the freebsd CI ignore for the (now non-existent) test_geventlet.py
- Drop eventlet from the issue-triage discussion template
- Drop eventlet from README, install/design/http2/settings/news docs;
  rewrite the news.md entry from 'deprecated' to 'removed in this release'

Add h2 and uvloop to requirements_test.txt so a plain
'pip install -r requirements_test.txt' run reaches feature parity with
'pip install .[testing]' for those two deps. The container suite
previously skipped 87 HTTP/2 tests for missing h2 and 1 for uvloop;
the in-process suite skips drop from 67 to 40.
2026-05-05 00:36:46 +02:00
Benoit Chesneau
98eac0b04e chore: require gunicorn_h1c >=0.6.5 and drop last python_only marker
gunicorn_h1c 0.6.5 ships the Content-Length list-form rejection
(h1c #8). The last python_only marker can now come off
rfc9112_smuggle_cl_list_form_01.
2026-04-20 07:29:47 +02:00
Benoit Chesneau
408b1f0517 chore: require gunicorn_h1c >=0.6.4 and drop python_only markers
gunicorn_h1c 0.6.4 ships the RFC 9110/9112 hardening added in h1c #4,
#6, and #7: control chars in header values, request-target form/method
pairing, and forbidden trailer field-names. All the corresponding
fixtures now pass against the C parser, so their python_only markers
are removed.

The CL list form fixture stays marked — the C parser does not yet
reject Content-Length: "5, 5".
2026-04-19 23:40:58 +02:00
Benoit Chesneau
d40a374547 Fix pytest-asyncio configuration and treq_asgi hex escapes
- Add asyncio_mode = "auto" to pytest configuration for async tests
- Update treq_asgi.py badrequest class to support hex escapes
2026-03-26 17:59:40 +01:00
Benoit Chesneau
b00f125755 Integrate gunicorn_h1c 0.6.3 with InvalidChunkExtension support
Update to gunicorn_h1c >= 0.6.3 which adds InvalidChunkExtension
validation for rejecting chunk extensions with bare CR bytes per
RFC 9112.

Changes:
- Update pyproject.toml to require gunicorn_h1c >= 0.6.3
- Add InvalidChunkExtension exception to gunicorn/asgi/parser.py
- Handle InvalidChunkExtension from both Python and C parsers in protocol.py
- Add chunk extension validation tests
- Update treq.py badrequest class to support hex escapes
2026-03-26 15:46:51 +01:00
Benoit Chesneau
d43acb8fe0 Update to gunicorn_h1c >= 0.6.2 for asgi_headers support
- Use asgi_headers property (lowercase names) from fast parser
- Bump version to 25.3.0
- Update changelog with all changes for this release
2026-03-26 15:45:11 +01:00
Benoit Chesneau
389438fb5a Require gunicorn_h1c >= 0.6.0 for finish() method support
Update minimum version requirement for the fast HTTP parser to 0.6.0
which includes the finish() method for EOF handling in chunked encoding.
2026-03-26 14:12:50 +01:00
Benoit Chesneau
03cc85ef48 Integrate gunicorn_h1c 0.4.1 exception types and limit parameters
Require gunicorn_h1c >= 0.4.1 for fast parser mode. Add new exception
types and limit parameters to PythonProtocol for parity with C parser.
Update tests to parametrize across both parser implementations.
2026-03-22 13:43:18 +01:00
Benoit Chesneau
23c7210b67 Bump gunicorn_h1c to 0.2.0 for callback parser 2026-03-21 23:24:38 +01:00
Benoit Chesneau
b833a9b6df Add optional fast HTTP parser for ASGI workers
- Add http_parser config setting (auto/fast/python)
- Add gunicorn_h1c as optional dependency [fast]
- Add unified HttpParser class with fallback to pure Python
- Parser tries gunicorn_h1c in 'auto' mode, falls back gracefully
- 'fast' mode requires gunicorn_h1c, 'python' forces pure Python

Install with: pip install gunicorn[fast]
2026-03-21 09:19:41 +01:00
Benoit Chesneau
a57507c4e5 feat(ctl): add gunicornc control interface
Add a control socket server and CLI client for runtime management
of Gunicorn instances, similar to birdc for BIRD routing daemon.

Features:
- Control socket server running in arbiter process (asyncio/threaded)
- gunicornc CLI with interactive and single-command modes
- JSON protocol with length-prefixed framing
- Commands: show workers/stats/config/listeners/dirty, worker add/remove/kill,
  dirty add/remove, reload, reopen, shutdown
- Stats tracking (uptime, workers spawned/killed, reloads)
- Configurable socket path and permissions

New config options:
- control_socket: Unix socket path (default: gunicorn.ctl)
- control_socket_mode: Socket permissions (default: 0o600)
- --no-control-socket: Disable control socket
2026-02-13 01:38:17 +01:00
Benoit Chesneau
7ff671bca3 chore: replace README.rst with README.md, remove modernization-plan.md 2026-02-01 09:18:11 +01:00
Benoit Chesneau
780e2cf055 Add HTTP/2 tests
Unit tests for HTTP/2 implementation:
- test_http2_stream.py: Stream state management tests
- test_http2_request.py: Request interface tests
- test_http2_connection.py: Connection handling tests
- test_http2_async_connection.py: Async connection tests
- test_http2_config.py: Configuration tests
- test_http2_alpn.py: ALPN negotiation tests
- test_http2_errors.py: Error handling tests
- test_http2_integration.py: Integration tests

Docker integration tests:
- Full HTTP/2 testing environment with nginx proxy
- Direct connection tests and proxy tests
- Concurrent stream tests
- Protocol behavior tests
- Error handling tests
- Header handling tests
- Performance tests
2026-01-27 09:57:32 +01:00
Benoit Chesneau
c711d9fb6f Add HTTP/2 dependency and configuration
- Add optional h2 dependency for HTTP/2 support
- Add http2 module skeleton with availability check and errors
- Add HTTP/2 configuration settings (max_concurrent_streams,
  initial_window_size, max_frame_size, max_header_list_size)
- Add ALPN support to SSL context for HTTP/2 negotiation
2026-01-27 09:57:01 +01:00
Benoit Chesneau
b67ff0b31d test: fix warnings and flaky tests in dirty arbiter tests
- Close coroutines in mocked asyncio.run to prevent "never awaited" warning
- Fix flaky integration tests with proper async cleanup and try/finally
- Add uvloop to testing dependencies so uvloop test runs
- Add pytest warning filter for eventlet/asyncio incompatibility
2026-01-25 10:23:25 +01:00
Benoit Chesneau
7894d1c170 release: prepare 24.1.0
- Bump version to 24.1.0
- Add PROXY protocol v2 documentation to deploy guide
- Add 24.1.0 changelog with new features and bug fixes
- Update all docs.gunicorn.org URLs to gunicorn.org
2026-01-23 18:47:17 +01:00
Benoit Chesneau
f9df39f600 gevent: Require gevent 24.10.1+ to address CVE-2024-3219 2026-01-23 00:59:51 +01:00
Benoit Chesneau
db3b0819dc build: Update license config to PEP 639 format for uv compatibility 2026-01-23 00:51:32 +01:00
Benoit Chesneau
086dadfa1e testing: Pin gevent and eventlet minimum versions 2026-01-23 00:26:35 +01:00
Benoit Chesneau
4062a82ba7 eventlet: Require eventlet 0.40.3+ for security fixes
Upgrade minimum eventlet version to 0.40.3 to address security
vulnerabilities:

- CVE-2021-21419 (Moderate 6.9): Websocket memory exhaustion via
  large/compressed frames (fixed in 0.31.0)
- CVE-2025-58068 (Moderate 6.3): HTTP Request Smuggling via improper
  trailer handling (fixed in 0.40.3)

Also restructure module to call monkey_patch() at import time for
better patching coverage, while keeping hubs.use_hub() in the worker's
patch() method since it creates OS resources that don't survive fork.

Add comprehensive tests for the eventlet worker.
2026-01-23 00:25:50 +01:00
Benoit Chesneau
543854c123 gevent: Require gevent 23.9.0+ for security fixes
Address CVE-2023-41419 (Critical - remote privilege escalation via
WSGIServer) by requiring gevent 23.9.0 or higher.

Changes:
- Update minimum gevent version from 1.4.0 to 23.9.0
- Remove legacy server.kill() code path (gevent < 1.0)
- Update documentation to reflect new version requirement
- Add comprehensive tests for gevent worker
2026-01-23 00:14:11 +01:00
Benoit Chesneau
4b9d787c93 tornado: Require Tornado 6.5.0+ for security fixes
Update minimum Tornado version to 6.5.0 to address:
- CVE-2024-52804 (Medium): HTTP Cookie Parsing DoS
- CVE-2025-47287 (High 7.5): Multipart/Form-Data Parser DoS

This simplifies the tornado worker by removing legacy code paths
for Tornado < 5.0 and < 6.0, reducing the codebase by ~30%.

Changes:
- pyproject.toml: Update tornado requirement to >=6.5.0
- gtornado.py: Remove TORNADO5 constant and legacy code paths
- tornadoapp.py: Update example to use async/await syntax
- test_gtornado.py: Add comprehensive test suite
2026-01-23 00:02:01 +01:00
Benoit Chesneau
99ffa0cc6b tests: Exclude docker tests from regular pytest runs
- Add tests/docker to norecursedirs in pyproject.toml to prevent
  docker tests from running during regular test suite (they require
  docker and the requests library)
- Add -p no:cov to docker integration workflow to disable coverage
  plugin since pytest-cov is not installed in that environment
2026-01-22 19:24:30 +01:00
Benoit Chesneau
ae1eea8108 asgi: Add native ASGI worker with HTTP and WebSocket support
Add a new ASGI worker type that provides native async support using
gunicorn's own HTTP parsing infrastructure adapted for asyncio.

Features:
- HTTP/1.1 with keepalive support
- WebSocket connections (RFC 6455)
- ASGI lifespan protocol for startup/shutdown hooks
- Optional uvloop support for improved performance
- Full proxy protocol support (inherited from gunicorn)

New configuration options:
- --asgi-loop: Event loop selection (auto/asyncio/uvloop)
- --asgi-lifespan: Lifespan protocol control (auto/on/off)
- --root-path: ASGI root path for reverse proxy setups

Usage: gunicorn -k asgi myapp:app
2026-01-22 17:05:29 +01:00
Benoit Chesneau
56b5ad87f8 Restore Python 3.10 and 3.11 support (#3425)
This change extends Python support back to 3.10 and 3.11, which are
still actively maintained by the PSF:
- Python 3.10: Security support until Oct 2026
- Python 3.11: Active support (latest feature release)
- Python 3.12: Active support
- Python 3.13: Latest stable release

The previous change to support only 3.12+ was too restrictive as many
users are still on Python 3.10 and 3.11 in production environments.

Changes:
- Updated pyproject.toml to set minimum Python to 3.10
- Added Python 3.10, 3.11, and PyPy 3.10 to CI matrix
- Updated all documentation to reflect Python 3.10+ requirement
- Maintained compatibility with latest pylint for Python 3.12+
2025-10-05 22:45:21 +02:00
Benoit Chesneau
1dc4ce9d59 Update to support only Python 3.12 and 3.13 (#3422)
* Update CI and project to support only Python N (3.13) and N-1 (3.12)

- Update GitHub Actions workflows to test only Python 3.12 and 3.13
- Update pyproject.toml to require Python >= 3.12
- Update tox.ini to test only py312 and py313
- Update documentation to reflect Python 3.12+ requirement
- Clean up AppVeyor configuration for Python 3.12
* Update pylint to 3.3.2 for Python 3.12 compatibility
* Disable new pylint warnings for pre-existing issues
2025-10-05 19:55:32 +02:00
David Huggins-Daines
0243ec39ef fix(deps): exclude eventlet 0.36.0 2024-03-26 10:15:11 -04:00
Thomas Grainger
5e30bfa6b1 add changelog to project.urls (updated for PEP621) 2023-12-29 05:12:08 +01:00
Paul J. Dorn
c2e48b3014 Merge #3085 2023-12-29 05:10:42 +01:00
Paul J. Dorn
09ee579f44 Merge #3083 2023-12-29 05:09:19 +01:00
Paul J. Dorn
611746edc9 CI: check entry points
Fixes: fdd23e82926d7d10ec4a8e65e42b5184a4ee20ce
2023-12-07 21:12:38 +01:00
Paul J. Dorn
c3396b9786 github actions: cache and test run_module (-m) 2023-12-07 20:02:55 +01:00
Mathieu Dupuy
7acd83bfb6 pyproject.toml: fix license-files field 2023-12-02 11:03:13 +01:00
Mathieu Dupuy
fdd23e8292 migrate to pyproject.toml 2023-09-12 00:43:37 +02:00