22 Commits

Author SHA1 Message Date
Benoit Chesneau
8e25cb2400 fix: tighten keepalive gate and scope finish_body byte cap
- ASGI keepalive gate now keys on receiver._complete only. _closed is
  overloaded across transport disconnect and receive timeout; treating
  either as 'message complete' would re-enable the smuggling vector
  the previous PR was meant to close.
- Parser.finish_body's 64 KiB byte cap now applies only when an explicit
  deadline is given. Default invocations (notably __next__, used by
  base_async / sync workers) regain the prior unbounded drain so a
  partial drain does not silently desync the next request.
2026-05-03 18:37:45 +02:00
Benoit Chesneau
6f9ed30d23 lint: use dict literal and hoist mock import 2026-05-03 18:23:45 +02:00
Benoit Chesneau
e90b1c2c1e fix: address six WSGI/ASGI parser and protocol findings
- WSGI fast parser now applies the same per-header policy as the Python
  parser (Expect, secure_scheme_headers, forwarded_allow_ips trust gate,
  forwarder_headers / header_map). Shared helpers extracted on Message.

- ASGI keepalive no longer resets the parser when the previous request
  body was not fully framed; the connection closes instead, preventing
  request smuggling on pipelined connections.

- BodyReceiver._wait_for_data timeout flips _closed and yields
  http.disconnect rather than synthesizing more_body=False. Timeout
  honors cfg.timeout.

- ASGI chunked encoding now skips HEAD, 204, and 304 (matches
  Response.is_chunked in the WSGI path) via a small helper.

- _setup_callback_parser passes proxy_protocol to PythonProtocol; auto
  falls back to the Python parser when proxy_protocol != off (the C
  parser does not implement PROXY framing). _effective_peername swaps
  the transport peer with the PROXY-supplied client address.

- Parser.finish_body accepts a deadline and a 64KiB byte cap; gthread
  passes a deadline and abandons keepalive on incomplete drain so a
  stalled client cannot tie up a worker thread.
2026-05-03 18:19:08 +02:00
r266-tech
f8fca7a72f
fix: add __iter__ and __next__ to FileWrapper for PEP 3333 compliance (#3550)
* fix: add __iter__ and __next__ to FileWrapper for PEP 3333 compliance

The WSGI spec (PEP 3333) requires that wsgi.file_wrapper return an
iterable object. Gunicorn's FileWrapper only implemented __getitem__,
which technically makes it iterable via old-style iteration but breaks
code that explicitly relies on the iterator protocol (e.g., calling
iter() or using next()).

This adds __iter__ (returning self) and __next__ to make FileWrapper
a proper iterator, maintaining backward compatibility with existing
__getitem__-based usage.

Fixes #3396

* Fix lint: move imports to top of file

---------

Co-authored-by: contributor <noreply@users.noreply.github.com>
Co-authored-by: Benoit Chesneau <bchesneau@gmail.com>
2026-03-24 22:38:16 +01:00
Benoit Chesneau
95b7ffeeaa chore: prepare release 25.0.2
- Bump version to 25.0.2
- Update copyright year to 2026 in LICENSE and NOTICE
- Add license headers to all Python source files
- Add changelog entry for 25.0.2
2026-02-06 08:21:18 +01:00
Benoit Chesneau
56abeaf105 fix: unreader.unread() now prepends data to buffer
The unread method was incorrectly appending data to the end of the
buffer instead of prepending it to the beginning. This caused issues
when reading partial data and then unreading it.

Closes #2915
Closes #2346
2026-01-23 11:39:05 +01:00
Benoit Chesneau
e75c3533e3
Merge pull request #3189 from pajod/patch-py36
chore: eat Python 2 leftovers
2024-08-10 10:40:40 +02:00
Vaclav Rehak
97f87ec13e Fix InvalidHTTPVersion exception str method
Fixes: #3195
2024-04-26 13:58:10 +02:00
Paul J. Dorn
4323027b1e drop long-default - coding: utf-8 2024-04-22 03:33:14 +02:00
Paul J. Dorn
42dd4190ac test: verify TOKEN_RE against common HTTP Methods 2023-12-15 13:33:31 +01:00
unknown
48d670f087 update pylint version, and fix linter issues 2023-05-17 18:45:59 +03:00
Masashi SHIBATA
b15712924f Import unittest.mock unconditionally (#2050) 2019-05-28 16:09:44 +03:00
Brett Randall
879651bb6f Header values are encoded using latin-1, not ascii.
This commit reverts one aspect changed by 5f4ebd2eb2b08783a5fbefe79d09fcb3fc1fbc73 (#1151);
header-values are again encoded as latin-1 and not ascii. Test is restored but uses
a latin-1-mappable test-character, not a general utf8 character.

Fixed #1778.

Signed-off-by: Brett Randall <javabrett@gmail.com>
2019-04-18 04:23:19 +03:00
Hugo
e974f30517 Drop support for Python 2
Co-Authored-By: Dustin Ingram <di@users.noreply.github.com>
Co-Authored-By: Berker Peksag <berker.peksag@gmail.com>
2018-08-01 15:31:17 +03:00
Berker Peksag
76eaa0805b Fix various warnings and errors reported by pylint 2018-01-11 09:59:31 +03:00
Eugene Obukhov
a04b5f0975 Add tests for reader classes (#1241)
* Fix FakeSocket.recv method

* Add tests for Unreader and its subclasses

* Add tests for EOFReader and LengthReader
2016-04-15 00:49:00 +03:00
Berker Peksag
31fd844333 Fix test_http on Python 2 2016-03-20 08:16:05 +02:00
Berker Peksag
b17f1bc305 Fix typo in test name 2016-03-20 07:52:59 +02:00
Berker Peksag
33924a8649 Use more pytest.raises() in test_http.py
Signed-off-by: Berker Peksag <berker.peksag@gmail.com>
2016-03-20 07:52:13 +02:00
benoitc
1e10a02e73 check if the header contains control characters
fix #1227
2016-03-19 19:16:59 +01:00
benoitc
09e0d4c7fc encode fix test 2015-11-25 14:11:54 +01:00
Jochen Wersdörfer
338721ac56 encode http headers as latin1 RFC 2616 2015-08-29 11:16:58 +02:00