Benoit Chesneau
3b3752eb90
test: add failing fixtures for forbidden trailer fields
2026-04-19 11:38:05 +02:00
Benoit Chesneau
ba8776d3fc
Merge pull request #3596 from benoitc/test/rfc9112-relative-target-fixture
...
test: codify rejection of relative-reference request-target (RFC 9112 §3.2)
2026-04-19 11:36:57 +02:00
Benoit Chesneau
62252223e0
test: codify rejection of relative-reference request-target (RFC 9112 section 3.2)
2026-04-19 11:23:00 +02:00
Benoit Chesneau
37771e8a44
Merge pull request #3595 from benoitc/fix/rfc9112-reject-authority-form-non-connect
...
fix: reject authority-form request-target outside CONNECT (RFC 9112 §3.2.3)
2026-04-19 11:22:11 +02:00
Benoit Chesneau
882e636208
fix: reject authority-form request-target outside CONNECT (RFC 9112 section 3.2.3)
...
Detect authority-form as a request-target that is neither origin-form
(starts with "/"), absolute-form (contains "://"), nor asterisk; reject
it for any method other than CONNECT. Both WSGI and ASGI Python parsers.
2026-04-19 11:11:42 +02:00
Benoit Chesneau
e7fd6a104f
test: add failing fixture for authority-form with non-CONNECT method
2026-04-19 11:09:29 +02:00
Benoit Chesneau
e3ba1e07fa
Merge pull request #3594 from benoitc/fix/rfc9112-reject-asterisk-form-non-options
...
fix: reject asterisk-form request-target outside OPTIONS (RFC 9112 §3.2.4)
2026-04-19 11:08:44 +02:00
Benoit Chesneau
82d33d4c71
fix: reject asterisk-form request-target outside OPTIONS (RFC 9112 section 3.2.4)
...
The Python WSGI and ASGI parsers both accepted `GET *` and similar; RFC
9112 restricts asterisk-form to OPTIONS. Both now raise InvalidRequestLine.
The fast (C) parser in gunicorn_h1c does not yet enforce this, so the
fixture is marked python_only via a new sidecar flag honored by the WSGI
and ASGI invalid-request harnesses.
2026-04-19 10:43:01 +02:00
Benoit Chesneau
2c57071675
test: add failing fixture for asterisk-form with non-OPTIONS method
2026-04-19 10:37:14 +02:00
Benoit Chesneau
b90626c21e
Merge pull request #3592 from benoitc/test/rfc9112-compliance-corpus-phase2a
...
test: codify absolute-form and IPv6 authority vectors (phase 2A)
2026-04-19 10:36:45 +02:00
Benoit Chesneau
e896a653a4
test: codify absolute-form and IPv6 authority request-target vectors (phase 2A)
2026-04-19 10:15:39 +02:00
Benoit Chesneau
369b8d7d2c
Merge pull request #3591 from benoitc/test/rfc9112-compliance-corpus-phase1
...
test: codify RFC 9112 request-target and TE/CL vectors (phase 1)
2026-04-19 10:12:33 +02:00
Benoit Chesneau
5de593708f
Merge pull request #3590 from benoitc/fix/graceful-connection-close
...
fix: drain connection on close per RFC 9112 section 9.6
2026-04-19 09:57:16 +02:00
Benoit Chesneau
f1c204626f
test: codify RFC 9112 request-target and TE/CL vectors (phase 1)
...
Six treq fixtures covering gaps: absolute-form, asterisk-form (OPTIONS *),
authority-form (CONNECT), TE codings stacking (gzip/identity before chunked),
and the CL + TE:chunked smuggling vector.
Phase 1 of a staged corpus expansion; fixtures only, no parser changes.
2026-04-19 09:52:15 +02:00
Benoit Chesneau
9d422c3ef0
fix: drain connection on close per RFC 9112 section 9.6
...
Avoids TCP RST truncating the response tail when unread request data
(body, pipelined bytes, trailers) sits in the kernel recv buffer at
close time. Half-closes write, linger-reads (bounded 2s / 64 KB),
then closes.
2026-04-19 09:41:07 +02:00
Benoit Chesneau
e5c30b4bc2
Merge pull request #3588 from eddieran/fix/early-hints-header-validation
...
fix: add header validation to early_hints callback
2026-04-19 09:16:10 +02:00
Ran
38ea12629f
Pass only the header name to InvalidHeader exception
...
Per @pajod review: the invalid header value may carry sensitive
content, and raising it through the exception could leak it
across security boundaries (browsers/proxies handling response
splitting errors). Pass just the name instead.
2026-04-17 06:11:57 +08:00
ran
7ae6503dea
fix: validate headers in early_hints callback to match process_headers
...
The early_hints callback constructs 103 Early Hints responses without
any header validation, while process_headers validates against TOKEN_RE
and HEADER_VALUE_RE for normal responses. This inconsistency means a
WSGI app passing unsanitized data to wsgi.early_hints could enable
HTTP response splitting via CRLF injection.
Apply the same TOKEN_RE/HEADER_VALUE_RE checks from process_headers to
the early_hints callback for defense-in-depth consistency.
Closes #3585
2026-04-13 17:21:24 +08:00
Benoit Chesneau
9aa54703f4
Update ASGI compatibility grid to 438/444 (98%)
2026-04-04 03:15:44 +02:00
Benoit Chesneau
8cf10ec79e
Merge pull request #3579 from benoitc/asgi-framework-compat-tests
...
Fix RFC 9110 section reference: 8.6 not 15.2
2026-04-04 03:15:01 +02:00
Benoit Chesneau
3936905c3f
Fix RFC 9110 section reference: 8.6 not 15.2
2026-04-04 03:10:52 +02:00
Benoit Chesneau
d607372482
Merge pull request #3578 from benoitc/asgi-framework-compat-tests
...
Add ASGI framework compatibility E2E test suite
2026-04-04 03:03:01 +02:00
Benoit Chesneau
97fcc6f1ee
Update ASGI compatibility grid - 438/444 tests passing
2026-04-04 03:00:41 +02:00
Benoit Chesneau
06e59d252b
Fix Litestar request handling - use raw ASGI receive for body/headers
...
Litestar internally caches request.body() and request.headers which
caused stale data to be returned on subsequent requests over keep-alive
connections. Access body via receive callable and headers directly from
scope to avoid this caching behavior.
2026-04-04 02:27:57 +02:00
Benoit Chesneau
db9030b7bc
Fix Quart headers endpoint - normalize keys to lowercase
...
HTTP headers are case-insensitive. Normalize to lowercase for consistency
with tests and other frameworks.
2026-04-03 23:53:09 +02:00
Benoit Chesneau
725c03e8ff
Fix WebSocket binary send when text key is None
...
ASGI allows websocket.send messages to contain both text and bytes
keys where one is None. Check for truthy values instead of key existence.
2026-04-03 23:53:03 +02:00
Benoit Chesneau
746cc049d0
Skip HTTP 100 Continue test - invalid per RFC 7231
...
HTTP 100 Continue is an informational response that must be followed
by a final response. Testing it as a final response is invalid HTTP.
2026-04-03 23:13:27 +02:00
Benoit Chesneau
9c2bedceb7
Fix Litestar HTTP endpoints for compatibility tests
...
- Echo endpoint: add explicit status_code=200 (Litestar defaults to 201)
- Status endpoint: handle 204 No Content with empty body per HTTP spec
2026-04-03 23:13:22 +02:00
Benoit Chesneau
cbba5cb302
Fix Quart WebSocket close test app - add missing accept()
...
WebSocket connections must be accepted before they can be closed.
Added await websocket.accept() before await websocket.close(code).
2026-04-03 23:12:25 +02:00
Benoit Chesneau
65ba40b243
Update Docker setup to install gunicorn from local source
...
This allows testing local changes to gunicorn in the E2E test suite.
Previously containers were installing from GitHub master branch.
Also updates compatibility grid with latest test results (417/444, 93%).
2026-04-03 22:03:39 +02:00
Benoit Chesneau
cf92b2317a
Fix duplicate Transfer-Encoding header for BlackSheep streaming
...
When frameworks like BlackSheep set Transfer-Encoding: chunked on
streaming responses, gunicorn was adding a second header without
checking if one already exists. This caused httpcore to reject the
response with "multiple Transfer-Encoding headers" error.
Fix checks for existing Transfer-Encoding header before adding one,
while still enabling chunked body encoding when the framework sets it.
2026-04-03 21:10:23 +02:00
Benoit Chesneau
51d350a212
Close transport after WebSocket close handshake completes
2026-04-03 16:34:18 +02:00
Benoit Chesneau
3fc9a2f002
Fix WebSocket close handshake to comply with RFC 6455
...
- Add _close_sent, _close_received, _close_event state variables
- Server now waits for client's close frame response before marking
  connection as closed (5s timeout)
- Update _read_frames loop to continue reading after sending close
- Fix tests to simulate client close frame response
2026-04-03 14:53:36 +02:00
Benoit Chesneau
47bd20a7cb
Fix HTTP 100 Continue adding Transfer-Encoding: chunked
...
Skip adding Transfer-Encoding: chunked for 1xx informational
responses per RFC 9110 Section 15.2.
2026-04-03 13:57:49 +02:00
Benoit Chesneau
136a124674
Add unit tests reproducing ASGI framework compatibility failures
...
Tests expose HTTP 100 Continue bug: gunicorn incorrectly adds
Transfer-Encoding: chunked to 1xx responses, violating RFC 9110.
Test results:
- 2 FAILED: HTTP 100 Continue (confirms bug)
- 20 PASSED: WebSocket close/binary/handshake
Coverage: websocket.py 62%, protocol.py 29%
2026-04-03 12:11:32 +02:00
Benoit Chesneau
26ae6e6f47
Add ASGI framework compatibility E2E test suite
...
Docker-based test suite validating gunicorn's ASGI worker against:
- Django + Channels
- FastAPI
- Starlette
- Quart
- Litestar
- BlackSheep
Tests cover HTTP scope, HTTP messages, WebSocket, lifespan protocol,
and streaming responses. Includes compatibility grid generator.
Results: 403/444 tests passed (90%)
2026-04-03 11:10:00 +02:00
Benoit Chesneau
1c82d4b518
Add ASGI test suite enhancement with 134 new tests
...
New test files covering areas identified as gaps compared to
Daphne and Uvicorn test coverage:
- test_asgi_header_security.py: Header validation, normalization,
  injection prevention
- test_asgi_error_handling.py: Application errors, body receiver
  errors, graceful shutdown
- test_asgi_protocol_http.py: HTTP connection management, chunked
  encoding, methods, scope building
- test_asgi_websocket_enhanced.py: WebSocket message limits,
  connection rejection, subprotocols
- test_asgi_lifespan.py: Lifespan message formats and behavior
- test_asgi_forwarded_headers.py: X-Forwarded-* and proxy header
  handling
2026-04-03 09:09:16 +02:00
Benoit Chesneau
72138b3631
Merge pull request #3573 from benoitc/dependabot/github_actions/docker/metadata-action-6
...
chore(deps): bump docker/metadata-action from 5 to 6
2026-04-03 01:56:38 +02:00
Benoit Chesneau
aefbd3254c
Merge pull request #3572 from benoitc/dependabot/github_actions/docker/setup-buildx-action-4
...
chore(deps): bump docker/setup-buildx-action from 3 to 4
2026-04-03 01:56:13 +02:00
dependabot[bot]
4dad439b30
chore(deps): bump docker/setup-buildx-action from 3 to 4
...
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3 to 4.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v3...v4)
---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-02 23:55:21 +00:00
Benoit Chesneau
4d56a2001f
Merge pull request #3571 from benoitc/dependabot/github_actions/docker/login-action-4
...
chore(deps): bump docker/login-action from 3 to 4
2026-04-03 01:54:47 +02:00
Benoit Chesneau
387ed995c6
Merge pull request #3570 from benoitc/dependabot/github_actions/docker/build-push-action-7
...
chore(deps): bump docker/build-push-action from 6 to 7
2026-04-03 01:54:21 +02:00
Benoit Chesneau
88c5e9af18
Merge pull request #3569 from benoitc/dependabot/github_actions/docker/setup-qemu-action-4
...
chore(deps): bump docker/setup-qemu-action from 3 to 4
2026-04-03 01:53:59 +02:00
Benoit Chesneau
4e9db71aeb
Merge pull request #3568 from benleembruggen/fix/h2-stream-ended-body-complete
...
fix: HTTP/2 ASGI body duplication in async_connection.py
2026-04-03 01:51:02 +02:00
Benoit Chesneau
7263de9b63
Merge pull request #3575 from benoitc/asgi-disconnect-regression-tests
...
Fix ASGI disconnect handling for Django-style apps
2026-04-03 01:47:29 +02:00
Benoit Chesneau
7953c2585b
Fix ASGI disconnect handling for Django-style apps
...
BodyReceiver.receive() now blocks after body is finished until actual
disconnect, instead of returning http.disconnect immediately. This fixes
Django's listen_for_disconnect task thinking client disconnected early.
Adds regression tests for the fix.
Fixes #3484
2026-04-02 23:55:27 +02:00
dependabot[bot]
22b8b926be
chore(deps): bump docker/metadata-action from 5 to 6
...
Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5 to 6.
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Commits](https://github.com/docker/metadata-action/compare/v5...v6)
---
updated-dependencies:
- dependency-name: docker/metadata-action
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-02 02:11:23 +00:00
dependabot[bot]
229da6b1ec
chore(deps): bump docker/login-action from 3 to 4
...
Bumps [docker/login-action](https://github.com/docker/login-action) from 3 to 4.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v3...v4)
---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-02 02:11:16 +00:00
dependabot[bot]
cba82e3eec
chore(deps): bump docker/build-push-action from 6 to 7
...
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6 to 7.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6...v7)
---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-02 02:11:12 +00:00
dependabot[bot]
cd9fecff8a
chore(deps): bump docker/setup-qemu-action from 3 to 4
...
Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3 to 4.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](https://github.com/docker/setup-qemu-action/compare/v3...v4)
---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-02 02:11:09 +00:00