Benoit Chesneau
5c0e1571dc
Merge pull request #3255 from pajod/patch-refuse-empty-request-target
...
refuse empty request-target in HTTP request
2024-08-06 18:26:47 +02:00
Benoit Chesneau
26c22af2e7
Merge pull request #2336 from elendiastarman/gevent-statsd-fix
...
Fixed two bugs related to gevent + gunicorn + statsd.
2024-08-06 18:08:18 +02:00
Benoit Chesneau
5e39f88622
Update tornadoapp.py
2024-08-06 17:50:16 +02:00
Benoit Chesneau
7f559886cb
Merge pull request #3258 from pajod/patch-empty-chunksize
...
gracefully handle chunked encoding missing size
2024-08-06 13:20:52 +02:00
Paul J. Dorn
cabc666277
chunked encoding: example invalid requests
2024-07-31 19:21:07 +02:00
Paul J. Dorn
a3d130ae51
gracefully handle chunked encoding missing size
...
Treat it the same as invalid characters where size should be.
2024-07-31 18:32:02 +02:00
Paul J. Dorn
9ca4f1fdfc
refuse empty request-target in HTTP request
...
A single slash is valid, but nothing at all can be safely refused.
Python stdlib explicitly tells us it will not perform validation.
https://docs.python.org/3/library/urllib.parse.html#url-parsing-security
There are *four* `request-target` forms in rfc9112; none of them can be empty.
2024-07-31 02:14:35 +02:00
Benoit Chesneau
79b9a52cc8
Merge pull request #3196 from washeck/3195-http-version-error
...
Fix InvalidHTTPVersion exception str method
2024-07-04 15:13:43 +02:00
Benoit Chesneau
405c3ca35e
Merge pull request #3211 from pajod/patch-macos14-no-eol-python
...
CI: revert macos-14 runners, migrate to tox v4-exclusive settings, add Python 3.13
2024-07-04 15:11:57 +02:00
Benoit Chesneau
9802e21f77
Merge pull request #3214 from boxydog/doc_prefork
...
Document server hooks in a custom application
2024-05-22 04:21:04 +02:00
boxydog
0f20019113
Document server hooks in a custom application
2024-05-18 14:20:42 -05:00
Paul J. Dorn
8fe034ef7c
CI: run entry point tests without deps, run lint without package build steps
2024-05-13 01:09:16 +02:00
Paul J. Dorn
9949e34e96
CI: also try Python 3.13 (at this time beta 1)
2024-05-13 01:04:50 +02:00
Paul J. Dorn
3d00696397
CI: revert macos-14 for Github runners
2024-05-13 00:50:20 +02:00
Vaclav Rehak
97f87ec13e
Fix InvalidHTTPVersion exception str method
...
Fixes: #3195
2024-04-26 13:58:10 +02:00
benoitc
5b68c17b17
fix license year
2024-04-17 01:13:23 +02:00
benoitc
f63d59e4d7
bump to 22.0
2024-04-17 00:44:14 +02:00
Benoit Chesneau
4ac81e0a10
Merge pull request #3175 from e-kwsm/typo
...
chore: fix typos
2024-04-17 00:34:39 +02:00
Benoit Chesneau
401cecfaed
Merge pull request #3179 from dhdaines/exclude-eventlet-0360
...
fix(deps): exclude eventlet 0.36.0 to avoid WebSocket bug
2024-04-17 00:26:51 +02:00
David Huggins-Daines
0243ec39ef
fix(deps): exclude eventlet 0.36.0
2024-03-26 10:15:11 -04:00
Eisuke Kawashima
628a0bcb61
chore: fix typos
2024-03-25 08:31:59 +09:00
Benoit Chesneau
88fc4a4315
Merge pull request #3131 from pajod/patch-py12-rebased
...
CI: add CPython 3.12 and PyPy3.10, stop promising untested versions
2024-01-05 09:24:01 +01:00
Paul J. Dorn
deae2fc4c5
CI: back off the aggressive timeout
...
Precise number does not matter that much, so let's not stop potentially working tests.
The point was to cut off well before 6 hours, so any small number will do.
2023-12-29 05:35:32 +01:00
Paul J. Dorn
f4703824c3
docs: promise 3.12 compat
2023-12-29 05:12:08 +01:00
Thomas Grainger
5e30bfa6b1
add changelog to project.urls (updated for PEP621)
2023-12-29 05:12:08 +01:00
Paul J. Dorn
481c3f9522
remove setup.cfg - overridden by pyproject.toml
2023-12-29 05:12:08 +01:00
Paul J. Dorn
89dcc5c578
CI: stop testing EoL PyPy
2023-12-29 05:12:07 +01:00
Paul J. Dorn
184e36f9da
skip eventlet, not yet supported on python 3.12
...
will work again,
should still be reverted when stdlib conflict resolved in eventlet
2023-12-29 05:11:18 +01:00
Paul J. Dorn
b39c5b7ebb
CI: style
2023-12-29 05:11:17 +01:00
Paul J. Dorn
0bb96d17c5
CI: tests may hang on PyPy
2023-12-29 05:10:44 +01:00
Paul J. Dorn
c2e48b3014
Merge #3085
2023-12-29 05:10:42 +01:00
Paul J. Dorn
09ee579f44
Merge #3083
2023-12-29 05:09:19 +01:00
Randall Leeds
660fd8d850
Fix references to non-existent 20.2 version in configuration settings
...
Close #3043.
2023-12-28 19:57:14 -08:00
Randall Leeds
f9e61b11c7
Merge pull request #3108 from pajod/patch-githubactions
...
restore, and from now on CI-test for entry point
2023-12-28 18:54:52 -08:00
Randall Leeds
b5d78e8bc7
Merge pull request #1967 from skytoup/master
...
Fix #1965: About gunicorn [CRITICAL] Worker Timeout
2023-12-27 16:19:15 -08:00
Randall Leeds
fd809184c3
Merge branch 'master' into master
2023-12-27 16:16:21 -08:00
Randall Leeds
bd734c573a
Merge pull request #3123 from pajod/patch-1
...
Typo and email address in Security.md
2023-12-25 14:08:28 -08:00
Paul J. Dorn
e0c3390f1e
Typo and email in Security.md
...
Fixes: 13027ef797edba55967f366ec958a9a03b3d345b
email duplicated from docs/source/community.rst
2023-12-25 18:39:18 +00:00
Benoit Chesneau
0b4c939527
Merge pull request #3113 from pajod/patch-security
...
Fix numerous message parsing issues (v2)
2023-12-25 18:26:20 +01:00
Paul J. Dorn
e710393d14
HTTP parser: stricter chunk-ext OBS handling
...
chunk extensions are silently ignored before and after this change;
it's just the whitespace handling for the case without extensions that matters
applying same strip(WS)->rstrip(BWS) replacement as already done in related cases
half-way fix: could probably reject all BWS cases, rejecting only misplaced ones
2023-12-17 17:46:56 +01:00
Paul J. Dorn
b6c7414fd0
briefly document security fixes in 2023 news
...
further information to be published in security advisories, published out of tree on Github
2023-12-15 13:33:31 +01:00
Paul J. Dorn
7ebe442d08
strict HTTP version validation
...
Note: This is unrelated to a reverse proxy potentially talking HTTP/3 to clients.
This is about the HTTP protocol version spoken to Gunicorn, which is HTTP/1.0 or HTTP/1.1.
Little legitimate need for processing HTTP 1 requests with ambiguous version numbers.
Broadly refuse.
Co-authored-by: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
2023-12-15 13:33:31 +01:00
Paul J. Dorn
f5501111a2
strict HTTP header field name validation
...
Do the validation on the original, not the result from unicode case folding.
Background:
latin-1 0xDF is traditionally uppercased 0x53+0x53 which puts it back in ASCII
2023-12-15 13:33:31 +01:00
Paul J. Dorn
fd67112f40
Ignore secure_scheme_headers in Trailer section
...
In common configuration, unlikely a big security problem in itself;
you are just fooling the remote about https.
However, it offers an oracle for otherwise invisible proxy request headers,
so it might help exploiting other vulnerabilities.
2023-12-15 13:33:31 +01:00
Paul J. Dorn
ac29c9b0a7
fail-safe on unsupported request framing
...
If we promise wsgi.input_terminated, we better get it right - or not at all.
* chunked encoding on HTTP <= 1.1
* chunked not last transfer coding
* multiple chunked codings
* any unknown codings (yes, this too! because we do not detect unusual syntax that is still chunked)
* empty coding (plausibly harmless, but not seen in real life anyway - refused, for the moment)
2023-12-15 13:33:31 +01:00
Paul J. Dorn
0b10cbab1d
unconditionally log request error
...
Somehow exception logging was conditional on successful request uri parsing.
Add it back for the other branch.
2023-12-15 13:33:31 +01:00
Paul J. Dorn
72b8970dbf
silently drop or refuse header names w/ underscore
...
Ambiguous mappings open a bottomless pit of "what is user input and what is proxy input" confusion.
Default to what everyone else has been doing for years now, silently drop.
see also https://nginx.org/r/underscores_in_headers
2023-12-15 13:33:31 +01:00
Paul J. Dorn
b2846783d7
strict: header field validation: stop casefolding
...
* refusing lowercase and ASCII 0x23 (#) had been partially enforced before
* do not casefold by default, HTTP methods are case sensitive
2023-12-15 13:33:31 +01:00
Paul J. Dorn
42dd4190ac
test: verify TOKEN_RE against common HTTP Methods
2023-12-15 13:33:31 +01:00
Paul J. Dorn
13027ef797
Create SECURITY.md
2023-12-15 13:33:31 +01:00