348 Commits

Author SHA1 Message Date
Benoit Chesneau
5c0e1571dc
Merge pull request #3255 from pajod/patch-refuse-empty-request-target
refuse empty request-target in HTTP request
2024-08-06 18:26:47 +02:00
Paul J. Dorn
a3d130ae51 gracefully handle chunked encoding missing size
Treat it the same as invalid characters where size should be.
2024-07-31 18:32:02 +02:00
Paul J. Dorn
9ca4f1fdfc refuse empty request-target in HTTP request
A single slash is valid, but nothing at all can be safely refused.

Python stdlib explicitly tells us it will not perform validation.
https://docs.python.org/3/library/urllib.parse.html#url-parsing-security
There are *four* `request-target` forms in rfc9112, none of them can be empty.
2024-07-31 02:14:35 +02:00
Vaclav Rehak
97f87ec13e Fix InvalidHTTPVersion exception str method
Fixes: #3195
2024-04-26 13:58:10 +02:00
Eisuke Kawashima
628a0bcb61
chore: fix typos 2024-03-25 08:31:59 +09:00
Paul J. Dorn
e710393d14 HTTP parser: stricter chunk-ext OBS handling
chunk extensions are silently ignored before and after this change;
its just the whitespace handling for the case without extensions that matters
applying same strip(WS)->rstrip(BWS) replacement as already done in related cases

half-way fix: could probably reject all BWS cases, rejecting only misplaced ones
2023-12-17 17:46:56 +01:00
Paul J. Dorn
7ebe442d08 strict HTTP version validation
Note: This is unrelated to a reverse proxy potentially talking HTTP/3 to clients.
This is about the HTTP protocol version spoken to Gunicorn, which is HTTP/1.0 or HTTP/1.1.

Little legitimate need for processing HTTP 1 requests with ambiguous version numbers.
Broadly refuse.

Co-authored-by: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
2023-12-15 13:33:31 +01:00
Paul J. Dorn
f5501111a2 strict HTTP header field name validation
Do the validation on the original, not the result from unicode case folding.

Background:
latin-1 0xDF is traditionally uppercased 0x53+0x53 which puts it back in ASCII
2023-12-15 13:33:31 +01:00
Paul J. Dorn
fd67112f40 Ignore secure_scheme_headers in Trailer section
In common configuration unlikely a big security problem in itself
you are just fooling the remote about https.
However, it is offers an oracle for otherwise invisible proxy request headers,
so it might help exploiting other vulnerabilities.
2023-12-15 13:33:31 +01:00
Paul J. Dorn
ac29c9b0a7 fail-safe on unsupported request framing
If we promise wsgi.input_terminated, we better get it right - or not at all.
* chunked encoding on HTTP <= 1.1
* chunked not last transfer coding
* multiple chinked codings
* any unknown codings (yes, this too! because we do not detect unusual syntax that is still chunked)
* empty coding (plausibly harmless, but not see in real life anyway - refused, for the moment)
2023-12-15 13:33:31 +01:00
Paul J. Dorn
72b8970dbf silently drop or refuse header names w/ underscore
Ambiguous mappings open a bottomless pit of "what is user input and what is proxy input" confusion.
Default to what everyone else has been doing for years now, silently drop.

see also https://nginx.org/r/underscores_in_headers
2023-12-15 13:33:31 +01:00
Paul J. Dorn
b2846783d7 strict: header field validation: stop casefolding
* refusing lowercase and ASCII 0x23 (#) had been partially enforced before
* do not casefold by default, HTTP methods are case sensitive
2023-12-15 13:33:31 +01:00
Tomi Belan
f0c91cca48 Check SCRIPT_NAME is at the request path's beginning 2023-12-15 13:33:31 +01:00
Ben Kallus
72238fcf8d RFC compliant request line and header parsing
- Unify HEADER_RE and METH_RE
- Replace CRLF with SP during obs-fold processing (See RFC 9112 Section 5.2, last paragraph)
- Stop stripping header names.
- Remove HTAB in OWS in header values that use obs-fold (See RFC 9112 Section 5.2, last paragraph)
- Use fullmatch instead of search, which has problems with empty strings. (See GHSA-68xg-gqqm-vgj8)
- Split proxy protocol line on space only. (See proxy protocol Section 2.1, bullet 3)
- Use fullmatch for method and version (Thank you to Paul Dorn for noticing this.)
- Replace calls to str.strip() with str.strip(' \t')
- Split request line on SP only.

Co-authored-by: Paul Dorn <pajod@users.noreply.github.com>
2023-12-15 13:33:31 +01:00
Ben Kallus
735e9e867a Disallow empty header names. 2023-12-15 13:33:31 +01:00
Ben Kallus
2dbe49de99 RFC compliant header field+chunk validation
* update HEADER_RE and HEADER_VALUE_RE to match the RFCs
* update chunk length parsing to disallow 0x prefix and digit-separating underscores.
2023-12-15 13:33:31 +01:00
Jason Myers
fa94f70529 Updating Content-Length Handling
Signed-off-by: Jason Myers <jmyers@syntellis.com>
2023-05-30 20:42:13 -05:00
unknown
48d670f087 update pylint version, and fix linter issues 2023-05-17 18:45:59 +03:00
Benoit Chesneau
8fa57d0884
Merge pull request #2928 from samypr100/pycodestyle-fixup
Fixing errors reported by pycodestyle
2023-01-26 22:34:51 +01:00
samypr100
2ea4699fe7
Fixing errors reported by pycodestyle 2023-01-22 21:20:11 -05:00
benoitc
30baeebf33
Revert "get address from tuple"
This reverts commit c9d01c801967596f66636cfc0c47660339d32631.
2023-01-22 12:47:07 -05:00
Benoit Chesneau
00de6d9d79
Merge pull request #2687 from vytas7/fix-sendfile-offset
Fix sendfile behaviour for open files with non-zero offset
2022-10-15 21:02:35 +02:00
Benoit Chesneau
d35ef47db8
Merge pull request #2827 from zffocussss/master
add attribute remote_addr to req object
2022-10-15 20:51:06 +02:00
Vytautas Liuolia
7209ea3ccb
Merge branch 'master' into fix-sendfile-offset 2022-08-29 18:58:38 +02:00
Benoit Chesneau
0b953b8037
Merge pull request #2773 from hazho/master
Solving issue #2692
2022-08-25 14:19:45 +02:00
focus zheng
c9d01c8019 get address from tuple 2022-07-14 10:19:18 +08:00
focus zheng
69bf1d0cf4 remove changes by isort and lint 2022-07-13 15:44:30 +08:00
Hazh. M. Adam
7d8f68c1a7
Solving issue #2692
ValueError: count must be a positive integer (got 0)
2022-04-04 12:27:55 +08:00
Vytautas Liuolia
f639128bd7 Fix sendfile behaviour for open files with non-zero offset. 2021-11-12 21:39:10 +01:00
Paul Miller
e3b0b1f91a
integral? that took me a while to figure out
integral: "In mathematics, an integral assigns numbers to functions in a way that describes displacement, area, volume, and other concepts that arise by combining infinitesimal data."

integer: an int type
2021-10-08 21:04:12 -04:00
Randall Leeds
3573fd38d0 Capture peer name from accept
Avoid calls to getpeername by capturing the peer name returned by
accept.
2020-12-17 22:13:02 -05:00
Benoit Chesneau
b3f9815aba fix: don't enforce the content length
we were trying to enforce the content length when the websocket
key was received but we should instead rely on the headers provided in
the request. Enforcing the expectation of the content length should be
done by the client side not by us.

Changes:

* remove content-length header enforcing in message.p when the
"Sec-WebSocket-Key1" header was found
2020-08-26 10:56:04 +02:00
Benoit Chesneau
dcfd0f04e8 fix SERVER_SOFTWARE property
WSGI spec requires the SERVER_SOFTWARE property containing the name and version. This change fix it and separate the version header from SERVER_SOFTWARE property. We expose the SERVER variable so custom installations can change it in one place without looking much when needed.
2020-01-10 13:50:53 +01:00
Jason Madden
2d40e6dace
Use socket.sendfile() instead of os.sendfile().
Fixes #2223.

Unfortunately, eventlet doesn't implement GreenSocket.sendfile, so we have to do it for it.

Add gevent and eventlet to tox.ini and add tests to make sure we can at least import the workers. Some tests that this actually functions would be nice...

Update the gevent and eventlet setup extras to require the versions that are enforced in their worker modules.
2020-01-04 06:31:25 -06:00
Takuya Noguchi
ed901637ff Enable pycodestyle 2019-11-28 19:30:38 +09:00
benoitc
8a270c9329 wsgi.input_terminated is always true
As spotted by @tilgovi Gunicorn always ensure the reader terminate. So set wsgi.input_terminated to true to signal it to the application.
2019-11-21 18:13:55 +01:00
benoitc
0d8a022791 Revert "fix wsgi.input_terminated"
This reverts commit 265e58f9e82f64e003015fb25823f5a983be8c27.
2019-11-21 18:11:17 +01:00
benoitc
265e58f9e8 fix wsgi.input_terminated
Sometimes both TRANSFER-ENCODING=chunked and CONTENT_LENGTH are set. Since gunicorn prioritise (following the HTTP1.1 spec) chunked encoding we should make sure in this case to signal to th application that the input is terminated by the server.

Without the change gunicorn were always setting wsg.input_terminated to False when a CONTENT_LENGTH header was present ignoring that Gunicorn was afaik handling the termination.
2019-11-20 23:07:14 +01:00
Emile Fugulin
ddf5e66ac8 Remove strict check of Transfer-Encoding 2019-11-20 12:25:39 -05:00
Emile Fugulin
f74324bd75 Handle multiple transfer-encoding 2019-11-18 22:29:02 -05:00
Emile Fugulin
bd8670b4db Handle duplicate content-length 2019-11-18 21:16:12 -05:00
Emile Fugulin
b798412444 Remove default strip of header name 2019-11-18 19:44:01 -05:00
Hasan Ramezani
e7890d8d1b
Fix lint errors (#2123) 2019-10-27 11:57:16 +01:00
Jeff Brooks
ad6ed3f4c8 Implement check and exception for str type on value in Response process_headers method. 2019-10-15 09:03:44 -05:00
Jeff Brooks
54c820feb3 Ensure header value is string before conducting regex search on it. 2019-10-10 10:41:22 -05:00
Benoit Chesneau
ce03c192f4 fix formatting 2019-09-27 01:45:03 +02:00
Benoit Chesneau
cf8ac37ce4
Merge pull request #1969 from benoitc/wsgi_input_terminated
handle `wsgi.input_terminated` extension
2019-04-29 13:58:05 +02:00
Brett Randall
879651bb6f Header values are encoded using latin-1, not ascii.
This commit reverts one aspect changed by 5f4ebd2eb2b08783a5fbefe79d09fcb3fc1fbc73 (#1151);
header-values are again encoded as latin-1 and not ascii. Test is restored but uses
a latin-1-mappable test-character, not a general utf8 character.

Fixed #1778.

Signed-off-by: Brett Randall <javabrett@gmail.com>
2019-04-18 04:23:19 +03:00
Marat
a8963ef1a5 Remove redundant super() arguments 2019-03-16 15:00:07 -07:00
Benoit Chesneau
e5141a1c5a handle wsgi.input_terminated extension
fix #1653
2019-01-24 15:47:15 +01:00