371 Commits

Author SHA1 Message Date
Paul J. Dorn
88d503ba1c HTTP/1.0 - ignore Expect: 100-continue
* ignore on HTTP/1.0 (would possibly confuse a client or proxy)
* refuse requests with unknown expectations

https://datatracker.ietf.org/doc/html/rfc9110#section-10.1.1
2026-01-24 21:59:02 +01:00
Benoit Chesneau
e9a3f30a0f
fix: keep forwarded_allow_ips as strings for backward compatibility (#3459)
The CIDR network support added in 24.1.0 changed forwarded_allow_ips
and proxy_allow_ips from string lists to ipaddress.ip_network objects.
This broke external tools like uvicorn that expect strings.

This fix validates IP/CIDR format during config parsing but keeps the
string representation. Network objects are cached in Config methods
(forwarded_allow_networks() and proxy_allow_networks()) for efficient
IP checking without repeated conversions.

Also uses strict mode for ip_network validation to detect mistakes like
192.168.1.1/24 where host bits are set (should be 192.168.1.0/24).

Fixes #3458
2026-01-23 23:51:25 +01:00
Benoit Chesneau
f3190f84cc
feat: add PROXY protocol v2 support with version selection (#3451)
Extend --proxy-protocol to accept version values (off, v1, v2, auto) instead
of being boolean-only. This allows explicit control over which PROXY protocol
versions are accepted.

Changes:
- Add InvalidProxyHeader exception for v2 binary header errors
- Add validate_proxy_protocol() validator with backwards compatibility
- Update ProxyProtocol setting with nargs="?" and const="auto"
- Add PROXY v2 constants (PP_V2_SIGNATURE, PPCommand, PPFamily, PPProtocol)
- Add _parse_proxy_protocol_v1() and _parse_proxy_protocol_v2() methods
- Update both sync (message.py) and async (asgi/message.py) parsers
- Add hex escape handling in treq.py for v2 binary test data
- Add test cases for v2 TCPv4 and TCPv6

Backwards compatible: --proxy-protocol alone (or True) maps to "auto".

Closes #2912
2026-01-23 18:40:44 +01:00
Benoit Chesneau
f95ac41b8f fix: use smaller buffer in finish_body for faster timeout
Reduce buffer size from 8192 to 1024 bytes when discarding unread
body data, allowing timeouts to trigger more quickly on slow or
stalled connections.
2026-01-23 14:46:40 +01:00
Benoit Chesneau
e52ac46e29 feat: support CIDR networks in forwarded_allow_ips and proxy_allow_ips
Use Python's ipaddress module to support IP networks in allow lists.
Individual IP addresses are converted to /32 (IPv4) or /128 (IPv6)
networks. CIDR notation (e.g., 192.168.0.0/16) is now supported.

Fixes #1485
Closes #2390
2026-01-23 11:39:05 +01:00
Benoit Chesneau
56abeaf105 fix: unreader.unread() now prepends data to buffer
The unread method was incorrectly appending data to the end of the
buffer instead of prepending it to the beginning. This caused issues
when reading partial data and then unreading it.

Closes #2915
Closes #2346
2026-01-23 11:39:05 +01:00
Benoit Chesneau
47b9a18619 fix: handle SSLWantReadError in finish_body() (#3448)
The finish_body() function can raise ssl.SSLWantReadError when
discarding unread request body data on SSL connections. This causes
TLS requests to fail intermittently with "Invalid request" errors.

Handle SSLWantReadError by treating it as "no more data to read".
This is safe because finish_body() only discards leftover data before
keepalive - if SSL says "need to wait for more data", there's nothing
left to discard.

Fixes #3448
2026-01-23 09:38:41 +01:00
Benoit Chesneau
ac7296ec49 uwsgi: Add native uWSGI binary protocol support
Add support for the uWSGI binary protocol, enabling gunicorn to work
with nginx's uwsgi_pass directive.

New module gunicorn/uwsgi/ with:
- UWSGIRequest: Parses 4-byte binary header and key-value vars block
- UWSGIParser: Protocol parser following existing Parser pattern
- Error classes: InvalidUWSGIHeader, UnsupportedModifier, ForbiddenUWSGIRequest

New configuration options:
- --protocol: Select 'http' (default) or 'uwsgi' protocol
- --uwsgi-allow-from: IP allowlist for uWSGI requests (default: localhost)

Worker integration via get_parser() factory in gunicorn/http/__init__.py,
updates to sync, gthread, and base_async workers.

Example nginx config:
    upstream gunicorn {
        server 127.0.0.1:8000;
    }
    location / {
        uwsgi_pass gunicorn;
        include uwsgi_params;
    }
2026-01-22 18:32:17 +01:00
Benoit Chesneau
b43dc6d398 gthread: Improve reliability and fix edge cases
This commit addresses three issues with the gthread worker:

1. Request body handling on keepalive
   - Add finish_body() method to Parser to discard unread body bytes
   - Call it before returning connections to the poller
   - Prevents socket appearing readable due to leftover body
   Fixes #3301

2. Timeout reliability with monotonic clock
   - Replace time.time() with time.monotonic() in set_timeout()
   - Replace time.time() with time.monotonic() in murder_keepalived()
   - Prevents timeout issues caused by NTP adjustments

3. SSL error handling
   - Move conn.init() from enqueue_req() to handle()
   - SSL handshake now runs in worker thread, not main thread
   - ENOTCONN errors during ssl_wrap_socket are caught per-connection
   - Prevents entire worker crashes on SSL handshake failures

Also adds comprehensive unit tests for the gthread worker.

Closes #3303
Closes #3308
2026-01-22 09:14:19 +01:00
Benoit Chesneau
e75c3533e3
Merge pull request #3189 from pajod/patch-py36
chore: eat Python 2 leftovers
2024-08-10 10:40:40 +02:00
Benoit Chesneau
3f56d76548
Merge pull request #3192 from pajod/patch-allowed-script-name
22.0.0 regression: We need a better default treatment of SCRIPT_NAME
2024-08-09 09:05:57 +02:00
Paul J. Dorn
5bbf373e18 undocumented allow-all for forwarder-headers 2024-08-07 20:15:17 +02:00
Paul J. Dorn
3e042e8269 Configurable list of forwarder headers 2024-08-07 20:15:13 +02:00
Paul J. Dorn
01bcdb1d12 Exempt SCRIPT_NAME from newly introduced --header-map treatment 2024-08-07 20:10:47 +02:00
Paul J. Dorn
2bc931e7d9 whitespace handling in header field values
Strip whitespace also *after* header field value.
Simply refuse obsolete header folding (a default-off
option to revert is temporarily provided).
While we are at it, explicitly handle recently
introduced http error classes with intended status code.
2024-08-07 19:42:16 +02:00
Benoit Chesneau
52234e7b32
Merge pull request #2688 from StarfishStorage/fix_2684
Fix problem that may happen after interrupted chunk-encoding request
2024-08-07 00:24:46 +02:00
benoitc
555d2fa27f don't tolerate wrong te headers
changes:

- Just follow the new TE specification (https://datatracker.ietf.org/doc/html/rfc9112#name-transfer-encoding)
 here and accept to introduce a breaking change.
- gandle multiple TE on one line

** breaking changes ** : invalid  headers and position will now return
an error.
2024-08-06 23:47:01 +02:00
Benoit Chesneau
9a96e75808
Merge pull request #3253 from pajod/patch-rfc9110-section5.5
Refuse requests with invalid and dangerous CR/LF/NUL in header field value, as demanded by rfc9110 section 5.5
2024-08-06 22:25:12 +02:00
Benoit Chesneau
5c0e1571dc
Merge pull request #3255 from pajod/patch-refuse-empty-request-target
refuse empty request-target in HTTP request
2024-08-06 18:26:47 +02:00
Paul J. Dorn
a3d130ae51 gracefully handle chunked encoding missing size
Treat it the same as invalid characters where size should be.
2024-07-31 18:32:02 +02:00
Paul J. Dorn
9ca4f1fdfc refuse empty request-target in HTTP request
A single slash is valid, but nothing at all can be safely refused.

Python stdlib explicitly tells us it will not perform validation.
https://docs.python.org/3/library/urllib.parse.html#url-parsing-security
There are *four* `request-target` forms in rfc9112, none of them can be empty.
2024-07-31 02:14:35 +02:00
Paul J. Dorn
eda9d456d3 forbid lone CR/LF and NUL in headers
New parser rule: refuse HTTP requests where a header field value
contains characters that
a) should never appear there in the first place,
b) might have lead to incorrect treatment in a proxy in front, and
c) might lead to unintended behaviour in applications.

From RFC 9110 section 5.5:
"Field values containing CR, LF, or NUL characters are invalid and
dangerous, due to the varying ways that implementations might parse
and interpret those characters; a recipient of CR, LF, or NUL within
a field value MUST either reject the message or replace each of those
characters with SP before further processing or forwarding of that
message."
2024-07-31 01:28:30 +02:00
Vaclav Rehak
97f87ec13e Fix InvalidHTTPVersion exception str method
Fixes: #3195
2024-04-26 13:58:10 +02:00
Paul J. Dorn
4f7766585d Python 3.3+: replace deprecated aliases
since 3.3: EnvironmentError, IOError, socket.error and select.error are merged into IOError.
They may now return a more specific subclass - which this commit does not utilize yet.
2024-04-22 03:33:31 +02:00
Paul J. Dorn
422b18acea class Name(object): -> class Name: 2024-04-22 03:33:30 +02:00
Paul J. Dorn
4323027b1e drop long-default - coding: utf-8 2024-04-22 03:33:14 +02:00
Eisuke Kawashima
628a0bcb61
chore: fix typos 2024-03-25 08:31:59 +09:00
Paul J. Dorn
e710393d14 HTTP parser: stricter chunk-ext OBS handling
chunk extensions are silently ignored before and after this change;
its just the whitespace handling for the case without extensions that matters
applying same strip(WS)->rstrip(BWS) replacement as already done in related cases

half-way fix: could probably reject all BWS cases, rejecting only misplaced ones
2023-12-17 17:46:56 +01:00
Paul J. Dorn
7ebe442d08 strict HTTP version validation
Note: This is unrelated to a reverse proxy potentially talking HTTP/3 to clients.
This is about the HTTP protocol version spoken to Gunicorn, which is HTTP/1.0 or HTTP/1.1.

Little legitimate need for processing HTTP 1 requests with ambiguous version numbers.
Broadly refuse.

Co-authored-by: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
2023-12-15 13:33:31 +01:00
Paul J. Dorn
f5501111a2 strict HTTP header field name validation
Do the validation on the original, not the result from unicode case folding.

Background:
latin-1 0xDF is traditionally uppercased 0x53+0x53 which puts it back in ASCII
2023-12-15 13:33:31 +01:00
Paul J. Dorn
fd67112f40 Ignore secure_scheme_headers in Trailer section
In common configuration unlikely a big security problem in itself
you are just fooling the remote about https.
However, it is offers an oracle for otherwise invisible proxy request headers,
so it might help exploiting other vulnerabilities.
2023-12-15 13:33:31 +01:00
Paul J. Dorn
ac29c9b0a7 fail-safe on unsupported request framing
If we promise wsgi.input_terminated, we better get it right - or not at all.
* chunked encoding on HTTP <= 1.1
* chunked not last transfer coding
* multiple chinked codings
* any unknown codings (yes, this too! because we do not detect unusual syntax that is still chunked)
* empty coding (plausibly harmless, but not see in real life anyway - refused, for the moment)
2023-12-15 13:33:31 +01:00
Paul J. Dorn
72b8970dbf silently drop or refuse header names w/ underscore
Ambiguous mappings open a bottomless pit of "what is user input and what is proxy input" confusion.
Default to what everyone else has been doing for years now, silently drop.

see also https://nginx.org/r/underscores_in_headers
2023-12-15 13:33:31 +01:00
Paul J. Dorn
b2846783d7 strict: header field validation: stop casefolding
* refusing lowercase and ASCII 0x23 (#) had been partially enforced before
* do not casefold by default, HTTP methods are case sensitive
2023-12-15 13:33:31 +01:00
Tomi Belan
f0c91cca48 Check SCRIPT_NAME is at the request path's beginning 2023-12-15 13:33:31 +01:00
Ben Kallus
72238fcf8d RFC compliant request line and header parsing
- Unify HEADER_RE and METH_RE
- Replace CRLF with SP during obs-fold processing (See RFC 9112 Section 5.2, last paragraph)
- Stop stripping header names.
- Remove HTAB in OWS in header values that use obs-fold (See RFC 9112 Section 5.2, last paragraph)
- Use fullmatch instead of search, which has problems with empty strings. (See GHSA-68xg-gqqm-vgj8)
- Split proxy protocol line on space only. (See proxy protocol Section 2.1, bullet 3)
- Use fullmatch for method and version (Thank you to Paul Dorn for noticing this.)
- Replace calls to str.strip() with str.strip(' \t')
- Split request line on SP only.

Co-authored-by: Paul Dorn <pajod@users.noreply.github.com>
2023-12-15 13:33:31 +01:00
Ben Kallus
735e9e867a Disallow empty header names. 2023-12-15 13:33:31 +01:00
Ben Kallus
2dbe49de99 RFC compliant header field+chunk validation
* update HEADER_RE and HEADER_VALUE_RE to match the RFCs
* update chunk length parsing to disallow 0x prefix and digit-separating underscores.
2023-12-15 13:33:31 +01:00
Jason Myers
fa94f70529 Updating Content-Length Handling
Signed-off-by: Jason Myers <jmyers@syntellis.com>
2023-05-30 20:42:13 -05:00
unknown
48d670f087 update pylint version, and fix linter issues 2023-05-17 18:45:59 +03:00
Benoit Chesneau
8fa57d0884
Merge pull request #2928 from samypr100/pycodestyle-fixup
Fixing errors reported by pycodestyle
2023-01-26 22:34:51 +01:00
samypr100
2ea4699fe7
Fixing errors reported by pycodestyle 2023-01-22 21:20:11 -05:00
benoitc
30baeebf33
Revert "get address from tuple"
This reverts commit c9d01c801967596f66636cfc0c47660339d32631.
2023-01-22 12:47:07 -05:00
Benoit Chesneau
00de6d9d79
Merge pull request #2687 from vytas7/fix-sendfile-offset
Fix sendfile behaviour for open files with non-zero offset
2022-10-15 21:02:35 +02:00
Benoit Chesneau
d35ef47db8
Merge pull request #2827 from zffocussss/master
add attribute remote_addr to req object
2022-10-15 20:51:06 +02:00
Vytautas Liuolia
7209ea3ccb
Merge branch 'master' into fix-sendfile-offset 2022-08-29 18:58:38 +02:00
Benoit Chesneau
0b953b8037
Merge pull request #2773 from hazho/master
Solving issue #2692
2022-08-25 14:19:45 +02:00
focus zheng
c9d01c8019 get address from tuple 2022-07-14 10:19:18 +08:00
focus zheng
69bf1d0cf4 remove changes by isort and lint 2022-07-13 15:44:30 +08:00
Hazh. M. Adam
7d8f68c1a7
Solving issue #2692
ValueError: count must be a positive integer (got 0)
2022-04-04 12:27:55 +08:00