Paul J. Dorn
f5501111a2
strict HTTP header field name validation
...
Do the validation on the original, not the result from unicode case folding.
Background:
latin-1 0xDF is traditionally uppercased 0x53+0x53 which puts it back in ASCII
2023-12-15 13:33:31 +01:00
Paul J. Dorn
fd67112f40
Ignore secure_scheme_headers in Trailer section
...
In common configuration unlikely a big security problem in itself
you are just fooling the remote about https.
However, it offers an oracle for otherwise invisible proxy request headers,
so it might help exploiting other vulnerabilities.
2023-12-15 13:33:31 +01:00
Paul J. Dorn
ac29c9b0a7
fail-safe on unsupported request framing
...
If we promise wsgi.input_terminated, we better get it right - or not at all.
* chunked encoding on HTTP <= 1.1
* chunked not last transfer coding
* multiple chunked codings
* any unknown codings (yes, this too! because we do not detect unusual syntax that is still chunked)
* empty coding (plausibly harmless, but not seen in real life anyway - refused, for the moment)
2023-12-15 13:33:31 +01:00
Paul J. Dorn
0b10cbab1d
unconditionally log request error
...
Somehow exception logging was conditional on successful request uri parsing.
Add it back for the other branch.
2023-12-15 13:33:31 +01:00
Paul J. Dorn
72b8970dbf
silently drop or refuse header names w/ underscore
...
Ambiguous mappings open a bottomless pit of "what is user input and what is proxy input" confusion.
Default to what everyone else has been doing for years now, silently drop.
see also https://nginx.org/r/underscores_in_headers
2023-12-15 13:33:31 +01:00
Paul J. Dorn
b2846783d7
strict: header field validation: stop casefolding
...
* refusing lowercase and ASCII 0x23 (#) had been partially enforced before
* do not casefold by default, HTTP methods are case sensitive
2023-12-15 13:33:31 +01:00
Paul J. Dorn
42dd4190ac
test: verify TOKEN_RE against common HTTP Methods
2023-12-15 13:33:31 +01:00
Paul J. Dorn
13027ef797
Create SECURITY.md
2023-12-15 13:33:31 +01:00
Tomi Belan
f0c91cca48
Check SCRIPT_NAME is at the request path's beginning
2023-12-15 13:33:31 +01:00
Ben Kallus
72238fcf8d
RFC compliant request line and header parsing
...
- Unify HEADER_RE and METH_RE
- Replace CRLF with SP during obs-fold processing (See RFC 9112 Section 5.2, last paragraph)
- Stop stripping header names.
- Remove HTAB in OWS in header values that use obs-fold (See RFC 9112 Section 5.2, last paragraph)
- Use fullmatch instead of search, which has problems with empty strings. (See GHSA-68xg-gqqm-vgj8)
- Split proxy protocol line on space only. (See proxy protocol Section 2.1, bullet 3)
- Use fullmatch for method and version (Thank you to Paul Dorn for noticing this.)
- Replace calls to str.strip() with str.strip(' \t')
- Split request line on SP only.
Co-authored-by: Paul Dorn <pajod@users.noreply.github.com>
2023-12-15 13:33:31 +01:00
Ben Kallus
735e9e867a
Disallow empty header names.
2023-12-15 13:33:31 +01:00
Ben Kallus
2dbe49de99
RFC compliant header field+chunk validation
...
* update HEADER_RE and HEADER_VALUE_RE to match the RFCs
* update chunk length parsing to disallow 0x prefix and digit-separating underscores.
2023-12-15 13:33:31 +01:00
Paul J. Dorn
559caf9205
pytest: raise on malformed test fixtures
...
and unbreak test depending on backslash escape
2023-12-15 13:33:31 +01:00
Paul J. Dorn
611746edc9
CI: check entry points
...
Fixes: fdd23e82926d7d10ec4a8e65e42b5184a4ee20ce
2023-12-07 21:12:38 +01:00
Paul J. Dorn
c3396b9786
github actions: cache and test run_module (-m)
2023-12-07 20:02:55 +01:00
Benoit Chesneau
26aba9ed9d
Merge pull request #3102 from deronnax/pyproject-toml-fix-license
...
pyproject.toml: fix embedding of the LICENSE file in the package
2023-12-07 15:39:01 +01:00
benoitc
4023228493
let exceptions not bubble
...
ensure we can catch correctly exceptions based on BaseException.
Note: patch was originally proposed by PR #2923, but original
author closed it.
Fix #2923
2023-12-07 15:36:48 +01:00
Mathieu Dupuy
7acd83bfb6
pyproject.toml: fix license-files field
2023-12-02 11:03:13 +01:00
Benoit Chesneau
ca9162d9cd
Merge pull request #3090 from sblondon/remove-python2-note
...
Remove Python2 note
2023-11-18 23:15:01 +01:00
Benoit Chesneau
571b6fff46
Merge pull request #3095 from ramikg/simplify-workertmp-notify
...
Use `utime` instead of `fchmod` in `WorkerTmp.notify`
2023-11-18 23:14:29 +01:00
Rami
0dd6b6350e
Use utime instead of fchmod in WorkerTmp.notify
2023-11-14 11:54:14 +02:00
Benoit Chesneau
02d3dd8b7a
Merge pull request #3063 from deronnax/migrate-to-pyproject-toml
...
Migrate to pyproject toml
2023-11-13 23:57:48 +01:00
sblondon
237f3e6f5c
Remove Python2 note
...
Python2 is not supported anymore.
2023-11-11 23:02:07 +01:00
Alfonso Montero López
a265b9cfe7
news.rst: fix minor typo
2023-11-08 19:54:55 +01:00
Jelmer Draaijer
4ce82358e8
Add Python 3.12 to test matrix and add classifiers
2023-10-31 08:42:48 +01:00
Ben Cail
afe0680212
Document Python 3.7 requirement
2023-10-23 16:58:12 -04:00
Odysseas Fatouros
ca2ce2c76b
Fix for issue #3079, worker_class parameter accepts a class
2023-10-13 16:15:40 +02:00
Benoit Chesneau
430dcdd997
Merge pull request #3075 from benoitc/dependabot/github_actions/actions/checkout-4
...
Bump actions/checkout from 3 to 4
2023-10-12 19:01:41 +02:00
dependabot[bot]
7d69222b55
Bump actions/checkout from 3 to 4
...
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-10-01 21:28:16 +00:00
Mathieu Dupuy
fdd23e8292
migrate to pyproject.toml
2023-09-12 00:43:37 +02:00
Mathieu Dupuy
7033f27e28
remove exclusion of tests and examples dir
...
setuptools already excludes them by default in the flat-layout setup,
see https://setuptools.pypa.io/en/latest/userguide/package_discovery.html#flat-layout
2023-09-04 15:22:37 +02:00
Mathieu Dupuy
760e864200
migrate to setup.cfg
2023-09-04 15:19:54 +02:00
benoitc
ab9c8301cb
bump to 21.2.0
2023-07-19 13:31:10 +02:00
Benoit Chesneau
f5669f6475
Merge pull request #3033 from benoitc/fix-gthread
...
revert change considering connection as idle
2023-07-19 13:26:28 +02:00
benoitc
bc905859a6
revert change considering connection as idle
2023-07-19 00:10:24 +02:00
benoitc
4e12ebe334
bump to 21.1.0
2023-07-18 14:41:05 +02:00
benoitc
60b78e3d98
fix setup.cfg: use new license_files property
...
`license_file` property in setup.cfg is deprecated and should be replaced
by the `license_files` property.
fix #3027
2023-07-18 14:33:53 +02:00
Benoit Chesneau
83c3973e1b
Merge pull request #3030 from benoitc/fix-ghthread
...
fix gthread worker
2023-07-18 14:28:44 +02:00
benoitc
86d85cb369
fix gthread worker
...
Under Python 3.8 and up, the exception is ValueError when the fd has already
been cleared by the system.
fix #3029
2023-07-18 14:10:36 +02:00
benoitc
547f8561d9
bump 21.0.1: fix doc
2023-07-17 23:19:49 +02:00
benoitc
033dca60cd
fix doc path to conf.py in readthedocs.yaml
2023-07-17 23:14:57 +02:00
benoitc
1dd24e6e3c
fix .readthedocs.yaml path
2023-07-17 23:08:54 +02:00
benoitc
b6eb01ba52
add readthedocs.yaml
2023-07-17 23:03:59 +02:00
benoitc
543628eb12
remove pypy-3.7 from tests
2023-07-17 22:47:52 +02:00
benoitc
91cb3dc67c
Revert "remove cryptography from requirements"
...
This reverts commit 471a6f80f0a255a41e0effe9896751db0a814999.
2023-07-17 22:45:55 +02:00
benoitc
471a6f80f0
remove cryptography from requirements
2023-07-17 22:43:27 +02:00
benoitc
f628dd9730
fix import error
2023-07-17 22:40:52 +02:00
benoitc
cac38b4286
bump doc version
2023-07-17 22:31:15 +02:00
benoitc
0304f006e6
add minimal changelog
2023-07-17 21:36:31 +02:00
benoitc
f72acb6c0e
add missing dependency for eventlet tests
2023-07-17 21:20:44 +02:00