we were trying to enforce the content length when the websocket
key was received but we should instead rely on the headers provided in
the request. Enforcing the expectation of the content length should be
done by the client side not by us.
Changes:
* remove content-length header enforcing in message.p when the
"Sec-WebSocket-Key1" header was found
Sometimes both TRANSFER-ENCODING=chunked and CONTENT_LENGTH are set. Since gunicorn prioritise (following the HTTP1.1 spec) chunked encoding we should make sure in this case to signal to th application that the input is terminated by the server.
Without the change gunicorn were always setting wsg.input_terminated to False when a CONTENT_LENGTH header was present ignoring that Gunicorn was afaik handling the termination.
Some systems report UNIX socket addresses as bytes while others will
report it as a unicode string type. This patch improves socket type
detection code to support both.
Fix#1861
Numbers must be separated by dot. This makes life
a little bit harder for attackers who would like to inject specially crafted packets after GET / (e.g. in nginx there are sometimes regular expressions like (?P<action>[^.]).html
This patch makes sure that we now handle correctly bytes and native
strings on python 3:
- In python 3, sockets are now taking and returning bytes.
- according to PEP3333, headers should be native strings and body in
bytes.
We were accidentally including partial data when we didn't find the
request line terminating '\r\n'. This changes the check to make sure
we're testing the length after we assert there's no termination.
patch from Djoume Salvetti . address the following issues in gunicorn:
* Gunicorn does not limit the size of a request header (the
* limit_request_field_size configuration parameter is not used)
* When the configured request limit is lower than its maximum value, the
* maximum value is used instead. For instance if limit_request_line is
* set to 1024, gunicorn will only limit the request line to 4096 chars
* (this issue also affects limit_request_fields)
* Request limits are not limited to their maximum authorized values. For
* instance it is possible to set limit_request_line to 64K (this issue
* also affects limit_request_fields)
* Setting limit_request_fields and limit_request_field_size to 0 does
* not make them unlimited. The following patch allows limit_request_line
* and limit_request_field_size to be unlimited. limit_request_fields can
* no longer be unlimited (I can't imagine 32K fields to not be enough
* but I have a use case where 8K for the request line is not enough).
* Parsing errors (premature client disconnection) are not reported
* When request line limit is exceeded the configured value is reported
* instead of the effective value.
Add --limit-request-fields (limit_request_fields) and
--limit-request-field-size (limit-request-field-size) options.
- limit_request_fields:
Value is a number from 0 (unlimited) to 32768. This parameter is
used to limit the number of headers in a request to prevent DDOS
attack. Used with the `limit_request_field_size` it allows more
safety.
- limit_request_field_size:
Value is a number from 0 (unlimited) to 8190. to set the limit
on the allowed size of an HTTP request header field.
You can now pass the parameter --limit-request-line or set the
limit_request_line in your configuration file to set the max size of the
request line in bytes.
This parameter is used to limit the allowed size of a client's HTTP
request-line. Since the request-line consists of the HTTP method, URI,
and protocol version, this directive places a restriction on the length
of a request-URI allowed for a request on the server. A server needs
this value to be large enough to hold any of its resource names,
including any information that might be passed in the query part of a
GET request. By default this value is 4094 and can't be larger than
8190.
This parameter can be used to prevent any DDOS attack.
