220 Commits

Author SHA1 Message Date
Benoit Chesneau
ea98400820
ci: Fix macOS tests and add FreeBSD support (#3442)
* ci: Remove failing macos-13 from test matrix

* ci: Add FreeBSD testing workflow

* ci: Document test matrix rationale

* ci: Update cross-platform-actions to v0.32.0 for FreeBSD 14.2 support

* ci: Use FreeBSD 14.1 (14.2 has SSH connectivity issues)

* ci: Switch to vmactions/freebsd-vm for FreeBSD testing

* ci: Fix FreeBSD package names (pip included in Python)

* ci: Simplify FreeBSD matrix and fix package names

* ci: Use specific Python version command on FreeBSD

* ci: Add sqlite3 package for FreeBSD

* tests: Increase signal integration test timeouts for CI

The signal integration tests were flaky in CI environments,
especially FreeBSD VMs, due to 10-second timeouts being too short.
Increased timeouts to 30 seconds to handle slower CI environments.
2026-01-22 14:00:02 +01:00
Benoit Chesneau
b650332c70
Arbiter signal handling improvements (#3441)
* tests: Add tests for current signal handling behavior

Add tests for arbiter signal handling:
- TestSignalHandlerRegistration (4 tests): Verify signal handler
  registration, pipe creation, SIGCHLD separate handler, and
  expected signals list
- TestSignalQueue (4 tests): Test signal queueing, max queue size,
  wakeup writes to pipe, and sleep returns on pipe data
- TestReapWorkers (6 tests): Test worker reaping for normal exit,
  error exit codes, WORKER_BOOT_ERROR, APP_LOAD_ERROR, signal
  termination, and SIGKILL OOM hint

These tests establish baseline coverage before refactoring the
signal handling code for safety and reliability improvements.

* tests: Add tests for SIGHUP reload and worker lifecycle

Add tests for reload and worker management:
- TestSighupReload (3 tests): Verify reload spawns configured number
  of workers, calls manage_workers, and logs hang up message
- TestWorkerLifecycle (4 tests): Test spawn_worker adds to WORKERS
  dict, kill_worker sends correct signal, murder_workers sends
  SIGABRT first then SIGKILL on subsequent timeout

* arbiter: Fix waitpid status parsing using POSIX macros

Use os.WIFEXITED/WEXITSTATUS and os.WIFSIGNALED/WTERMSIG instead
of manual bit shifting for waitpid status interpretation. This
correctly distinguishes between normal exits and signal termination.

The previous code used 'status >> 8' which only worked for normal
exits, and used raw status values for signal detection which was
incorrect.

Fixes part of #3435 and #3056 (signal name display issues)

* arbiter: Change SIGTERM log level to warning

Log signal termination at warning level for expected signals
(SIGTERM, SIGQUIT) since these typically occur during normal
graceful shutdown. SIGKILL remains at error level with the
OOM hint since it indicates abnormal termination.

Fixes #3311, #3050 (SIGTERM logged as error)

* arbiter: Remove logging from SIGCHLD signal handler

Move reap_workers() call from signal handler context to main loop.
The signal handler (now signal_chld) only queues the signal and
wakes up the main loop. The actual reap_workers() is called from
handle_chld() in the main loop where logging is safe.

This fixes potential deadlocks caused by logging from signal
handler context when holding the logging lock.

Fixes #3198, #3004 (logging in signal handlers unsafe, deadlock)

* arbiter: Replace PIPE+select with queue.SimpleQueue

Use queue.SimpleQueue for signal handling instead of PIPE+select.
SimpleQueue is reentrant-safe and can be used from signal handlers.

Changes:
- Remove PIPE-based wakeup mechanism
- Add SIG_QUEUE as SimpleQueue instance
- Add WAKEUP_REQUEST sentinel for non-signal wakeups
- Replace sleep() with wait_for_signals() using queue.get()
- Simplify signal handler to just put_nowait()
- Update main loop to iterate over wait_for_signals()
- Add reap_workers() call in stop() to properly clean up workers
  since SIGCHLD is no longer processed during shutdown

This simplifies the code and removes the dependency on select().

Also adds integration tests for signal handling that verify:
- Basic request/response
- Graceful shutdown with SIGTERM/SIGINT
- SIGHUP reload
- Multiple concurrent requests

* arbiter: Wait for old workers on SIGHUP reload

After spawning new workers during reload, wait for old workers to
terminate before returning from reload(). This prevents the issue
where old workers could receive double SIGTERM - once from
manage_workers() and again from the arbiter loop.

The reload now tracks worker_age before spawning, then waits up to
graceful_timeout for workers older than that age to exit.

Fixes #3312, #3274 (SIGHUP can send double SIGTERM)

* arbiter: Log SIGCHLD at debug level

SIGCHLD is received frequently (whenever a worker exits) and doesn't
need to be logged at info level. Log it at debug level to reduce
noise in the logs while still making it available for debugging.

* tests: Fix lint warnings in test_arbiter.py
2026-01-22 11:56:23 +01:00
Benoit Chesneau
2d03d8e6a9 tests: Add signal handling and liveness tests for gthread worker
Add tests for:
- Worker liveness reporting to arbiter via WorkerTmp
- SIGTERM graceful shutdown behavior
- SIGQUIT immediate shutdown behavior
- Worker-arbiter integration (parent death detection, timeout)
- Signal interaction edge cases (multiple signals, ordering)

These tests ensure the gthread worker properly:
- Calls notify() in the main loop for arbiter heartbeat
- Handles SIGTERM by setting alive=False and waking the poller
- Handles SIGQUIT by immediately shutting down the thread pool
- Drains connections during graceful shutdown within timeout
- Cleans up resources properly on exit
2026-01-22 09:54:04 +01:00
Benoit Chesneau
0186211400 gthread: Lock-free PollableMethodQueue refactoring
Replace RLock-based synchronization with a pipe-based method queue
for lock-free coordination between worker threads and main thread.

Key changes:
- Add PollableMethodQueue class using os.pipe() for wake-up signaling
- Non-blocking pipe (both ends) for BSD compatibility (FreeBSD, OpenBSD)
- Unified event loop using single poller.select() - no more futures.wait()
- Better graceful shutdown with connection draining within grace period
- Rename _keep to keepalived_conns, remove _lock entirely
- Add handle_exit() for SIGTERM, improve handle_quit() for SIGQUIT
- Add set_accept_enabled() for dynamic connection acceptance control
- Add wait_for_and_dispatch_events() with EINTR handling

Performance improvement: ~8% at high concurrency due to reduced
lock contention and non-blocking pipe operations.

Tests: 40 tests covering PollableMethodQueue, graceful shutdown,
keepalive management, error handling, and BSD compatibility.

Fixes #3146
Closes #3157
2026-01-22 09:32:48 +01:00
Benoit Chesneau
b43dc6d398 gthread: Improve reliability and fix edge cases
This commit addresses three issues with the gthread worker:

1. Request body handling on keepalive
   - Add finish_body() method to Parser to discard unread body bytes
   - Call it before returning connections to the poller
   - Prevents socket appearing readable due to leftover body
   Fixes #3301

2. Timeout reliability with monotonic clock
   - Replace time.time() with time.monotonic() in set_timeout()
   - Replace time.time() with time.monotonic() in murder_keepalived()
   - Prevents timeout issues caused by NTP adjustments

3. SSL error handling
   - Move conn.init() from enqueue_req() to handle()
   - SSL handshake now runs in worker thread, not main thread
   - ENOTCONN errors during ssl_wrap_socket are caught per-connection
   - Prevents entire worker crashes on SSL handshake failures

Also adds comprehensive unit tests for the gthread worker.

Closes #3303
Closes #3308
2026-01-22 09:14:19 +01:00
Benoit Chesneau
e75c3533e3
Merge pull request #3189 from pajod/patch-py36
chore: eat Python 2 leftovers
2024-08-10 10:40:40 +02:00
Benoit Chesneau
3f56d76548
Merge pull request #3192 from pajod/patch-allowed-script-name
22.0.0 regression: We need a better default treatment of SCRIPT_NAME
2024-08-09 09:05:57 +02:00
Paul J. Dorn
ffa48b581d test: default change was intentional 2024-08-08 18:37:32 +02:00
Paul J. Dorn
3e042e8269 Configurable list of forwarder headers 2024-08-07 20:15:13 +02:00
Paul J. Dorn
2bc931e7d9 whitespace handling in header field values
Strip whitespace also *after* header field value.
Simply refuse obsolete header folding (a default-off
option to revert is temporarily provided).
While we are at it, explicitly handle recently
introduced http error classes with intended status code.
2024-08-07 19:42:16 +02:00
Benoit Chesneau
ad7c1de132
Merge pull request #3080 from odyfatouros/Fix-#3079-worker_class-parameter-accepts-class
Fix for issue #3079, worker_class parameter accepts a class
2024-08-07 08:47:20 +02:00
benoitc
555d2fa27f don't tolerate wrong te headers
changes:

- Just follow the new TE specification (https://datatracker.ietf.org/doc/html/rfc9112#name-transfer-encoding)
 here and accept to introduce a breaking change.
- gandle multiple TE on one line

** breaking changes ** : invalid  headers and position will now return
an error.
2024-08-06 23:47:01 +02:00
Benoit Chesneau
9a96e75808
Merge pull request #3253 from pajod/patch-rfc9110-section5.5
Refuse requests with invalid and dangerous CR/LF/NUL in header field value, as demanded by rfc9110 section 5.5
2024-08-06 22:25:12 +02:00
Paul J. Dorn
cabc666277 chunked encoding: example invalid requests 2024-07-31 19:21:07 +02:00
Paul J. Dorn
eda9d456d3 forbid lone CR/LF and NUL in headers
New parser rule: refuse HTTP requests where a header field value
contains characters that
a) should never appear there in the first place,
b) might have lead to incorrect treatment in a proxy in front, and
c) might lead to unintended behaviour in applications.

From RFC 9110 section 5.5:
"Field values containing CR, LF, or NUL characters are invalid and
dangerous, due to the varying ways that implementations might parse
and interpret those characters; a recipient of CR, LF, or NUL within
a field value MUST either reject the message or replace each of those
characters with SP before further processing or forwarding of that
message."
2024-07-31 01:28:30 +02:00
Vaclav Rehak
97f87ec13e Fix InvalidHTTPVersion exception str method
Fixes: #3195
2024-04-26 13:58:10 +02:00
Paul J. Dorn
422b18acea class Name(object): -> class Name: 2024-04-22 03:33:30 +02:00
Paul J. Dorn
4323027b1e drop long-default - coding: utf-8 2024-04-22 03:33:14 +02:00
Odysseas Fatouros
08364f0365 Issue #3079, add unit test 2024-01-02 14:21:26 +01:00
Paul J. Dorn
184e36f9da skip eventlet, not yet supported on python 3.12
will work again,
should still be reverted when stdlib conflict resolved in eventlet
2023-12-29 05:11:18 +01:00
Paul J. Dorn
e710393d14 HTTP parser: stricter chunk-ext OBS handling
chunk extensions are silently ignored before and after this change;
its just the whitespace handling for the case without extensions that matters
applying same strip(WS)->rstrip(BWS) replacement as already done in related cases

half-way fix: could probably reject all BWS cases, rejecting only misplaced ones
2023-12-17 17:46:56 +01:00
Paul J. Dorn
7ebe442d08 strict HTTP version validation
Note: This is unrelated to a reverse proxy potentially talking HTTP/3 to clients.
This is about the HTTP protocol version spoken to Gunicorn, which is HTTP/1.0 or HTTP/1.1.

Little legitimate need for processing HTTP 1 requests with ambiguous version numbers.
Broadly refuse.

Co-authored-by: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
2023-12-15 13:33:31 +01:00
Paul J. Dorn
f5501111a2 strict HTTP header field name validation
Do the validation on the original, not the result from unicode case folding.

Background:
latin-1 0xDF is traditionally uppercased 0x53+0x53 which puts it back in ASCII
2023-12-15 13:33:31 +01:00
Paul J. Dorn
ac29c9b0a7 fail-safe on unsupported request framing
If we promise wsgi.input_terminated, we better get it right - or not at all.
* chunked encoding on HTTP <= 1.1
* chunked not last transfer coding
* multiple chinked codings
* any unknown codings (yes, this too! because we do not detect unusual syntax that is still chunked)
* empty coding (plausibly harmless, but not see in real life anyway - refused, for the moment)
2023-12-15 13:33:31 +01:00
Paul J. Dorn
72b8970dbf silently drop or refuse header names w/ underscore
Ambiguous mappings open a bottomless pit of "what is user input and what is proxy input" confusion.
Default to what everyone else has been doing for years now, silently drop.

see also https://nginx.org/r/underscores_in_headers
2023-12-15 13:33:31 +01:00
Paul J. Dorn
b2846783d7 strict: header field validation: stop casefolding
* refusing lowercase and ASCII 0x23 (#) had been partially enforced before
* do not casefold by default, HTTP methods are case sensitive
2023-12-15 13:33:31 +01:00
Paul J. Dorn
42dd4190ac test: verify TOKEN_RE against common HTTP Methods 2023-12-15 13:33:31 +01:00
Ben Kallus
72238fcf8d RFC compliant request line and header parsing
- Unify HEADER_RE and METH_RE
- Replace CRLF with SP during obs-fold processing (See RFC 9112 Section 5.2, last paragraph)
- Stop stripping header names.
- Remove HTAB in OWS in header values that use obs-fold (See RFC 9112 Section 5.2, last paragraph)
- Use fullmatch instead of search, which has problems with empty strings. (See GHSA-68xg-gqqm-vgj8)
- Split proxy protocol line on space only. (See proxy protocol Section 2.1, bullet 3)
- Use fullmatch for method and version (Thank you to Paul Dorn for noticing this.)
- Replace calls to str.strip() with str.strip(' \t')
- Split request line on SP only.

Co-authored-by: Paul Dorn <pajod@users.noreply.github.com>
2023-12-15 13:33:31 +01:00
Paul J. Dorn
559caf9205 pytest: raise on malformed test fixtures
and unbreak test depending on backslash escape
2023-12-15 13:33:31 +01:00
Jason Myers
fa94f70529 Updating Content-Length Handling
Signed-off-by: Jason Myers <jmyers@syntellis.com>
2023-05-30 20:42:13 -05:00
unknown
48d670f087 update pylint version, and fix linter issues 2023-05-17 18:45:59 +03:00
Tero Saarni
d8c3b1490e Deprecate ssl_version option
This change defaults SSLContext to Python's ssl.create_default_context() and
marks ssl_version option as deprecated. The option value will be ignored and
warnign will be printed in stderr.

The ssl_version option was depending on old method of setting TLS min/max
version, which has not worked well anymore with modern Python versions.
2023-05-11 17:45:57 +03:00
Benoit Chesneau
4a1c402e2c
Merge pull request #2384 from larribas/2066-statsd-socket
Allow reporting StatsD metrics over UDS sockets
2023-05-07 20:39:11 +02:00
Christian Clauss
1feb7c59a2 Revert the xfail for Python 3.10 2022-02-07 08:23:03 +11:00
Christian Clauss
a16b8975a9 GitHub Action to run tox
Because Travis CI seems to be on vacation... https://travis-ci.org/github/benoitc/gunicorn
2022-02-07 08:23:03 +11:00
Randall Leeds
3573fd38d0 Capture peer name from accept
Avoid calls to getpeername by capturing the peer name returned by
accept.
2020-12-17 22:13:02 -05:00
larribas
2a16fcd3ce Test and defend against the specific case where the statsd hostname is 'unix' 2020-07-20 10:16:42 +02:00
larribas
15abac7e81 Allow specifying a UDS socket address through --statsd-host 2020-07-19 20:11:09 +02:00
Hasan Ramezni
57a9e2eb7e Specify wsgi_app in config #1359. 2020-05-01 01:11:21 +02:00
Randall Leeds
839d5dc66c Merge pull request #1996 from javabrett/1690-rewritings 2020-04-20 15:37:41 -07:00
Randall Leeds
ee685e197b Merge pull request #2054 from rcoup/2052-print-config 2020-04-20 12:40:57 -07:00
Stanis Trendelenburg
27d1e9887a Fix issues #2133 and #2244
Start reloader after loading the WSGI app.
2020-02-02 22:57:14 +01:00
Jason Madden
2d40e6dace
Use socket.sendfile() instead of os.sendfile().
Fixes #2223.

Unfortunately, eventlet doesn't implement GreenSocket.sendfile, so we have to do it for it.

Add gevent and eventlet to tox.ini and add tests to make sure we can at least import the workers. Some tests that this actually functions would be nice...

Update the gevent and eventlet setup extras to require the versions that are enforced in their worker modules.
2020-01-04 06:31:25 -06:00
Aaron Wilson
291483dd39 Add a __repr__ to config to include its value (#2076)
It's sometimes helpful to be able to trivially dump all the config values
for debugging purposes. This commit defines a repr for that.
2019-11-22 21:39:45 +01:00
Benoit Chesneau
c5be1bae5c
Merge pull request #2181 from Sytten/fix/http-desync
Fix/http desync
2019-11-20 21:28:18 +01:00
Emile Fugulin
ddf5e66ac8 Remove strict check of Transfer-Encoding 2019-11-20 12:25:39 -05:00
David Lord
19cb68f4c3 load application from factory function (#2178)
* load application from factory function

Use `ast.parse` to validate that the string passed to the CLI is either
an attribute name or a function call. Use `ast.literal_eval` to parse
any positional and keyword arguments to the function. Call the function
to get the real application.

Co-authored-by: Connor Brinton <connor.brinton@gmail.com>

* test coverage for util.import_app

* document app factory pattern
2019-11-19 23:09:53 +01:00
Emile Fugulin
f74324bd75 Handle multiple transfer-encoding 2019-11-18 22:29:02 -05:00
Emile Fugulin
bd8670b4db Handle duplicate content-length 2019-11-18 21:16:12 -05:00
Emile Fugulin
b798412444 Remove default strip of header name 2019-11-18 19:44:01 -05:00