129 Commits

Author SHA1 Message Date
r266-tech
f8fca7a72f
fix: add __iter__ and __next__ to FileWrapper for PEP 3333 compliance (#3550)
* fix: add __iter__ and __next__ to FileWrapper for PEP 3333 compliance

The WSGI spec (PEP 3333) requires that wsgi.file_wrapper return an
iterable object. Gunicorn's FileWrapper only implemented __getitem__,
which technically makes it iterable via old-style iteration but breaks
code that explicitly relies on the iterator protocol (e.g., calling
iter() or using next()).

This adds __iter__ (returning self) and __next__ to make FileWrapper
a proper iterator, maintaining backward compatibility with existing
__getitem__-based usage.

Fixes #3396

* Fix lint: move imports to top of file

---------

Co-authored-by: contributor <noreply@users.noreply.github.com>
Co-authored-by: Benoit Chesneau <bchesneau@gmail.com>
2026-03-24 22:38:16 +01:00
Benoit Chesneau
655716a181 feat(http2): add stream priority support (RFC 7540 Section 5.3) 2026-01-27 11:44:33 +01:00
Benoit Chesneau
66d0880c74 Address PR #3468 review feedback
- Guard early_hints callback against calls after response started
- Fix :authority precedence over Host header per RFC 9113 section 8.3.1
- Add nginx early_hints documentation link
- Use standard port 443 in curl examples
2026-01-27 09:59:35 +01:00
Benoit Chesneau
75b46bf6cf Add HTTP 103 Early Hints support (RFC 8297)
Implement HTTP 103 Early Hints as modern replacement for HTTP/2 Server Push.
This allows servers to send resource hints before the final response,
enabling browsers to preload assets in parallel.

WSGI support:
- Add wsgi.early_hints callback to environ dict
- Apps can call environ['wsgi.early_hints'](headers) to send 103 responses
- Silently ignored for HTTP/1.0 clients (don't support 1xx responses)

ASGI support:
- Handle http.response.informational message type
- Apps can await send({"type": "http.response.informational", "status": 103, ...})

HTTP/2 support:
- Add send_informational() method to HTTP2ServerConnection
- Add async send_informational() method to AsyncHTTP2Connection
- Wire up early hints in gthread worker for HTTP/2 requests

Includes unit tests and Docker integration tests for all protocols.
2026-01-27 09:57:32 +01:00
Paul J. Dorn
88d503ba1c HTTP/1.0 - ignore Expect: 100-continue
* ignore on HTTP/1.0 (would possibly confuse a client or proxy)
* refuse requests with unknown expectations

https://datatracker.ietf.org/doc/html/rfc9110#section-10.1.1
2026-01-24 21:59:02 +01:00
Paul J. Dorn
422b18acea class Name(object): -> class Name: 2024-04-22 03:33:30 +02:00
Paul J. Dorn
4323027b1e drop long-default - coding: utf-8 2024-04-22 03:33:14 +02:00
Paul J. Dorn
72b8970dbf silently drop or refuse header names w/ underscore
Ambiguous mappings open a bottomless pit of "what is user input and what is proxy input" confusion.
Default to what everyone else has been doing for years now, silently drop.

see also https://nginx.org/r/underscores_in_headers
2023-12-15 13:33:31 +01:00
Tomi Belan
f0c91cca48 Check SCRIPT_NAME is at the request path's beginning 2023-12-15 13:33:31 +01:00
Ben Kallus
72238fcf8d RFC compliant request line and header parsing
- Unify HEADER_RE and METH_RE
- Replace CRLF with SP during obs-fold processing (See RFC 9112 Section 5.2, last paragraph)
- Stop stripping header names.
- Remove HTAB in OWS in header values that use obs-fold (See RFC 9112 Section 5.2, last paragraph)
- Use fullmatch instead of search, which has problems with empty strings. (See GHSA-68xg-gqqm-vgj8)
- Split proxy protocol line on space only. (See proxy protocol Section 2.1, bullet 3)
- Use fullmatch for method and version (Thank you to Paul Dorn for noticing this.)
- Replace calls to str.strip() with str.strip(' \t')
- Split request line on SP only.

Co-authored-by: Paul Dorn <pajod@users.noreply.github.com>
2023-12-15 13:33:31 +01:00
Ben Kallus
2dbe49de99 RFC compliant header field+chunk validation
* update HEADER_RE and HEADER_VALUE_RE to match the RFCs
* update chunk length parsing to disallow 0x prefix and digit-separating underscores.
2023-12-15 13:33:31 +01:00
unknown
48d670f087 update pylint version, and fix linter issues 2023-05-17 18:45:59 +03:00
Vytautas Liuolia
7209ea3ccb
Merge branch 'master' into fix-sendfile-offset 2022-08-29 18:58:38 +02:00
Hazh. M. Adam
7d8f68c1a7
Solving issue #2692
ValueError: count must be a positive integer (got 0)
2022-04-04 12:27:55 +08:00
Vytautas Liuolia
f639128bd7 Fix sendfile behaviour for open files with non-zero offset. 2021-11-12 21:39:10 +01:00
Benoit Chesneau
dcfd0f04e8 fix SERVER_SOFTWARE property
WSGI spec requires the SERVER_SOFTWARE property containing the name and version. This change fix it and separate the version header from SERVER_SOFTWARE property. We expose the SERVER variable so custom installations can change it in one place without looking much when needed.
2020-01-10 13:50:53 +01:00
Jason Madden
2d40e6dace
Use socket.sendfile() instead of os.sendfile().
Fixes #2223.

Unfortunately, eventlet doesn't implement GreenSocket.sendfile, so we have to do it for it.

Add gevent and eventlet to tox.ini and add tests to make sure we can at least import the workers. Some tests that this actually functions would be nice...

Update the gevent and eventlet setup extras to require the versions that are enforced in their worker modules.
2020-01-04 06:31:25 -06:00
Takuya Noguchi
ed901637ff Enable pycodestyle 2019-11-28 19:30:38 +09:00
benoitc
8a270c9329 wsgi.input_terminated is always true
As spotted by @tilgovi Gunicorn always ensure the reader terminate. So set wsgi.input_terminated to true to signal it to the application.
2019-11-21 18:13:55 +01:00
benoitc
0d8a022791 Revert "fix wsgi.input_terminated"
This reverts commit 265e58f9e82f64e003015fb25823f5a983be8c27.
2019-11-21 18:11:17 +01:00
benoitc
265e58f9e8 fix wsgi.input_terminated
Sometimes both TRANSFER-ENCODING=chunked and CONTENT_LENGTH are set. Since gunicorn prioritise (following the HTTP1.1 spec) chunked encoding we should make sure in this case to signal to th application that the input is terminated by the server.

Without the change gunicorn were always setting wsg.input_terminated to False when a CONTENT_LENGTH header was present ignoring that Gunicorn was afaik handling the termination.
2019-11-20 23:07:14 +01:00
Jeff Brooks
ad6ed3f4c8 Implement check and exception for str type on value in Response process_headers method. 2019-10-15 09:03:44 -05:00
Jeff Brooks
54c820feb3 Ensure header value is string before conducting regex search on it. 2019-10-10 10:41:22 -05:00
Benoit Chesneau
cf8ac37ce4
Merge pull request #1969 from benoitc/wsgi_input_terminated
handle `wsgi.input_terminated` extension
2019-04-29 13:58:05 +02:00
Brett Randall
879651bb6f Header values are encoded using latin-1, not ascii.
This commit reverts one aspect changed by 5f4ebd2eb2b08783a5fbefe79d09fcb3fc1fbc73 (#1151);
header-values are again encoded as latin-1 and not ascii. Test is restored but uses
a latin-1-mappable test-character, not a general utf8 character.

Fixed #1778.

Signed-off-by: Brett Randall <javabrett@gmail.com>
2019-04-18 04:23:19 +03:00
Benoit Chesneau
e5141a1c5a handle wsgi.input_terminated extension
fix #1653
2019-01-24 15:47:15 +01:00
Hugo
e974f30517 Drop support for Python 2
Co-Authored-By: Dustin Ingram <di@users.noreply.github.com>
Co-Authored-By: Berker Peksag <berker.peksag@gmail.com>
2018-08-01 15:31:17 +03:00
Christian Kreuzberger
f2b8b687e2 Fix for #1755: Decode remote addr if it is a byte 2018-05-02 11:52:34 +02:00
Berker Peksag
76eaa0805b Fix various warnings and errors reported by pylint 2018-01-11 09:59:31 +03:00
Randall Leeds
b07532be75 Forbid contradictory secure scheme headers
When a request specifies contradictory secure scheme headers, raise a
parse error.
2018-01-10 12:10:35 -08:00
tomjaguarpaw
cf401982fd Remove redundant "is not None" in gunicorn/http/wsgi.py (#1556) 2017-08-01 13:51:19 +03:00
Benno Rice
e6edcb454a Remove some errant trailing commas. 2017-07-12 16:16:10 +03:00
Ed Morley
fbd151e984 Remove dead code found using vulture (#1469)
https://pypi.python.org/pypi/vulture

In particular the removal of `get_maxfd()` means the `resource` module
is no longer required (which is not available on Windows) and so helps
with #524.
2017-03-13 13:33:11 -07:00
benoitc
1e10a02e73 check if the header contains control characters
fix #1227
2016-03-19 19:16:59 +01:00
Benoit Chesneau
db52b6e66b Merge pull request #1079 from darkrain42/empty-message-for-HEAD-replies
Ensure response to HEAD request won't have message body
2016-01-22 15:17:54 +01:00
benoitc
6dcd7a6ada keep a consistent style 2016-01-05 01:10:38 +01:00
Hannes Uebelacker
2fe4ad72ca fix http.wsgi.Response.sendfile 2016-01-04 14:11:15 +01:00
Paul Aurich
53329b19cc Ensure response to HEAD request won't have message body
Ensure that Gunicorn won't try to use chunked transfer-encoding for responses
to a HEAD request, so that `Response.close` will not write a terminating
chunk. Responses to a HEAD request MUST NOT have a message-body.

The application is still responsible for ensuring no message body is actually
generated in response to a HEAD request.
2016-01-03 18:25:07 -08:00
benoitc
5bc13be79e rename util.is_fileobject to util.has_fileno
be more descriptive
2015-12-31 15:32:08 +01:00
benoitc
d55ef38c8a reuse util.is_fileobject
is_fileobject usgae was removed due to the use of the `tell` method check.
This change remove this check wich allows us to completely test if
fileno() is usable. Also it handle most of the exceptions around created by
breaking changes across Python versions. Hopefully we are good now.

fix #1174
2015-12-31 14:50:48 +01:00
Randall Leeds
98c9e3b375 Catch sendfile failure from no file descriptor
If the filelike response object has no `fileno` attribute, then skip
trying to use sendfile rather than failing with an error.

Close #1160
2015-12-28 14:50:46 -08:00
Randall Leeds
d8b6f0afff Clarify --no-sendfile default
The --no-sendfile option had a confusing entry in the usage message.
Even though sendfile is enabled by default, the --no-sendfile flag
showed a true value as the default, which could be interpreted to
mean that by default sendfile support is disabled.

This change makes the default "None", meaning sendfile is not
disabled, which is hopefully slightly more clear.

Close #1156
2015-12-27 13:27:20 -08:00
Randall Leeds
1f3bdddfb2 Do not rely on sendfile sending requested count
Close #1155
2015-11-29 11:14:04 -08:00
benoitc
5f4ebd2eb2 don't return utf8 header in example
Since the updated RFC 7230 implys that new Headers Key and Value should be
sent as USASCII only don't try to test utf8 headers in examples.

We now only encode them to ascii. Gunicorn will fail if it's unable to encode
them letting the responsability to the application to correctly encode the
response. (we are just a gateway).

While i'm here simplify the code to not create an extra function only used at
one place.

NOTE: if anyone come to a better solution, i am happy to revisit it on the
next release.

fix #1151
2015-11-25 13:29:46 +01:00
Randall Leeds
18d2b92146 Simplify sendfile logic
A safe and reliable check for whether a file descriptor supports mmap
is to directly check if it is seekable. However, some seekable file
descriptors may also report a zero size when calling fstat. If there
is no content length specified for the response and it cannot be
determined from the file descriptor then it is not possible to know
what chunk size to send to the client. In this case, is it necessary
to fall back to unwinding the body by iteration.

The above conditions together reveal a straightforward and reliable
way to check for sendfile support. This patch modifies the Response
class to assert these conditions using a try/catch block as part of
a new, simplified sendfile method. This method returns False if it
is not possible to serve the response using sendfile. Otherwise, it
serves the response and returns True. By returning False when SSL is
in use, the code is made even simpler by removing the special support
for SSL, which is served well enough by the iteration protocol.

Fix #1038
2015-11-10 17:57:56 -08:00
Jochen Wersdörfer
338721ac56 encode http headers as latin1 RFC 2616 2015-08-29 11:16:58 +02:00
Steven Maude
ad07bccb4e Fix comment typos
In wsgi.py
2015-05-27 14:29:12 +01:00
Berker Peksag
d376b6f78a Raise TypeError instead of AssertionError.
assert statements will be removed if you run Python
in optimized mode (e.g. with -O flag).
2015-02-23 00:35:47 +02:00
Randall Leeds
f3bb0e1e1d Fix typo WSGIErrorsWraper -> WSGIErrorsWrapper 2014-11-30 20:54:30 -08:00
benoitc
2f226acda4 fix method call. 2014-10-19 18:06:51 +02:00