mirror of
https://github.com/frappe/gunicorn.git
synced 2026-07-02 18:51:31 +08:00
Three findings against the ASGI PROXY protocol path:

- High: an untrusted peer could send a PROXY v1/v2 header and have the client address surfaced to the app. _setup_callback_parser now passes proxy_protocol='off' to the parser when the peer is not in proxy_allow_ips. _effective_peername adds a defensive re-check.
- Medium: PROXY v1 TCP4/TCP6 addresses were copied as strings without validation. Validate with socket.inet_pton, mirroring the WSGI parser.
- Medium: PROXY v2 quietly mapped non-STREAM (DGRAM) protocols to UDP4/UDP6. gunicorn is an HTTP server; reject non-STREAM with InvalidProxyHeader, mirroring the WSGI parser.
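The first two findings in the commit message above, worked through as an added Python example that is not gunicorn's own code: a PROXY v1 line parser that validates TCP4/TCP6 addresses with socket.inet_pton instead of copying them as strings, and a peername helper that consults the header only when the transport peer is in proxy_allow_ips, so an untrusted peer cannot choose the client address the app sees. The local InvalidProxyLine class, the function names, the allow-list format (CIDR strings or '*') and the constructed sample lines are assumptions for this example; the PROXY v2 binary format and its non-STREAM check are not covered here.

```python
import socket
from ipaddress import ip_address, ip_network


class InvalidProxyLine(Exception):
    """Malformed PROXY v1 line (local stand-in, not gunicorn's error class)."""


# PROXY v1 protocol tokens and the address family used to validate each one
_FAMILIES = {"TCP4": socket.AF_INET, "TCP6": socket.AF_INET6}
_MAX_V1_LINE = 107  # PROXY v1 spec: at most 107 bytes including the trailing CRLF


def _valid_address(family, text):
    # inet_pton rejects junk such as "999.1.1.1", and a v4 literal under TCP6
    try:
        socket.inet_pton(family, text)
    except (OSError, ValueError):
        return False
    return True


def parse_proxy_v1_line(line):
    """Parse b'PROXY TCP4 <src> <dst> <sport> <dport>\\r\\n'.

    Returns a dict of validated fields, or None for 'PROXY UNKNOWN' (header
    present but carries no usable address). Raises InvalidProxyLine otherwise.
    """
    if len(line) > _MAX_V1_LINE or not line.endswith(b"\r\n"):
        raise InvalidProxyLine("bad length or terminator")
    try:
        parts = line[:-2].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise InvalidProxyLine("non-ASCII byte in PROXY line")
    if parts[0] != "PROXY":
        raise InvalidProxyLine("missing PROXY keyword")
    if len(parts) >= 2 and parts[1] == "UNKNOWN":
        return None
    if len(parts) != 6 or parts[1] not in _FAMILIES:
        raise InvalidProxyLine("unexpected field count or protocol")
    _, proto, src, dst, sport, dport = parts
    family = _FAMILIES[proto]
    if not (_valid_address(family, src) and _valid_address(family, dst)):
        raise InvalidProxyLine("address does not parse for %s" % proto)
    # decoded as ASCII above, so isdigit() only accepts 0-9 here
    if not (sport.isdigit() and dport.isdigit()):
        raise InvalidProxyLine("non-numeric port")
    sport, dport = int(sport), int(dport)
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise InvalidProxyLine("port out of range")
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


def peer_allowed(peer_ip, proxy_allow_ips):
    """True when the transport peer is allow-listed ('*' trusts every peer)."""
    if "*" in proxy_allow_ips:
        return True
    addr = ip_address(peer_ip)
    return any(addr in ip_network(entry, strict=False) for entry in proxy_allow_ips)


def effective_peername(transport_peer, proxy_allow_ips, header):
    """Return the (ip, port) pair the application should be shown.

    The PROXY line is only consulted when the transport peer is allow-listed;
    an untrusted peer keeps its real address regardless of what it sends.
    A malformed line from a trusted peer still raises InvalidProxyLine.
    """
    if not peer_allowed(transport_peer[0], proxy_allow_ips):
        return transport_peer
    info = parse_proxy_v1_line(header)
    if info is None:
        return transport_peer
    return (info["src"], info["sport"])


if __name__ == "__main__":
    # constructed sample: a trusted load balancer at 10.1.2.3 forwarding a client
    header = b"PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n"
    print(effective_peername(("10.1.2.3", 40000), ["10.0.0.0/8"], header))
    print(effective_peername(("203.0.113.9", 40000), ["10.0.0.0/8"], header))
```

Running the module prints `('192.168.0.1', 56324)` for the allow-listed peer and the untouched `('203.0.113.9', 40000)` for the peer outside the list, which is the behaviour the High finding restores.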
12 lines
267 B
Python
#
# This file is part of gunicorn released under the MIT license.
# See the NOTICE for more information.

from gunicorn.config import Config
from gunicorn.http.errors import InvalidProxyLine

cfg = Config()
cfg.set('proxy_protocol', True)

request = InvalidProxyLine