Strip trailing optional whitespace (OWS) from single-line header field values #3254
Conversation
gunicorn/config.py
Outdated
| @@ -2241,6 +2241,24 @@ class PasteGlobalConf(Setting): | |||
| """ | |||
|
|
|||
|
|
|||
| class RefuseObsoleteFolding(Setting): | |||
There was a problem hiding this comment.
let just make it the default if it's not supported by the specidication.
There was a problem hiding this comment.
You okay with just flipping it? You added test 016.http in d4ae13c - there may still be systems generating this stuff. If so, it would be forthcoming to offer people the usual flag to determine whether they are hit by this or a different change applied in the same release.
There was a problem hiding this comment.
the spec says
Field values containing CR, LF, or NUL characters are invalid and dangerous, due to the varying ways that implementations might parse and interpret those characters; a recipient of CR, LF, or NUL within a field value MUST either reject the message or replace each of those characters with SP before further processing or forwarding of that message. Field values containing other CTL characters are also invalid; however, recipients MAY retain such characters for the sake of robustness when they appear within a safe context (e.g., an application-specific quoted string that will not be processed by any downstream HTTP parser).
So you're right there to keep that extra option.
There was a problem hiding this comment.
Careful, there seems to be a mixup here! You quoted the excerpt relating to 2, but I was replying regarding 3:
- lone CR/LF or any NUL in field values - always bad, spec demands reject or replace (lets start rejecting, see Refuse requests with invalid and dangerous CR/LF/NUL in header field value, as demanded by rfc9110 section 5.5 #3253)
- control characters beyond those aforementioned 3 in field values - sometimes bad, spec still permits some leeway (lets pass them as-is for now)
- obsolete folding in regular requests - not bad in itself, but increases severity of other parser bugs, spec demands reject or replace (lets start rejecting and merely add a temporary escape hatch option to ease diagnostics)
(Sorry for submitting somewhat related, but in fact separate concerns in one PR. I can still split it up if that helps..)
There was a problem hiding this comment.
this is fine. Thanks for the explanation. Let's merge this change. I think we will deprate the option in next release to remove it completely from 24.
pajod
force-pushed
the
patch-header-trailing-ws
branch
from
8fdb839 to
d1094c1
Compare
Strip whitespace also *after* header field value. Simply refuse obsolete header folding (a default-off option to revert is temporarily provided). While we are at it, explicitly handle recently introduced http error classes with intended status code.
pajod
force-pushed
the
patch-header-trailing-ws
branch
from
d1094c1 to
2bc931e
Compare
Backwards incompatible behavior - but only in rare instances of trailing padding on header field values. Old behavior was wrong, new behavior is sanctioned by https://datatracker.ietf.org/doc/html/rfc9112#name-field-syntax
first commit is just to clean up diff view, should be empty if applied after CI: verify docs are up to date #3217config tosquish deprecated folding altogether