Package: gunicorn / 20.1.0-6+deb12u1

Metadata

Package: gunicorn
Version: 20.1.0-6+deb12u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
0001-drop-supplemental-groups.patch

gunicorn/util.py | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 also drop supplemental groups.


0002-use-system-js-libs.patch

examples/websocket/websocket.html | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 use-system-js-libs


0003-Don-t-call-chown-2-if-it-would-be-a-no-op.patch

gunicorn/util.py | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 don't call chown(2) if it would be a no-op.

Signed-off-by: Chris Lamb <lamby@debian.org>

0004-Set-supplementary-groups-when-changing-uid.patch

gunicorn/util.py | 16 16 + 0 - 0 !
1 file changed, 16 insertions(+)

 set supplementary groups when changing uid.

Thanks to Filippos Giannakos <philipgian@grnet.gr>.

Signed-off-by: Chris Lamb <lamby@debian.org>
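What patches 0001, 0003 and 0004 are getting at, as an added example written for this page (not gunicorn's own util.py; the function names, the three-call ordering helper and the self-check are this example's assumptions): a privilege drop that resets the supplementary group list before setgid/setuid, a chown(2) wrapper that skips the call when ownership already matches, and a post-drop check for groups the new identity should not hold.

```python
import grp
import os
import pwd
import tempfile


def chown_if_needed(path, uid, gid):
    """chown(2) only when owner or group would actually change.

    The no-op call is not free: it can still fail (EPERM, EROFS) even
    though nothing would change.  Returns True if chown(2) was called.
    """
    st = os.stat(path)
    if (st.st_uid, st.st_gid) == (uid, gid):
        return False
    os.chown(path, uid, gid)
    return True


def drop_privileges(uid, gid):
    """Switch to uid/gid, replacing the supplementary group list first.

    Order matters: groups, then gid, then uid.  After setuid() to an
    unprivileged user the process can no longer touch its group list,
    so a leftover root group set would be permanent.  Returns the calls
    made, in order; empty when not running as root, because without
    CAP_SETUID/CAP_SETGID there is nothing to drop.
    """
    done = []
    if os.geteuid() != 0:
        return done
    name = pwd.getpwuid(uid).pw_name
    # Without this step the worker keeps the parent's supplementary
    # groups (for a master started as root, usually gid 0 among them).
    # initgroups() replaces them with the groups `name` belongs to, plus gid.
    os.initgroups(name, gid)
    done.append(("initgroups", name, gid))
    os.setgid(gid)
    done.append(("setgid", gid))
    os.setuid(uid)
    done.append(("setuid", uid))
    return done


def unexpected_supplementary_groups(name, gid):
    """Post-drop check: supplementary groups the process holds that the
    group database does not grant to `name` (and that are not gid)."""
    expected = {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    expected.add(gid)
    return set(os.getgroups()) - expected


def self_check():
    """Exercise both helpers on the current identity (no privilege change
    unless already root).  Returns (chown_called, calls_made)."""
    fd, path = tempfile.mkstemp()  # constructed scratch file, owned by us
    os.close(fd)
    try:
        called = chown_if_needed(path, os.getuid(), os.getgid())
    finally:
        os.unlink(path)
    calls = drop_privileges(os.getuid(), os.getgid())
    return called, calls


if __name__ == "__main__":
    print(self_check())
    me = pwd.getpwuid(os.getuid()).pw_name
    print("unexpected groups:", unexpected_supplementary_groups(me, os.getgid()))
```

Run as root, drop_privileges(uid, gid) makes the three calls in that order; as an ordinary user it returns an empty list. The check worth keeping after any drop is that unexpected_supplementary_groups() comes back empty: a worker that still lists gid 0 there can read anything group-root-readable, whatever its uid says.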

0005-eventlet-worker-ALREADY_HANDLED-WSGI_LOCAL.patch

gunicorn/workers/geventlet.py | 11 10 + 1 - 0 !
1 file changed, 10 insertions(+), 1 deletion(-)

 eventlet worker: already_handled -> wsgi_local

Eventlet v0.30.3+ removed wsgi.ALREADY_HANDLED in favor of
`wsgi.WSGI_LOCAL.already_handled: bool`

Sorry, this breaking change happened during only a patch version
increase, 0.30.2 -> 0.30.3

https://github.com/eventlet/eventlet/issues/543
https://github.com/eventlet/eventlet/pull/544

0001-fail-safe-on-unsupported-request-framing.patch

gunicorn/config.py | 18 18 + 0 - 0 !
gunicorn/http/errors.py | 9 9 + 0 - 0 !
gunicorn/http/message.py | 45 45 + 0 - 0 !
tests/requests/invalid/chunked_01.http | 12 12 + 0 - 0 !
tests/requests/invalid/chunked_01.py | 2 2 + 0 - 0 !
tests/requests/invalid/chunked_02.http | 9 9 + 0 - 0 !
tests/requests/invalid/chunked_02.py | 2 2 + 0 - 0 !
tests/requests/invalid/chunked_03.http | 8 8 + 0 - 0 !
tests/requests/invalid/chunked_03.py | 2 2 + 0 - 0 !
tests/requests/invalid/chunked_04.http | 11 11 + 0 - 0 !
tests/requests/invalid/chunked_04.py | 2 2 + 0 - 0 !
tests/requests/invalid/chunked_05.http | 11 11 + 0 - 0 !
tests/requests/invalid/chunked_05.py | 2 2 + 0 - 0 !
tests/requests/invalid/chunked_06.http | 9 9 + 0 - 0 !
tests/requests/invalid/chunked_06.py | 2 2 + 0 - 0 !
tests/requests/invalid/chunked_08.http | 9 9 + 0 - 0 !
tests/requests/invalid/chunked_08.py | 2 2 + 0 - 0 !
tests/requests/invalid/nonascii_01.http | 4 4 + 0 - 0 !
tests/requests/invalid/nonascii_01.py | 5 5 + 0 - 0 !
tests/requests/invalid/nonascii_02.http | 4 4 + 0 - 0 !
tests/requests/invalid/nonascii_02.py | 5 5 + 0 - 0 !
tests/requests/invalid/nonascii_04.http | 5 5 + 0 - 0 !
tests/requests/invalid/nonascii_04.py | 5 5 + 0 - 0 !
tests/requests/invalid/prefix_01.http | 2 2 + 0 - 0 !
tests/requests/invalid/prefix_01.py | 2 2 + 0 - 0 !
tests/requests/invalid/prefix_02.http | 2 2 + 0 - 0 !
tests/requests/invalid/prefix_02.py | 2 2 + 0 - 0 !
tests/requests/invalid/prefix_03.http | 4 4 + 0 - 0 !
tests/requests/invalid/prefix_03.py | 5 5 + 0 - 0 !
tests/requests/invalid/prefix_04.http | 5 5 + 0 - 0 !
tests/requests/invalid/prefix_04.py | 5 5 + 0 - 0 !
tests/requests/invalid/prefix_05.http | 4 4 + 0 - 0 !
tests/requests/invalid/prefix_05.py | 5 5 + 0 - 0 !
tests/requests/valid/025.http | 9 7 + 2 - 0 !
tests/requests/valid/025.py | 6 5 + 1 - 0 !
tests/requests/valid/025compat.http | 18 18 + 0 - 0 !
tests/requests/valid/025compat.py | 27 27 + 0 - 0 !
tests/requests/valid/029.http | 2 1 + 1 - 0 !
tests/requests/valid/029.py | 2 1 + 1 - 0 !
tests/treq.py | 4 3 + 1 - 0 !
40 files changed, 281 insertions(+), 6 deletions(-)

 fail-safe on unsupported request framing

If we promise wsgi.input_terminated, we better get it right - or not at all.
* chunked encoding on HTTP <= 1.1
* chunked not last transfer coding
* multiple chunked codings
* any unknown codings (yes, this too! because we do not detect unusual syntax that is still chunked)
* empty coding (plausibly harmless, but not seen in real life anyway - refused, for the moment)
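The refusal rules in that list, as an added example written for this page (not the patch's code; the function names are assumptions). The version rule is applied as "Transfer-Encoding is only accepted on HTTP/1.1 or later", and the last check goes beyond the list: it also refuses Content-Length sent alongside Transfer-Encoding, the other classic framing ambiguity (RFC 9112 section 6.3).

```python
import re


class InvalidRequestFraming(Exception):
    """Raised for Transfer-Encoding framings the server must not serve."""


# transfer-coding names are tokens; OWS around list members is SP / HTAB only
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_transfer_codings(value):
    """Split a Transfer-Encoding field value into lowercased coding names."""
    return [c.strip(" \t").lower() for c in value.split(",")]


def chunked_framing(version, transfer_encoding, content_length=None):
    """Decide whether a request body is chunked-framed safely enough to
    promise wsgi.input_terminated.

    version           -- (major, minor) from the request line
    transfer_encoding -- raw Transfer-Encoding value, or None if absent
    content_length    -- raw Content-Length value, or None if absent

    Returns True for an acceptable chunked body, False when there is no
    Transfer-Encoding at all, and raises InvalidRequestFraming for every
    framing the server does not implement exactly.
    """
    if transfer_encoding is None:
        return False
    if version < (1, 1):
        raise InvalidRequestFraming("Transfer-Encoding on HTTP/%d.%d" % version)
    codings = parse_transfer_codings(transfer_encoding)
    if "" in codings:
        raise InvalidRequestFraming("empty transfer coding")
    bad = [c for c in codings if not TOKEN_RE.fullmatch(c)]
    if bad:
        raise InvalidRequestFraming("malformed coding name %r" % bad[0])
    if codings.count("chunked") > 1:
        raise InvalidRequestFraming("chunked applied more than once")
    if codings[-1] != "chunked":
        raise InvalidRequestFraming("chunked is not the final coding")
    unknown = [c for c in codings if c != "chunked"]
    if unknown:
        # Fail safe: the body may still be chunked under a spelling we do
        # not recognise, so refuse rather than guess at the framing.
        raise InvalidRequestFraming("unsupported transfer coding %r" % unknown[0])
    if content_length is not None:
        # Beyond the commit's list (this example's own rule): CL together
        # with TE is the request-smuggling ambiguity of RFC 9112 s6.3.
        raise InvalidRequestFraming("Content-Length alongside Transfer-Encoding")
    return True


def rejects(version, transfer_encoding, content_length=None):
    """True if chunked_framing() refuses this combination."""
    try:
        chunked_framing(version, transfer_encoding, content_length)
    except InvalidRequestFraming:
        return True
    return False


if __name__ == "__main__":
    # constructed header combinations, one per rule in the commit message
    for ver, te in [((1, 1), "chunked"), ((1, 0), "chunked"),
                    ((1, 1), "chunked, chunked"), ((1, 1), "chunked, gzip"),
                    ((1, 1), "gzip, chunked"), ((1, 1), "chunked,")]:
        print(ver, repr(te), "rejected" if rejects(ver, te) else "accepted")
```

Only a lone "chunked" gets through; "gzip, chunked" is valid HTTP/1.1 but is refused because nothing here implements gzip, and advertising a terminated body you cannot actually delimit is worse than a 400.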

0002-RFC-compliant-header-field-chunk-validation.patch

gunicorn/http/body.py | 5 2 + 3 - 0 !
gunicorn/http/message.py | 2 1 + 1 - 0 !
gunicorn/http/wsgi.py | 2 1 + 1 - 0 !
3 files changed, 4 insertions(+), 5 deletions(-)

 rfc compliant header field+chunk validation

* update HEADER_RE and HEADER_VALUE_RE to match the RFCs
* update chunk length parsing to disallow 0x prefix and digit-separating underscores.
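What "disallow 0x prefix and digit-separating underscores" is about, as an added example that is not the patch's code: Python's int(x, 16) accepts several spellings beyond RFC 9112's 1*HEXDIG, and each one is a place where two parsers in the request path can disagree about where a chunk ends. The 16-digit cap, the function names and the probe lines are this example's own assumptions.

```python
import re


class InvalidChunkSize(ValueError):
    pass


# RFC 9112 s7.1: chunk-size = 1*HEXDIG.  The 16-digit cap is this
# example's own choice (a sane upper bound, not an RFC rule).
CHUNK_SIZE_RE = re.compile(rb"[0-9a-fA-F]{1,16}")


def chunk_size_lenient(line):
    """The tempting implementation: hand the size field to int(x, 16).
    Accepts every spelling Python's int() does, not just HEXDIG."""
    size, _, _ext = line.partition(b";")
    return int(size, 16)


def chunk_size_strict(line):
    """RFC-shaped parse: only 1*HEXDIG before the optional ';' extension."""
    size, _, _ext = line.partition(b";")
    size = size.rstrip(b" \t")  # BWS before ';' is tolerated (RFC 9112 s7.1.1)
    if not CHUNK_SIZE_RE.fullmatch(size):
        raise InvalidChunkSize(size)
    return int(size, 16)


def accepted_by(parser, line):
    """Return the parsed size, or None if the parser rejected the line."""
    try:
        return parser(line)
    except ValueError:  # InvalidChunkSize is a ValueError; so is int()'s
        return None


# constructed chunk-size lines: spellings a peer might emit so that two
# parsers disagree about the chunk boundary
PROBES = [
    b"1a",        # plain hex: the only form the RFC allows
    b"1A;ext=x",  # upper-case hex with a chunk extension
    b"0x1a",      # '0x' prefix
    b"1_a",       # digit-separating underscore (int() accepts since 3.6)
    b"+1a",       # explicit sign
    b"-1a",       # negative size: a parser taking this has no sane meaning
    b" 1a",       # leading whitespace
]


def compare():
    """Map each probe to (lenient result, strict result)."""
    return {p: (accepted_by(chunk_size_lenient, p),
                accepted_by(chunk_size_strict, p)) for p in PROBES}


if __name__ == "__main__":
    for probe, (lenient, strict) in compare().items():
        print("%-12r lenient=%-5r strict=%r" % (probe, lenient, strict))
```

Anything a front proxy would parse differently from the back end (a "0x" prefix, a sign, an underscore) is exactly what a desync attack is built from, so the strict parser rejects every probe except the two RFC-shaped ones.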

0003-Disallow-empty-header-names.patch

gunicorn/http/message.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 disallow empty header names.


0004-RFC-compliant-request-line-and-header-parsing.patch

gunicorn/http/message.py | 33 16 + 17 - 0 !
gunicorn/http/wsgi.py | 23 13 + 10 - 0 !
tests/requests/invalid/003.http | 4 2 + 2 - 0 !
tests/requests/invalid/003.py | 4 2 + 2 - 0 !
tests/requests/valid/016.py | 64 32 + 32 - 0 !
tests/requests/valid/031.http | 2 2 + 0 - 0 !
tests/requests/valid/031.py | 7 7 + 0 - 0 !
7 files changed, 74 insertions(+), 63 deletions(-)

 rfc compliant request line and header parsing

- Unify HEADER_RE and METH_RE
- Replace CRLF with SP during obs-fold processing (See RFC 9112 Section 5.2, last paragraph)
- Stop stripping header names.
- Remove HTAB in OWS in header values that use obs-fold (See RFC 9112 Section 5.2, last paragraph)
- Use fullmatch instead of search, which has problems with empty strings. (See GHSA-68xg-gqqm-vgj8)
- Split proxy protocol line on space only. (See proxy protocol Section 2.1, bullet 3)
- Use fullmatch for method and version (Thank you to Paul Dorn for noticing this.)
- Replace calls to str.strip() with str.strip(' \t')
- Split request line on SP only.

Co-authored-by: Paul Dorn <pajod@users.noreply.github.com>
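The request-line and header rules listed above, together with patch 0003's empty-header-name point, as an added example written for this page (not gunicorn's http/message.py; the regexes, function names and probe inputs are this example's assumptions). It shows why .search() on a character blocklist accepts an empty name, why .match() accepts "GET\x00", what str.strip() removes that str.strip(' \t') does not, and how obs-fold continuation lines are joined with a single SP.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"              # RFC 9110 s5.6.2
METHOD_RE = re.compile(TOKEN)
HEADER_NAME_RE = re.compile(TOKEN)
TARGET_RE = re.compile(r"[\x21-\x7e]+")              # printable ASCII, no SP
VERSION_RE = re.compile(r"HTTP/([0-9])\.([0-9])")    # RFC 9112 s2.3
# field-value: VCHAR / obs-text, separated by SP / HTAB; no other CTLs
HEADER_VALUE_RE = re.compile(r"[ \t\x21-\x7e\x80-\xff]*")
# the pre-fix style: a blocklist of characters, applied with .search()
LEGACY_BAD_NAME_CHAR_RE = re.compile(r'[\x00-\x1F\x7F()<>@,;:\[\]={} \t\\"]')


class InvalidRequest(ValueError):
    pass


def parse_request_line(line):
    """'GET /path HTTP/1.1' -> ('GET', '/path', (1, 1))."""
    # SP only: str.split() would also split on \t, \x0b, \x0c, \x1c-\x1f
    parts = line.split(" ")
    if len(parts) != 3 or not all(parts):
        raise InvalidRequest("request line is not 'method SP target SP version'")
    method, target, version = parts
    if not METHOD_RE.fullmatch(method):   # .match() would accept 'GET\x00'
        raise InvalidRequest("bad method %r" % method)
    if not TARGET_RE.fullmatch(target):
        raise InvalidRequest("bad target %r" % target)
    m = VERSION_RE.fullmatch(version)
    if not m:
        raise InvalidRequest("bad version %r" % version)
    return method, target, (int(m.group(1)), int(m.group(2)))


def parse_header_line(line):
    """'Name: value' -> (name, value) with RFC-shaped validation."""
    name, sep, value = line.partition(":")
    if not sep:
        raise InvalidRequest("no ':' in header line")
    if not HEADER_NAME_RE.fullmatch(name):   # rejects '' and 'Host ' alike
        raise InvalidRequest("bad header name %r" % name)
    # not .strip(): on str that also eats \x0b, \x0c, \x1c-\x1f, \x85, \xa0
    value = value.strip(" \t")
    if not HEADER_VALUE_RE.fullmatch(value):
        raise InvalidRequest("bad header value %r" % value)
    return name, value


def unfold(lines):
    """Join obs-fold continuations: each CRLF + leading OWS becomes one SP
    (RFC 9112 s5.2), so the HTAB never reaches the application."""
    out = []
    for line in lines:
        if line[:1] in (" ", "\t"):
            if not out:
                raise InvalidRequest("continuation line before any header")
            out[-1] = out[-1] + " " + line.lstrip(" \t")
        else:
            out.append(line)
    return out


def legacy_name_ok(name):
    """How a blocklist regex used with .search() judges a header name."""
    return LEGACY_BAD_NAME_CHAR_RE.search(name) is None


def legacy_method_ok(method):
    """How an anchored-at-start .match() judges a method."""
    return METHOD_RE.match(method) is not None


def rejects_request_line(line):
    try:
        parse_request_line(line)
    except InvalidRequest:
        return True
    return False


def rejects_header_line(line):
    try:
        parse_header_line(line)
    except InvalidRequest:
        return True
    return False


if __name__ == "__main__":
    # constructed probes, one per rule from the commit message
    for probe in ["GET /a HTTP/1.1", "GET /a\tHTTP/1.1", "GET\x00 /a HTTP/1.1"]:
        print(repr(probe), "rejected" if rejects_request_line(probe) else "accepted")
    for probe in [": x", "Host : x", "X: a\x0c", "X-Raw:\tcaf\xe9  "]:
        print(repr(probe), "rejected" if rejects_header_line(probe) else "accepted")
    print(unfold(["X-A: one", "\t two", "Host: h"]))
```

The two "legacy_" helpers are there for contrast only: a blocklist searched for bad characters has nothing to object to in an empty string, and .match() stops being interested after the first three letters of "GET\x00", which is how a name or method that another parser would reject sails through.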

0005-pytest-raise-on-malformed-test-fixtures.patch

tests/treq.py | 15 11 + 4 - 0 !
1 file changed, 11 insertions(+), 4 deletions(-)

 pytest: raise on malformed test fixtures

and unbreak test depending on backslash escape