Skip to content

refuse HTTP method CONNECT #3367

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

refuse HTTP method CONNECT #3367

wants to merge 1 commit into from
+20 −0

Conversation

@pajod
Copy link
Contributor

@pajod pajod commented Mar 20, 2025
edited
Loading

Semantics of the CONNECT method are not implemented, and URL parser does not enforce the syntactical requirement for the request-target to include the port. Refuse all such requests to shut down attempts at exploiting this parser difference. Note that the refusal happens prior to the (dangerous) cfg.casefold_http_method compatibility switch, so this really only applies to upper case CONNECT.
@pajod
refuse HTTP method CONNECT
d279424 
Semantics not implemented, and URL parser does not enforce the
syntactical requirement for the request-target to include the port.
@pajod pajod moved this to Awaiting: 1st review in @pajod Gunicorn issue sorting table Mar 21, 2025
@pajod pajod moved this from Awaiting: 1st review to Security in @pajod Gunicorn issue sorting table Mar 21, 2025
@pajod pajod mentioned this pull request Apr 8, 2025
Open
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

1 participant

@pajod