-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Gunicorn ignores the Content-Length
header when the connection is half-closed.
#3234
Comments
Body is streamed to the application. There is no reason to pass even incomplete header to the appplication. Otherwise that would force the gateway to buffer the whole body which is properly inneficient. The application beg-hind must take care of an incomplete body as a result. What do I miss there? |
I don't know what you're trying to say here.
Obviously, the gateway shouldn't buffer the whole request. No one is suggesting that.
This just doesn't make sense. The application behind must not respond to the request until it is complete. If the connection is half-closed before the request is complete, then the application should close the connection. What it should not do is pretend that the message is complete. If you're curious, this is what other HTTP servers do: Close the connection without responding:
Close the connection and respond 400:
|
One existing test case even has what should be treated as truncated: gunicorn/tests/requests/valid/099.http Line 10 in 2d7eb3d
|
Contrary to some other wsgi implementations, the body is fully streamed to the application when it comes. That's per design and reduce the memory footprint. I would expect that the application validate the payload it received via the gateway before handling any action. This includes to check if its partial or not. However can you clarify what you mean by half closed? I don't see how a content can be returned if the socket is closed. |
No one is asking for Gunicorn to buffer the body for the application. This is entirely unrelated to what I'm talking about. As usual, it feels like we're talking past each other :)
When the Content-Length is too large for the received data, Gunicorn should treat the request as invalid, respond 400, and close the connection. It doesn't currently do this.
A TCP connection is half-closed when one side has sent a FIN and the other side hasn't. The relevant section of the TCP RFC. |
what do you mean by "the Content-Length is too large for the received data" ? I am expectinv that the connection is closed by Gunicorn if it continue to receive some data passed the content length. If it's not the case this is a bug indeed. Is this what you mean? |
I mean the opposite of this. Consider the example request from the first message. The |
I don't see how this could work . At that time we already passed some information to the application in the start_response handler 'gunicorn doesn't buffer). The application need to be aware we are closing this. Which is not planned with current expectation. Instead I would expect the application is taking care about what it read, not the gateway witch is only passing the data through to the application. |
Description of the bug
From RFC 9112:
Gunicorn does not enforce this rule. When it receives a request, and the sender half-closes the connection, Gunicorn responds regardless of whether the request's body has been fully received.
To reproduce
Gunicorn version: 22.0.0
Python version: 3.11.9
The text was updated successfully, but these errors were encountered: