Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Preview: bugfix release v22.1.0 #2

Closed
wants to merge 34 commits into from
Closed

Preview: bugfix release v22.1.0 #2

wants to merge 34 commits into from

Conversation

pajod
Copy link
Owner

@pajod pajod commented Jul 31, 2024

The following PRs merge fine. I recommend these go into a 22.1.0 bugfix release.

OUTSTANDING PROBLEM: 3210 need rebase, it was meant to be used on top of 3127 initially, right now git merges it fine but the code is inappropriate.

Please do not actually octopus merge though, sequential merges produce clearer output in common git tools. Created using this script:

#!/bin/sh
# assuming .git/config fetches pull requests from GitHub, e.g:
# [remote "benoitc"]
#         url = https://github.com/benoitc/gunicorn.git
#         fetch = +refs/heads/*:refs/remotes/benoitc/*
#         fetch = +refs/pull/*/head:refs/remotes/benoitc/pr/*
set -e
echo "preparing branch"
git checkout -B integration-v22.1.0 benoitc/master
git reset --hard benoitc/master
echo "octopus merge"
git merge --verbose --no-edit benoitc/pr/3217 benoitc/pr/3110 benoitc/pr/3157 \
 benoitc/pr/3192 benoitc/pr/3210 benoitc/pr/3253 benoitc/pr/3254 benoitc/pr/3255 \
 benoitc/pr/3257 benoitc/pr/3258
echo "version commit"
sed -i -e 's/22, 0, 0/22, 1, 0/' gunicorn/__init__.py
git commit -m "bump version 22.1.0" -- gunicorn/__init__.py
echo "building"
pip install -U build
python -m build
echo "searching for expected file in sdist"
tar -tf dist/gunicorn-22.1.0.tar.gz  | grep -m 1 gunicorn/__main__.py
echo "searching for unexpected file in sdist"
tar -tf dist/gunicorn-22.1.0.tar.gz  | grep -m 1 docs/build || echo 'none found (good!)'
echo "done"

sylt and others added 30 commits July 3, 2024 23:33
The main purpose is to remove complexity from gthread by:

* Removing the lock for handling self._keep and self.poller. This is
  possible since we now do all such manipulation on the main thread
  instead. When a connection is done, it posts a callback through the
  PollableMethodCaller which gets executed on the main thread.

* Having a single event queue (self.poller), as opposed to also
  managing a set of futures. This fixes benoitc#3146 (although there are
  more minimal ways of doing it).

There are other more minor things as well:

* Renaming some variables, e.g. self._keep to self.keepalived_conns.
* Remove self-explanatory comments (what the code does, not why).
* Just decide that socket is blocking.
* Use time.monotonic() for timeouts in gthread.

Some complexity has been added to the shutdown sequence, but hopefully
for good reason: it's to make sure that all already accepted
connections are served within the grace period.
New parser rule: refuse HTTP requests where a header field value
contains characters that
a) should never appear there in the first place,
b) might have lead to incorrect treatment in a proxy in front, and
c) might lead to unintended behaviour in applications.

From RFC 9110 section 5.5:
"Field values containing CR, LF, or NUL characters are invalid and
dangerous, due to the varying ways that implementations might parse
and interpret those characters; a recipient of CR, LF, or NUL within
a field value MUST either reject the message or replace each of those
characters with SP before further processing or forwarding of that
message."
Strip whitespace also *after* header field value.

Intoduce a default-off option to simply refuse obsolete
header folding. While we are at it, explicitly handle recently
introduced http error classes with intended status code.
A single slash is valid, but nothing at all can be safely refused.

Python stdlib explicitly tells us it will not perform validation.
https://docs.python.org/3/library/urllib.parse.html#url-parsing-security
There are *four* `request-target` forms in rfc9112, none of them can be empty.
just to ease static code analysis, no functional change intended
alternate spelling _build covers new defaults of regenerated sphinx Makefile
Pylint 3.0 is the first version to officially support Python 12
Debian buster EoL since 2022-09-10
pajod added 4 commits July 31, 2024 18:32
Treat it the same as invalid characters where size should be.
…'benoitc/pr/3157', 'benoitc/pr/3192', 'benoitc/pr/3210', 'benoitc/pr/3253', 'benoitc/pr/3254', 'benoitc/pr/3255', 'benoitc/pr/3257' and 'benoitc/pr/3258' into integration-v22.1.0
@pajod pajod force-pushed the integration-v22.1.0 branch from d5f6c9e to 2443d33 Compare July 31, 2024 17:23
@pajod pajod closed this Aug 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants