New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Send HTTP 400 response for invalid request #205
Send HTTP 400 response for invalid request #205
Conversation
Temporarily pull uvicorn from the forked repository https://github.com/markbreedlove/uvicorn.git, which contains a bugfix for bad requests with invalid URLs. See encode/uvicorn#205 ... This change can be reverted when that PR is merged and a new release of uvicorn comes out with the fix.
Great work, thanks! Before we decide on behaviour here I’d like to have a better idea of existing implementation behaviours. Any of the following would be really useful to know:
|
Hi, Tom, I've been running
I'm running in AWS Elastic Beanstalk in production. The application is Dockerized and reverse-proxied with Here's a sample line from
Here's the corresponding
Here's what
The request did not make it past |
Sorry I wasn’t clear. I meant what response do we get running just regular gunicorn and a plain old hello world wsgi app. That’d be a really useful point of comparison. (Node’s behaviour would be interesting too) |
Aha, of course, makes sense. Here's what I observe with gunicorn 19.9.0 and the "hello world" app at https://gunicorn.org.
... other terminal ...
I'll check Node.js a bit later -- looks like tomorrow morning at this point ... |
Actually, this is easy enough in Node and I can do it now rather than later. I'm using this Hello World from https://nodejs.org/en/about/ ...
... in another terminal ...
So Node just closes the connection, whereas gunicorn responds with a 400. I'm using Node v8.11.3. |
09577e1
to
0c84898
Compare
Given an invalid request, respond with an HTTP 400 error instead of closing the connection without a response.
0c84898
to
8aa7bea
Compare
Okay, I like this, yup. Looks like there's a test failure for us to dig into. |
This could possibly be related to #344 |
I'm interested on this. How Hypercorn deals with it: https://gitlab.com/pgjones/hypercorn/-/blob/main/src/hypercorn/protocol/h11.py#L147-153 |
@markbreedlove Sorry for taking so long. Would you mind rebasing it? |
closed by #1352 |
Given an invalid request, respond with an HTTP 400 error instead of closing the connection without a response.
Before this change, a request with invalid characters would result in the HTTP connection being dropped, as in this example:
Such a request should result in an HTTP 400 (Bad Request).
With a reverse-proxied application, this would typically be presented to the user as a 502 (Bad Gateway) error.