.github/workflows/lint.yml

@@ -7,22 +7,45 @@ env:
   FORCE_COLOR: 1
 jobs:
   lint:
-    name: tox-${{ matrix.toxenv }}
+    name: ${{ matrix.python-version }} / tox-${{ matrix.toxenv || '(other)' }}
+    timeout-minutes: 10
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
         toxenv: [lint, docs-lint, pycodestyle]
         python-version: [ "3.10" ]
+        include:
+          # for actions that want git env, not tox env
+          - toxenv: null
+            python-version: "3.10"
     steps:
       - uses: actions/checkout@v4
       - name: Using Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
           cache: pip
-      - name: Install Dependencies
+      - name: Install Dependencies (tox)
+        if: ${{ matrix.toxenv }}
         run: |
           python -m pip install --upgrade pip
           python -m pip install tox
       - run: tox -e ${{ matrix.toxenv }}
+        if: ${{ matrix.toxenv }}
+      - name: Install Dependencies (non-toxic)
+        if: ${{ ! matrix.toxenv }}
+        run: |
+          python -m pip install sphinx
+      - name: "Update docs"
+        if: ${{ ! matrix.toxenv }}
+        run: |
+          # this will update docs/source/settings.rst - but will not create html output
+          (cd docs && sphinx-build -b "dummy" -d _build/doctrees source "_build/dummy")
+          if unclean=$(git status --untracked-files=no --porcelain) && [ -z "$unclean" ]; then
+            echo "no uncommitted changes in working tree (as it should be)"
+          else
+            echo "did you forget to run `make -C docs html`?"
+            echo "$unclean"
+            exit 2
+          fi

.github/workflows/tox.yml

@@ -14,7 +14,12 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest] # All OSes pass except Windows because tests need Unix-only fcntl, grp, pwd, etc.
+        unsupported: [false]
+        os:
+         - ubuntu-latest
+         # not defaulting to macos-latest: Python <= 3.9 was missing from macos-14 @ arm64
+         - macos-13
+         # Not testing Windows, because tests need Unix-only fcntl, grp, pwd, etc.
         python-version:
          # CPython <= 3.7 is EoL since 2023-06-27
          - "3.7"
@@ -26,6 +31,19 @@ jobs:
          # PyPy <= 3.8 is EoL since 2023-06-16
          - "pypy-3.9"
          - "pypy-3.10"
+        include:
+         # Note: potentially "universal2" release
+         # https://github.com/actions/runner-images/issues/9741
+         - os: macos-latest
+           python-version: "3.12"
+           unsupported: false
+         # will run these without showing red CI results should they fail
+         - os: macos-latest
+           python-version: "3.13"
+           unsupported: true
+         - os: ubuntu-latest
+           python-version: "3.13"
+           unsupported: true
     steps:
       - uses: actions/checkout@v4
       - name: Using Python ${{ matrix.python-version }}
@@ -35,10 +53,14 @@ jobs:
           cache: pip
           cache-dependency-path: requirements_test.txt
           check-latest: true
+          allow-prereleases: ${{ matrix.unsupported }}
       - name: Install Dependencies
         run: |
           python -m pip install --upgrade pip
           python -m pip install tox
       - run: tox -e run-module
+        continue-on-error: ${{ matrix.unsupported }}
       - run: tox -e run-entrypoint
+        continue-on-error: ${{ matrix.unsupported }}
       - run: tox -e py
+        continue-on-error: ${{ matrix.unsupported }}

.gitignore

@@ -7,6 +7,7 @@
 .tox
 __pycache__
 build
+docs/_build
 coverage.xml
 dist
 examples/frameworks/django/testing/testdb.sql

LICENSE

@@ -1,4 +1,4 @@
-2009-2023 (c) Benoît Chesneau <benoitc@gunicorn.org>
+2009-2024 (c) Benoît Chesneau <benoitc@gunicorn.org>
 2009-2015 (c) Paul J. Davis <paul.joseph.davis@gmail.com>
 
 Permission is hereby granted, free of charge, to any person

MANIFEST.in

@@ -10,4 +10,6 @@ recursive-include examples *
 recursive-include docs *
 recursive-include examples/frameworks *
 recursive-exclude * __pycache__
+recursive-exclude docs/build *
+recursive-exclude docs/_build *
 recursive-exclude * *.py[co]

NOTICE

@@ -1,6 +1,6 @@
 Gunicorn
 
-2009-2023 (c) Benoît Chesneau <benoitc@gunicorn.org>
+2009-2024 (c) Benoît Chesneau <benoitc@gunicorn.org>
 2009-2015 (c) Paul J. Davis <paul.joseph.davis@gmail.com>
 
 Gunicorn is released under the MIT license. See the LICENSE

SECURITY.md

@@ -4,19 +4,27 @@
 
 **Please note that public Github issues are open for everyone to see!**
 
-If you believe you are found a problem in Gunicorn software, examples or documentation, we encourage you to send your report privately via [email](mailto:security@gunicorn.org?subject=Security%20issue%20in%20Gunicorn), or via Github using the *Report a vulnerability* button in the [Security](https://github.com/benoitc/gunicorn/security) section.
+If you believe you are found a problem in Gunicorn software, examples or documentation, we encourage you to send your
+ report privately via [email](mailto:security@gunicorn.org?subject=Security%20issue%20in%20Gunicorn), or via Github
+ using the *Report a vulnerability* button in the [Security](https://github.com/benoitc/gunicorn/security) section.
 
 ## Supported Releases
 
 At this time, **only the latest release** receives any security attention whatsoever.
 
+Please target reports against :white_check_mark: or current master. Please understand that :x: will
+ not receive further security attention.
+
 | Version | Status          |
 | ------- | ------------------ |
-| latest release  | :white_check_mark: |
+| 23.0.0  | :white_check_mark: |
+| 22.0.0  | :x: |
 | 21.2.0  | :x: |
 | 20.0.0  | :x: |
 | < 20.0  | :x: |
 
 ## Python Versions
 
-Gunicorn runs on Python 3.7+, we *highly recommend* the latest release of a [supported series](https://devguide.python.org/versions/) and will not prioritize issues exclusively affecting in EoL environments.
+Gunicorn runs on Python 3.7+, we *highly recommend* the latest release of a 
+[supported series](https://devguide.python.org/versions/) and will not prioritize issues exclusively 
+affecting in EoL environments.

docs/Makefile

@@ -1,5 +1,7 @@
 # Makefile for Sphinx documentation
 #
+# if you want to compare this file to current sphinx defaults, recreate it:
+# BUILDDIR=build sphinx-quickstart --sep --extensions=gunicorn_ext --templatedir=_templates --makefile --batchfile --no-use-make-mode --master=index
 
 # You can set these variables from the command line.
 PYTHON        = python

docs/README.rst

@@ -6,8 +6,8 @@ Requirements
 
 To generate documentation you need to install:
 
- - Python >= 3.4
- - Sphinx (http://sphinx-doc.org/)
+ - Python >= 3.7
+ - Sphinx (https://www.sphinx-doc.org/)
 
 
 Generate html

docs/site/index.html

@@ -16,7 +16,7 @@
     <div class="logo-div">
       <div class="latest">
         Latest version: <strong><a
-            href="https://docs.gunicorn.org/en/stable/">22.0.0</a></strong>
+            href="https://docs.gunicorn.org/en/stable/">23.0.0</a></strong>
       </div>
 
       <div class="logo"><img src="images/logo.jpg" ></div>

docs/source/2023-news.rst

@@ -11,6 +11,11 @@ Changelog - 2023
 
 This is fixing the bad file description error.
 
+21.1.0 - 2023-07-18
+===================
+
+- fix thread worker: fix socket removal from the queue
+
 21.0.1 - 2023-07-17
 ===================
 

docs/source/2024-news.rst

@@ -0,0 +1,61 @@
+================
+Changelog - 2024
+================
+
+23.0.0 - 2024-08-10
+===================
+
+- minor docs fixes (:pr:`3217`, :pr:`3089`, :pr:`3167`)
+- worker_class parameter accepts a class (:pr:`3079`)
+- fix deadlock if request terminated during chunked parsing (:pr:`2688`)
+- permit receiving Transfer-Encodings: compress, deflate, gzip (:pr:`3261`)
+- permit Transfer-Encoding headers specifying multiple encodings. note: no parameters, still (:pr:`3261`)
+- sdist generation now explicitly excludes sphinx build folder (:pr:`3257`)
+- decode bytes-typed status (as can be passed by gevent) as utf-8 instead of raising `TypeError` (:pr:`2336`)
+- raise correct Exception when encounting invalid chunked requests (:pr:`3258`)
+- the SCRIPT_NAME and PATH_INFO headers, when received from allowed forwarders, are no longer restricted for containing an underscore (:pr:`3192`)
+- include IPv6 loopback address ``[::1]`` in default for :ref:`forwarded-allow-ips` and :ref:`proxy-allow-ips` (:pr:`3192`)
+
+** NOTE **
+
+- The SCRIPT_NAME change mitigates a regression that appeared first in the 22.0.0 release
+- Review your :ref:`forwarded-allow-ips` setting if you are still not seeing the SCRIPT_NAME transmitted
+- Review your :ref:`forwarder-headers` setting if you are missing headers after upgrading from a version prior to 22.0.0
+
+** Breaking changes **
+
+- refuse requests where the uri field is empty (:pr:`3255`)
+- refuse requests with invalid CR/LR/NUL in heade field values (:pr:`3253`)
+- remove temporary ``--tolerate-dangerous-framing`` switch from 22.0 (:pr:`3260`)
+- If any of the breaking changes affect you, be aware that now refused requests can post a security problem, especially so in setups involving request pipe-lining and/or proxies.
+
+22.0.0 - 2024-04-17
+===================
+
+- use `utime` to notify workers liveness 
+- migrate setup to pyproject.toml
+- fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
+- parsing additional requests is no longer attempted past unsupported request framing
+- on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
+- requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
+- Trailer fields are no longer inspected for headers indicating secure scheme
+- support Python 3.12
+
+** Breaking changes **
+
+- minimum version is Python 3.7
+- the limitations on valid characters in the HTTP method have been bounded to Internet Standards
+- requests specifying unsupported transfer coding (order) are refused by default (rare)
+- HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
+- HTTP methods containing the number sign (#) are no longer accepted by default (rare)
+- HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
+- HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
+- HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
+- HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
+- requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
+- empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)
+
+
+** SECURITY **
+
+- fix CVE-2024-1135

docs/source/conf.py

@@ -1,4 +1,3 @@
-# -*- coding: utf-8 -*-
 #
 # Gunicorn documentation build configuration file
 #

docs/source/custom.rst

@@ -16,6 +16,25 @@ a custom Application:
     :start-after: # See the NOTICE for more information
     :lines: 2-
 
+Using server hooks
+------------------
+
+If you wish to include server hooks in your custom application, you can specify a function in the config options.  Here is an example with the `pre_fork` hook:
+
+.. code-block:: python
+
+   def pre_fork(server, worker):
+       print(f"pre-fork server {server} worker {worker}", file=sys.stderr)
+
+   # ...
+   if __name__ == '__main__':
+       options = {
+           'bind': '%s:%s' % ('127.0.0.1', '8080'),
+           'workers': number_of_workers(),
+           'pre_fork': pre_fork,
+       }
+
+
 Direct Usage of Existing WSGI Apps
 ----------------------------------
 

docs/source/deploy.rst

@@ -246,20 +246,23 @@ to the newly created unix socket:
     After=network.target
 
     [Service]
+    # gunicorn can let systemd know when it is ready
     Type=notify
+    NotifyAccess=main
     # the specific user that our service will run as
     User=someuser
     Group=someuser
-    # another option for an even more restricted service is
-    # DynamicUser=yes
-    # see http://0pointer.net/blog/dynamic-users-with-systemd.html
+    # this user can be transiently created by systemd
+    # DynamicUser=true
     RuntimeDirectory=gunicorn
     WorkingDirectory=/home/someuser/applicationroot
     ExecStart=/usr/bin/gunicorn applicationname.wsgi
     ExecReload=/bin/kill -s HUP $MAINPID
     KillMode=mixed
     TimeoutStopSec=5
     PrivateTmp=true
+    # if your app does not need administrative capabilities, let systemd know
+    # ProtectSystem=strict
 
     [Install]
     WantedBy=multi-user.target
@@ -272,11 +275,12 @@ to the newly created unix socket:
     [Socket]
     ListenStream=/run/gunicorn.sock
     # Our service won't need permissions for the socket, since it
-    # inherits the file descriptor by socket activation
-    # only the nginx daemon will need access to the socket
+    # inherits the file descriptor by socket activation.
+    # Only the nginx daemon will need access to the socket:
     SocketUser=www-data
-    # Optionally restrict the socket permissions even more.
-    # SocketMode=600
+    SocketGroup=www-data
+    # Once the user/group is correct, restrict the permissions:
+    SocketMode=0660
 
     [Install]
     WantedBy=sockets.target

docs/source/design.rst

@@ -75,10 +75,7 @@ WSGI application, this is not a recommended configuration.
 AsyncIO Workers
 ---------------
 
-These workers are compatible with Python 3.
-
-You can port also your application to use aiohttp_'s ``web.Application`` API and use the
-``aiohttp.worker.GunicornWebWorker`` worker.
+Third-party workers can be usedd to use Gunicorn with asyncio frameworks. 
 
 Choosing a Worker Type
 ======================

docs/source/faq.rst

@@ -11,8 +11,14 @@ How do I set SCRIPT_NAME?
 -------------------------
 
 By default ``SCRIPT_NAME`` is an empty string. The value could be set by
-setting ``SCRIPT_NAME`` in the environment or as an HTTP header.
+setting ``SCRIPT_NAME`` in the environment or as an HTTP header. Note that
+this headers contains and underscore, so it is only accepted from trusted
+forwarders listed in the :ref:`forwarded-allow-ips` setting.
 
+.. note::
+
+   If your application should appear in a subfolder, your ``SCRIPT_NAME``
+   would typically start with single slash but contain no trailing slash.
 
 Server Stuff
 ============