stop pretending to support gzip *request* transfer-encoding #3368
Open
pajod wants to merge 1 commit into
* https://peps.python.org/pep-3333/#other-http-features "WSGI servers must handle any supported inbound “hop-by-hop” headers on their own, such as by decoding any inbound Transfer-Encoding, including chunked encoding if applicable."
* https://datatracker.ietf.org/doc/html/rfc9110#section-7.6.1 "intermediaries SHOULD remove or replace fields that are known to require removal before forwarding"
* partial revert: 555d2fa
This was referenced Mar 21, 2026
Gunicorn does not decode a compressed body, so forwarding the header to the application without offering a robust method of failing safe or working against different server versions can only lead to a mess. A small mess, because nobody is using this. Yet an important one, because almost everyone using this is trying to exploit a flaw in a proxy setup.
This PR undoes (or restarts the conversation about) the part of #3260 that I do not understand.
If Gunicorn does not fully handle a hop-by-hop header, and leaves the WSGI application in no place to figure out what is left to do, it should not partially handle it.
https://peps.python.org/pep-3333/#other-http-features
https://datatracker.ietf.org/doc/html/rfc9110#section-7.6.1
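
One way an application can fail safe behind a server that forwards `Transfer-Encoding` without decoding it, as an added example (not code from this PR or from Gunicorn): a WSGI middleware that answers 501 when a request lists any transfer coding other than `chunked`, and hides the hop-by-hop header from the application otherwise. It assumes the server exposes the header as `HTTP_TRANSFER_ENCODING` and has already removed chunked framing; the class and function names are hypothetical.

```python
# Added example: fail-safe WSGI middleware. Not Gunicorn code.
# Assumption: the server in front has already removed chunked framing,
# so "chunked" is the only transfer coding the body can still claim.
DECODED_BY_SERVER = {"chunked"}


def parse_transfer_codings(value):
    """Split a Transfer-Encoding field value into lowercase coding names."""
    codings = []
    for item in value.split(","):
        name = item.split(";", 1)[0].strip().lower()  # drop coding parameters
        if name:
            codings.append(name)
    return codings


class RejectUndecodedTransferCodings:
    """Refuse bodies whose transfer coding nobody has decoded (hypothetical name)."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        raw = environ.get("HTTP_TRANSFER_ENCODING", "")
        undecoded = [c for c in parse_transfer_codings(raw)
                     if c not in DECODED_BY_SERVER]
        if undecoded:
            # RFC 9112 section 6.1: an unknown transfer coding SHOULD get a 501.
            body = b"unsupported transfer coding\n"
            start_response("501 Not Implemented", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        # Hop-by-hop header already handled by the server: hide it from the app.
        environ = dict(environ)
        environ.pop("HTTP_TRANSFER_ENCODING", None)
        return self.app(environ, start_response)
```
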