[REF-2764] dep update 0.5.0 #3245

Merged: 5 commits from masenf/dep-update-0.5.0 into main, May 7, 2024
Conversation

masenf (Collaborator) commented May 7, 2024

- Bump gunicorn dep to 22.0.0
- Relock dependencies for CI testing
- Upgrade pip for docker test to resolve backtracking issue
- Filed #3244 since I couldn't upgrade fastapi

masenf added 2 commits May 7, 2024 09:42
Changelog: https://docs.gunicorn.org/en/stable/news.html#id1

- use utime to notify workers liveness
- migrate setup to pyproject.toml
- fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
  - parsing additional requests is no longer attempted past unsupported request framing
  - on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
  - requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
  - Trailer fields are no longer inspected for headers indicating secure scheme
- support Python 3.12

** Breaking changes **
- minimum version is Python 3.7
- the limitations on valid characters in the HTTP method have been bounded to Internet Standards
- requests specifying unsupported transfer coding (order) are refused by default (rare)
- HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
- HTTP methods containing the number sign (#) are no longer accepted by default (rare)
- HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
- HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
- HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
- HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
- requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
- empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **
- fix CVE-2024-1135
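The request-framing rules listed in the changelog above (conflicting Transfer-Encoding and Content-Length, empty header field names, chunked transfer on HTTP/1.0, strict method and version syntax, empty or unsupported transfer codings) are the kind of checks that close request-smuggling vectors: a front-end proxy and a back-end that disagree on where one request ends and the next begins let an attacker prefix a second request into someone else's connection. The following is an added Python illustration of such checks run over constructed raw request heads; it is not gunicorn's parser and not code from this PR. The function names, the example policy of accepting only a single final `chunked` coding, the `#`-in-method rejection layered on top of the RFC 9110 token grammar, and all sample requests are assumptions made for this example.

```python
import re
from typing import List, Tuple

# RFC 9110 "tchar" set: characters allowed in a token (method names, header
# field names). Example code, not gunicorn's parser.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Exactly one digit on each side of the dot, no prefix or suffix.
VERSION_RE = re.compile(r"^HTTP/(\d)\.(\d)$")

Headers = List[Tuple[str, str]]


class FramingError(ValueError):
    """Raised when a request head is refused instead of parsed."""


def parse_request_head(raw: bytes) -> Tuple[str, str, Tuple[int, int], Headers]:
    """Parse request line and headers; field names are returned lower-cased."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3:
        raise FramingError("malformed request line")
    method, target, version = parts
    # Method must be a token; '#' is a legal tchar but refused by policy.
    if not TOKEN_RE.match(method) or "#" in method:
        raise FramingError(f"invalid method token: {method!r}")
    m = VERSION_RE.match(version)
    if not m:
        raise FramingError(f"invalid HTTP version: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    if major != 1:  # only HTTP/1.x: no 0.9, no 2.0
        raise FramingError(f"unsupported HTTP version: {version}")
    headers: Headers = []
    for line in lines[1:]:
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep:
            raise FramingError(f"header line without colon: {line!r}")
        if name == "":
            raise FramingError("empty header field name")
        if not TOKEN_RE.match(name):
            raise FramingError(f"invalid header field name: {name!r}")
        headers.append((name.lower(), value.strip()))
    return method, target, (major, minor), headers


def check_body_framing(version: Tuple[int, int], headers: Headers) -> Tuple[str, int]:
    """Decide how the body is delimited; refuse ambiguous framings."""
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        # Two length signals: a proxy and this server may pick different ones.
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        if version < (1, 1):
            raise FramingError("chunked transfer coding refused on HTTP/1.0")
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if "" in codings:
            raise FramingError("empty transfer coding")
        if codings != ["chunked"]:  # example policy: sole, final 'chunked' only
            raise FramingError(f"unsupported transfer coding (order): {codings}")
        return "chunked", 0
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise FramingError(f"conflicting or non-numeric Content-Length: {cl}")
        return "content-length", int(cl[0])
    return "none", 0


def check_request(raw: bytes) -> str:
    """Return 'ok:<framing>' or 'refused:<reason>' for one raw request head."""
    try:
        _method, _target, version, headers = parse_request_head(raw)
        kind, _length = check_body_framing(version, headers)
        return f"ok:{kind}"
    except FramingError as exc:
        return f"refused:{exc}"


# Constructed sample requests for the example (not captured traffic).
SAMPLES = {
    "plain": b"GET / HTTP/1.1\r\nHost: app\r\n\r\n",
    "chunked": b"POST /upload HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n",
    "te_and_cl": b"POST / HTTP/1.1\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
    "chunked_http10": b"POST / HTTP/1.0\r\nTransfer-Encoding: chunked\r\n\r\n",
    "empty_name": b"GET / HTTP/1.1\r\n: evil\r\n\r\n",
    "padded_version": b"GET / HTTP/01.1\r\n\r\n",
    "hash_method": b"GE#T / HTTP/1.1\r\n\r\n",
    "empty_coding": b"POST / HTTP/1.1\r\nTransfer-Encoding: chunked, \r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15s} {check_request(raw)}")
```

Refusing outright, rather than picking one of the two length signals, is the point: any rule a server uses to resolve a TE/CL conflict can be played against a proxy that resolves it the other way, so the only safe answer for a message that carries both is to drop it and close the connection. The Trailer-field change from the changelog is out of scope for this example, since the sample requests carry no chunked body.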
picklelo previously approved these changes May 7, 2024
masenf (Collaborator, Author) commented May 7, 2024

Hmm, definitely hitting pre-commit issues with this change... looking into it.

masenf (Collaborator, Author) commented May 7, 2024

Ah okay, we weren't running the linters with pydantic v2 installed prior to this patch.

Retain TYPE_CHECKING guard in v1 fallback to force pyright into pydantic.v1 namespace
masenf force-pushed the masenf/dep-update-0.5.0 branch from 0a864f5 to c714efa on May 7, 2024 19:50
masenf (Collaborator, Author) commented May 7, 2024

@picklelo I think this one is good to go now, after fixing up a few issues with pyright running on pydantic v2.

just waiting for the last few slow CI runs to finish

masenf merged commit ea0f490 into main on May 7, 2024 (46 checks passed)
masenf deleted the masenf/dep-update-0.5.0 branch on May 7, 2024 22:16