Gunicorn incorrectly accepts NUL within URIs

[kenballus]

When Gunicorn receives a request with a null byte in a URI, it does not reject the request. Null bytes are not permitted within request URIs as per the grammar in the RFCs, so requests with null bytes in URIs should be rejected with status 400.

To see this for yourself,

1. Start a simple Gunicorn server that echoes the URI, such as this one:

python3 -m gunicorn --worker-class=gevent --workers=1 --worker-connections=1000 --bind 0.0.0.0:80 server:app

2. Send it a request with a NUL in the URI:

printf 'GET /\x00 HTTP/1.1\r\nHost: whatever\r\n\r\n' \
    | ncat localhost 80 \
    | grep "uri" \
    | jq'.["uri"]' \
    | xargs echo \
    | base64 -d \
    | xxd

3. Observe that Gunicorn considers the NUL to be part of the URI, and does not reject the request:

00000000: 2f00                                     /.

[pajod]

And quotes, and pipe, which should also be received percent-encoded only, but still are. I guess focusing on the high-risk controls first is the way to go here?

Unfortunately, Gunicorn has not had tests for a whole lot rfc3986-ignorant URL-lookalikes, so it is not clear which of the other weird "should have been percent-encoded" or "no, not even if you % it" strings worked for someone before, who will be unhappy about Gunicorn refusing to forward them.