Open Kludex opened 4 days ago
Confirmed. This happened to me.
Turns out gunicorn is parsing the `forwarded_allow_ips` command line option and then putting its values into a list before handing it over to uvicorn's worker as part of the configs. Refer to the `ForwarderHeaders` class in gunicorn's `gunicorn/config.py` file. This class handles the CLI option `--forwarder-headers`, with a validator called `validate_string_to_list`.
This validator puts all the comma-separated values received with the given parameter, i.e. `--forwarder-headers`, into a list.
So basically the check `_TrustedHosts` should have is `trusted_hosts == ["*"]` instead of `trusted_hosts == "*"`. But this would be a completely gunicorn-specific change. So we would have to make sure that this check works fine with both uvicorn as a standalone application and with the gunicorn integration. We can make it one of the following: `trusted_hosts == ["*"] or trusted_hosts == "*"` / `trusted_hosts in (["*"], "*")` / `"*" in trusted_hosts`.
Discussed in https://github.com/encode/uvicorn/discussions/2475
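
The shape mismatch described in the comment above, as an added example that is not uvicorn's or gunicorn's code: the string-only comparison misses the list form, while normalising the setting first handles both. `naive_always_trust` and `TrustedHostsSketch` are hypothetical names, and the addresses are constructed sample values.

```python
import ipaddress


def naive_always_trust(trusted_hosts):
    # The comparison quoted in the comment: matches only the bare string "*".
    return trusted_hosts == "*"


class TrustedHostsSketch:
    """Hypothetical stand-in for a trusted-proxy check (not uvicorn's class)."""

    def __init__(self, trusted_hosts):
        # Accept "a, b" (standalone CLI string) or ["a", "b"] (list form
        # that the comment says gunicorn hands to the worker).
        if isinstance(trusted_hosts, str):
            trusted_hosts = trusted_hosts.split(",")
        entries = [h.strip() for h in trusted_hosts if h.strip()]

        # Wildcard is checked on the normalised list, so "*" and ["*"] agree.
        self.always_trust = "*" in entries
        self.networks = []
        self.literals = set()
        for entry in entries:
            if entry == "*":
                continue
            try:
                # A single address becomes a /32 or /128 network.
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                # Not an IP or CIDR: keep as an exact-match literal.
                self.literals.add(entry)

    def __contains__(self, host):
        if self.always_trust:
            return True
        if not host:
            return False  # no peer address: do not trust forwarded headers
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return host in self.literals
        return any(addr in net for net in self.networks)


if __name__ == "__main__":
    for setting in ("*", ["*"], "10.0.0.0/8, 127.0.0.1"):
        print(repr(setting), naive_always_trust(setting),
              "203.0.113.7" in TrustedHostsSketch(setting))
```

With the wildcard active, forwarded headers are accepted from any peer, so this setting only makes sense when the worker is reachable solely through the proxy.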