
v24 LTS security patch #3165

Merged: ahopkins merged 2 commits into 24.12LTS from v24-security on May 31, 2026


Conversation

@ahopkins (Member) wrote:
  • cleanup CRLF header injection
  • resolve chunked trailer request smuggling
  • limit inspector to public methods
  • reject requests where url_bytes exceeds 65535

Copilot AI review requested due to automatic review settings May 31, 2026 19:10
@ahopkins ahopkins requested review from a team as code owners May 31, 2026 19:10
Copilot AI (Contributor) left a comment:

Pull request overview

Security patch release (24.12.1) for Sanic v24 LTS, bundling four hardening fixes together with a large amount of unrelated string-concatenation/style cleanups across the codebase and emoji guide data.

Changes:

  • Sanitize CR/LF/NUL from response header names and values to prevent CRLF header injection (sanic/response/types.py).
  • Reject any chunked trailer-part on the wire (sanic/http/http1.py) and drop the connection on BadRequest after request, closing a request-smuggling vector; covered by new tests in tests/test_http.py.
  • Restrict the worker Inspector to public bound methods (sanic/worker/inspector.py) and raise NotFound for any other action; tests added.
  • New URITooLong (414) exception; Request.__init__ rejects URLs longer than 65535 bytes to avoid uint16 wrap inside httptools.parse_url (sanic/exceptions.py, sanic/request/types.py).
  • Wide-ranging cosmetic cleanup of implicit string concatenations across tests, guide and Sanic source; version bumped to 24.12.1.

Reviewed changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated no comments.

Summary per file:

  • sanic/version.py: Bump to 24.12.1 for the LTS security release.
  • sanic/exceptions.py: Add URITooLong (HTTP 414) exception.
  • sanic/request/types.py: Reject url_bytes longer than 65535 to avoid httptools uint16 truncation.
  • sanic/response/types.py: Strip \r, \n, \x00 from outgoing header names/values (CRLF injection fix).
  • sanic/http/http1.py: Enforce empty chunked trailer; close connection on BadRequest/PayloadTooLarge to block smuggling.
  • sanic/worker/inspector.py: Only public, bound methods are dispatchable; otherwise raise NotFound.
  • sanic/handlers/error.py, sanic/logging/formatter.py, sanic/mixins/startup.py, sanic/cli/arguments.py, sanic/response/convenience.py: Merge implicit string concatenations; no behavioral change.
  • tests/test_http.py: New tests covering chunked-trailer smuggling and legit pipelining.
  • tests/test_requests.py: New tests for URITooLong and the 65535-byte boundary.
  • tests/worker/test_inspector.py: New tests for rejected non-action attributes/dunder names.
  • tests/test_request.py, tests/test_views.py, tests/test_routes.py, tests/test_headers.py, tests/test_cli.py: Style-only cleanups (string concat, is vs ==).
  • guide/content/en/emoji.py, guide/webapp/display/markdown.py, guide/webapp/display/plugins/tabs.py: Style-only cleanups of implicit string concatenation.

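The first fix in the summary above, CRLF header injection, is easiest to see with a response serializer side by side with the sanitisation the patch describes (stripping \r, \n and \x00 from outgoing header names and values). The code below is an added illustration, not Sanic's own code: serialize_headers, parse_header_block and demo are made-up helpers, and the INJECTED value is a constructed attacker input (a redirect target copied from user data).

```python
"""Added example (not Sanic's code): CRLF header injection and the strip-based fix.

Assumed, illustrative names: serialize_headers, parse_header_block, demo.
"""

# str.translate table mapping CR, LF and NUL to None, i.e. delete them.
_STRIP = dict.fromkeys(map(ord, "\r\n\x00"))


def sanitize_header(value: str) -> str:
    """Remove CR, LF and NUL so a value can never terminate its own header line."""
    return value.translate(_STRIP)


def serialize_headers(status: int, headers: dict, sanitize: bool) -> bytes:
    """Serialize a status line plus headers the way an HTTP/1.1 server writes them.

    With sanitize=False a CRLF inside a value splits the line and the remainder
    becomes an attacker-controlled header; with sanitize=True it is stripped.
    """
    lines = [f"HTTP/1.1 {status} OK"]
    for name, value in headers.items():
        if sanitize:
            name, value = sanitize_header(name), sanitize_header(value)
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def parse_header_block(raw: bytes) -> dict:
    """Minimal header parser standing in for the browser or proxy receiving the bytes."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    _status_line, *header_lines = head.decode("latin-1").split("\r\n")
    parsed = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        parsed[name.strip().lower()] = value.strip()
    return parsed


# Constructed attacker input: a "next" URL that smuggles a Set-Cookie header.
INJECTED = "/next\r\nSet-Cookie: session=attacker; Path=/"


def demo(sanitize: bool) -> dict:
    """Headers the receiver sees for a redirect whose Location came from INJECTED."""
    raw = serialize_headers(302, {"Location": INJECTED, "Content-Length": "0"}, sanitize)
    return parse_header_block(raw)


if __name__ == "__main__":
    print("vulnerable:", demo(False))
    print("hardened:  ", demo(True))
```

Note the design choice the patch makes: stripping keeps the response flowing but leaves a mangled Location value (the attacker's text is glued onto the path). That closes the injection; if a value containing CR/LF is always a bug in the calling code, raising instead of stripping surfaces it sooner, but either choice stops the header split.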
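The two request-side checks in the summary above (rejecting any chunked trailer-part, and rejecting a request target longer than 65535 bytes before it reaches a parser with 16-bit offset fields) can be shown together in one small HTTP/1.1 request reader. This is an added example and not Sanic's http1.py or request/types.py: the parse_request, read_chunked, read_all and check functions and the BadRequest/URITooLong classes are illustrative stand-ins, and the PIPELINED, SMUGGLED and long-target byte strings are constructed samples.

```python
"""Added example (not Sanic's code): request-target length check and chunked-trailer rejection.

Illustrative names: parse_request, read_chunked, read_all, check, BadRequest, URITooLong.
"""

MAX_URL_BYTES = 65535  # the limit the patch applies before url parsing


class BadRequest(Exception):
    status = 400


class URITooLong(Exception):
    status = 414


def read_chunked(data: bytes):
    """Decode a chunked body and return (body, unread_rest).

    RFC 9112 allows the final "0\r\n" to be followed by trailer fields. Front-end
    and back-end parsers can disagree on where those trailer bytes end, which is
    the smuggling vector, so only an empty trailer (an immediate CRLF) is accepted.
    """
    body = bytearray()
    pos = 0
    while True:
        nl = data.find(b"\r\n", pos)
        if nl < 0:
            raise BadRequest("incomplete chunk size line")
        size_field = data[pos:nl].split(b";", 1)[0].strip()  # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise BadRequest("bad chunk size")
        pos = nl + 2
        if size == 0:
            if data[pos:pos + 2] != b"\r\n":
                raise BadRequest("chunked trailer-part not allowed")
            return bytes(body), data[pos + 2:]
        chunk = data[pos:pos + size]
        if len(chunk) < size or data[pos + size:pos + size + 2] != b"\r\n":
            raise BadRequest("truncated chunk")
        body += chunk
        pos += size + 2


def parse_request(buf: bytes):
    """Parse one request from buf; return (method, target, headers, body, rest)."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete header block")
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise BadRequest("malformed request line")
    method, target, _version = parts
    # Length is checked before any URL parsing: per the patch, longer targets
    # would wrap the uint16 fields inside httptools.parse_url instead of failing.
    if len(target) > MAX_URL_BYTES:
        raise URITooLong(f"target is {len(target)} bytes")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body, rest = read_chunked(rest)
    else:
        length = int(headers.get(b"content-length", b"0"))
        body, rest = rest[:length], rest[length:]
    return method, target, headers, body, rest


def read_all(buf: bytes):
    """Drain a buffer request by request, as a pipelined connection would."""
    out = []
    while buf:
        method, target, _headers, body, buf = parse_request(buf)
        out.append((method, target, body))
    return out


def check(buf: bytes) -> int:
    """200 if every request in buf parses, else the status the server would answer with."""
    try:
        read_all(buf)
        return 200
    except (BadRequest, URITooLong) as exc:
        return exc.status


# Constructed sample: legitimate pipelining, a chunked POST followed by a GET.
PIPELINED = (
    b"POST /upload HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
    b"GET /status HTTP/1.1\r\nHost: app\r\n\r\n"
)

# Constructed sample: a trailer field after the last chunk; a parser that skips
# trailers and one that reads them would disagree on where the next request starts.
SMUGGLED = (
    b"POST /upload HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n0\r\nX-Trailer: GET /admin HTTP/1.1\r\n\r\n"
)

# Constructed samples for the length boundary: 65536-byte target vs exactly 65535.
LONG_TARGET = b"GET /" + b"a" * MAX_URL_BYTES + b" HTTP/1.1\r\nHost: app\r\n\r\n"
BOUNDARY_TARGET = b"GET /" + b"a" * (MAX_URL_BYTES - 1) + b" HTTP/1.1\r\nHost: app\r\n\r\n"
```

The summary also notes that the patched server closes the connection on BadRequest. That matters for this reader too: after a 400 the remaining bytes of the buffer must be discarded, not fed back into parse_request as the "next" request, or the rejected trailer would still be parsed as a pipelined request.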
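The inspector fix ("only public, bound methods are dispatchable; otherwise raise NotFound") is the general problem of dispatching an untrusted action name through getattr. The code below is an added example and not sanic/worker/inspector.py: the Inspector class, its methods, dispatch_unrestricted, dispatch_restricted and outcome are illustrative stand-ins, and it goes slightly beyond the page by also rejecting a bound method that belongs to a different object stored as an attribute.

```python
"""Added example (not Sanic's inspector): restricting getattr-based dispatch to public bound methods.

Illustrative names: Inspector, NotFound, dispatch_unrestricted, dispatch_restricted, outcome.
"""
import inspect


class NotFound(Exception):
    status = 404


class Helper:
    def wipe(self) -> str:
        return "wiped"


class Inspector:
    """Stand-in for a management endpoint mapping an `action` string to a method."""

    def __init__(self):
        self.secret = "not-an-action"      # plain attribute, never an action
        self.callback = Helper().wipe      # bound method of another object, never an action

    def info(self) -> dict:
        return {"workers": 2}

    def reload(self, zero_downtime: bool = False) -> str:
        return f"reload(zero_downtime={zero_downtime})"

    def _drop_all(self) -> str:            # private helper, must not be reachable
        return "dropped"


def dispatch_unrestricted(target, action: str, **kwargs):
    """Naive dispatcher: anything getattr finds and that is callable runs."""
    return getattr(target, action)(**kwargs)


def dispatch_restricted(target, action: str, **kwargs):
    """Only a public name resolving to a method bound to `target` itself is an action."""
    if action.startswith("_"):             # private and dunder names
        raise NotFound(action)
    attr = getattr(target, action, None)
    # ismethod rejects plain attributes and classes; the __self__ check rejects
    # classmethods and bound methods of other objects stored on the instance.
    if not inspect.ismethod(attr) or attr.__self__ is not target:
        raise NotFound(action)
    return attr(**kwargs)


def outcome(action: str, restricted: bool = True, **kwargs):
    """The action's result, or the HTTP status the dispatcher would answer with."""
    insp = Inspector()
    fn = dispatch_restricted if restricted else dispatch_unrestricted
    try:
        return fn(insp, action, **kwargs)
    except NotFound as exc:
        return exc.status
```

The unrestricted variant shows why the patch matters: "__class__" resolves to the class itself, which is callable, so dispatching it constructs a fresh Inspector, and "_drop_all" runs a private method that was never meant to be an API action.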

ahopkins merged commit 47349d6 into 24.12LTS on May 31, 2026 (4 of 22 checks passed)
ahopkins deleted the v24-security branch on May 31, 2026 19:27