Gunicorn does not care much about URI parsing, but it probably should not forward things

• already known to be invalid, and
• not in common use, and
• likely to be misinterpreted by consumers (python stdlib is practical, not pure).

Suggested changes:

• newly reject ASCII controls
  • thereby fixes: Gunicorn incorrectly accepts NUL within URIs #3371
• continue permitting " (quotation mark) and | (vertical line a.k.a pipe)
  • quotes should be %22 on the wire, but we have a test that wants this
  • pipes should be %7C on the wire, but Firefox converts such URL back to literal
• newly reject ASCII <>{}`^\
  • those are never allowed in URIs, but at least {} is used anyway.. in percent-encoded form
  • decision needed, as this is not as obviously confusing URL parsers as NUL bytes are
  • compatibility check for Safari needed, e.g. and watch print(bits[1]) when browsing to

    http://[::1]/a"|<>{}`^\

• continue permitting upper bytes, deferring interpretation to the application
  • context: 003c474 15e901a

Ref:

• https://datatracker.ietf.org/doc/html/rfc9112#section-3.2
• https://datatracker.ietf.org/doc/html/rfc3986#section-2
• https://datatracker.ietf.org/doc/html/rfc3987#section-3.1