author | Bert JW Regeer <bertjw@regeer.org> | 2022-03-16 15:25:23 -0600 |
committer | Bert JW Regeer <bertjw@regeer.org> | 2022-03-16 15:25:23 -0600 |
commit | b28c9e8bda326ff2f87bf8eb7ea6b110ee0ae6fe (patch) | |
tree | 9d072734176f480abc59c06b8b2e03ec1850587d | |
parent | bd22869c143a3f1284f271399524676efbafa655 (diff) | |
download | waitress-b28c9e8bda326ff2f87bf8eb7ea6b110ee0ae6fe.tar.gz |
Prep for 2.1.1
-rw-r--r-- | CHANGES.txt | 26 | ||||
-rw-r--r-- | setup.cfg | 2 |
2 files changed, 27 insertions, 1 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index a1e60fe..eb7093c 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,3 +1,29 @@
+2.1.1
+-----
+
+Security Bugfix
+~~~~~~~~~~~~~~~
+
+- Waitress now validates that chunked encoding extensions are valid, and don't
+ contain invalid characters that are not allowed. They are still skipped/not
+ processed, but if they contain invalid data we no longer continue in and
+ return a 400 Bad Request. This stops potential HTTP desync/HTTP request
+ smuggling. Thanks to Zhang Zeyu for reporting this issue. See
+ https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
+
+- Waitress now validates that the chunk length is only valid hex digits when
+ parsing chunked encoding, and values such as ``0x01`` and ``+01`` are no
+ longer supported. This stops potential HTTP desync/HTTP request smuggling.
+ Thanks to Zhang Zeyu for reporting this issue. See
+ https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
+
+- Waitress now validates that the Content-Length sent by a remote contains only
+ digits in accordance with RFC7230 and will return a 400 Bad Request when the
+ Content-Length header contains invalid data, such as ``+10`` which would
+ previously get parsed as ``10`` and accepted. This stops potential HTTP
+ desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue. See
+ https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
+
 2.1.0
 -----
@@ -1,6 +1,6 @@
 [metadata]
 name = waitress
-version = 2.1.0
+version = 2.1.1
 description = Waitress WSGI server
 long_description = file: README.rst, CHANGES.txt
 long_description_content_type = text/x-rst |