summaryrefslogtreecommitdiff
path: root/CHANGES.txt
diff options
context:
space:
mode:
Diffstat (limited to 'CHANGES.txt')
-rw-r--r--CHANGES.txt106
1 files changed, 6 insertions, 100 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 17ca87e..5ae6166 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,102 +1,8 @@
-2.1.2
------
+3.0.0 (Unreleased)
+------------------
-Bugfix
-~~~~~~
+Updated Defaults
+~~~~~~~~~~~~~~~~
-- When expose_tracebacks is enabled waitress would fail to properly encode
- unicode thereby causing another error during error handling. See
- https://github.com/Pylons/waitress/pull/378
-
-- Header length checking had a calculation that was done incorrectly when the
- data was received across multple socket reads. This calculation has been
- corrected, and no longer will Waitress send back a 413 Request Entity Too
- Large. See https://github.com/Pylons/waitress/pull/376
-
-Security Bugfix
-~~~~~~~~~~~~~~~
-
-- in 2.1.0 a new feature was introduced that allowed the WSGI thread to start
- sending data to the socket. However this introduced a race condition whereby
- a socket may be closed in the sending thread while the main thread is about
- to call select() therey causing the entire application to be taken down.
- Waitress will no longer close the socket in the WSGI thread, instead waking
- up the main thread to cleanup. See https://github.com/Pylons/waitress/pull/377
-
-2.1.1
------
-
-Security Bugfix
-~~~~~~~~~~~~~~~
-
-- Waitress now validates that chunked encoding extensions are valid, and don't
- contain invalid characters that are not allowed. They are still skipped/not
- processed, but if they contain invalid data we no longer continue in and
- return a 400 Bad Request. This stops potential HTTP desync/HTTP request
- smuggling. Thanks to Zhang Zeyu for reporting this issue. See
- https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
-
-- Waitress now validates that the chunk length is only valid hex digits when
- parsing chunked encoding, and values such as ``0x01`` and ``+01`` are no
- longer supported. This stops potential HTTP desync/HTTP request smuggling.
- Thanks to Zhang Zeyu for reporting this issue. See
- https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
-
-- Waitress now validates that the Content-Length sent by a remote contains only
- digits in accordance with RFC7230 and will return a 400 Bad Request when the
- Content-Length header contains invalid data, such as ``+10`` which would
- previously get parsed as ``10`` and accepted. This stops potential HTTP
- desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue. See
- https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
-
-2.1.0
------
-
-Python Version Support
-~~~~~~~~~~~~~~~~~~~~~~
-
-- Python 3.6 is no longer supported by Waitress
-
-- Python 3.10 is fully supported by Waitress
-
-Bugfix
-~~~~~~
-
-- ``wsgi.file_wrapper`` now sets the ``seekable``, ``seek``, and ``tell``
- attributes from the underlying file if the underlying file is seekable. This
- allows WSGI middleware to implement things like range requests for example
-
- See https://github.com/Pylons/waitress/issues/359 and
- https://github.com/Pylons/waitress/pull/363
-
-- In Python 3 ``OSError`` is no longer subscriptable, this caused failures on
- Windows attempting to loop to find an socket that would work for use in the
- trigger.
-
- See https://github.com/Pylons/waitress/pull/361
-
-- Fixed an issue whereby ``BytesIO`` objects were not properly closed, and
- thereby would not get cleaned up until garbage collection would get around to
- it.
-
- This led to potential for random memory spikes/memory issues, see
- https://github.com/Pylons/waitress/pull/358 and
- https://github.com/Pylons/waitress/issues/357 .
-
- With thanks to Florian Schulze for testing/vaidating this fix!
-
-Features
-~~~~~~~~
-
-- When the WSGI app starts sending data to the output buffer, we now attempt to
- send data directly to the socket. This avoids needing to wake up the main
- thread to start sending data. Allowing faster transmission of the first byte.
- See https://github.com/Pylons/waitress/pull/364
-
- With thanks to Michael Merickel for being a great rubber ducky!
-
-- Add REQUEST_URI to the WSGI environment.
-
- REQUEST_URI is similar to ``request_uri`` in nginx. It is a string that
- contains the request path before separating the query string and
- decoding ``%``-escaped characters.
+- clear_untrusted_proxy_headers is set to True by default. See
+ https://github.com/Pylons/waitress/pull/370
View Lorry Controller Status