Commit message  (Author, Age, Files, Lines)
* Version 1.4.0  (Bert JW Regeer, 2019-12-20, 1 file, -1/+1)
    Updating version to version 1.4.0 due to the many changes in this release. If anyone has explicitly pinned 1.3.x they will need to opt in to receive the security fixes, which do come with big changes that may change how Waitress handles HTTP requests.
* Update CHANGES.txt and HISTORY.txt as appropriate  (Bert JW Regeer, 2019-12-20, 2 files, -73/+151)
* Allow end of chunk parser to be resumable  (Bert JW Regeer, 2019-12-19, 2 files, -9/+44)
* Improve validation of Transfer-Encoding  (Bert JW Regeer, 2019-12-19, 3 files, -1/+81)
    Waitress only supports a single Transfer-Encoding and that is chunked. We will read the whole request into a temporary buffer and then remove the header and set the Content-Length.

    However, HTTP desync/HTTP request smuggling attacks could potentially provide multiple Transfer-Encoding headers that would not get appropriately treated by Waitress.

    Waitress now treats the header as potentially containing multiple values, and validates that the last encoding listed is "chunked". At this time Waitress does not support any other encodings, and all other requests will be rejected with a 501 Not Implemented error.
* Upon receiving invalid Content-Length bail  (Bert JW Regeer, 2019-12-19, 2 files, -3/+23)
    Instead of attempting to continue processing the request, we instead raise a ParsingError and return an HTTP Bad Request to the client.

    This also catches the case where two Content-Length headers are sent, and are folded together using HTTP header folding.
* Disallow BWS in header field-names  (Bert JW Regeer, 2019-12-19, 2 files, -0/+16)
    Waitress used to treat:

        Foo : bar

    as a valid header, however https://tools.ietf.org/html/rfc7230#section-3.2 states that this is not valid.
* Properly enforce max_request_header_size  (Bert JW Regeer, 2019-12-19, 1 file, -17/+31)
    Previously this would not be properly enforced if the request was passed to Waitress in one go, and the request headers could be larger than the administrator had allowed.
* Remove support for non CRLF line endings  (Bert JW Regeer, 2019-12-19, 8 files, -303/+408)
    https://tools.ietf.org/html/rfc7230#section-3.5 says that servers MAY implement their parsers to use only the LF as a delimiter between lines, however if the frontend server does NOT do the same you can potentially allow a single HTTP request to be treated differently by the two servers.

    This issue can be used to cause HTTP request smuggling or HTTP desync which may lead to vulnerabilities.

    To increase robustness, Waitress will no longer allow bare LF for HTTP messages/headers and chunked encoding and instead now enforces that the line endings are CRLF.
* Make sure all errors have a code/reason  (Bert JW Regeer, 2019-12-19, 1 file, -0/+4)
    Silences some warnings in my editor, and makes sure if it is subclassed in the future we don't blow up in code somewhere.
* Upon processing errors, set Connection: close header  (Bert JW Regeer, 2019-12-19, 3 files, -28/+26)
    When we start sending out an exception that has happened we want to drop any further pipelined requests that may be waiting. The way we do this is by slamming the connection shut after we send the response to the received request that has errored.

    This avoids potential issues with attempting to parse the rest of the data that is in the TCP/IP connection that may contain invalid data.
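The parsing rules the commits above describe (a Transfer-Encoding list whose last coding must be "chunked" and whose other codings are unsupported, a Content-Length that must be a single run of digits even after header folding, no whitespace before the colon in a field-name, CRLF-only line endings in the header block and in chunked bodies, max_request_header_size applied to the whole block, and Connection: close on every error response) in one runnable form. This is an added example, not Waitress's own code: every name in it (ParsingError, split_header_block, parse_headers, validate_framing, dechunk, parse_request, handle) is this example's own, the 431 status for an oversized header block is this example's choice (the commit names no status), and the sample requests are constructed here.

```python
# Added example, not Waitress's own code: a minimal HTTP/1.1 request parser that
# applies the checks from the commits above. Every name here is this example's
# own, not a Waitress API.
import re

TCHAR_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 7230 token chars
DIGITS_RE = re.compile(rb"[0-9]+")
HEX_RE = re.compile(rb"[0-9A-Fa-f]+")


class ParsingError(Exception):
    """A request we refuse; carries the status code and reason to send back."""

    def __init__(self, code, reason):
        super().__init__("%d %s" % (code, reason))
        self.code, self.reason = code, reason


def split_header_block(data, max_request_header_size):
    """Return (request line, header lines). Only CRLF may delimit lines."""
    end = data.find(b"\r\n\r\n")
    # The limit is checked against the whole block, so it holds even when the
    # entire request arrived in one read. An incomplete block is treated as too
    # large here for brevity; a server would keep reading up to the limit.
    # 431 is this example's choice of status.
    if end == -1 or end + 4 > max_request_header_size:
        raise ParsingError(431, "Request Header Fields Too Large")
    head = data[:end]
    leftover = head.replace(b"\r\n", b"")
    if b"\r" in leftover or b"\n" in leftover:
        raise ParsingError(400, "Bad Request")  # bare CR or bare LF in the block
    lines = head.split(b"\r\n")
    return lines[0], lines[1:]


def parse_headers(lines):
    """Parse 'Name: value' lines. 'Foo : bar' (whitespace before the colon) and
    obs-fold continuation lines fail the token check. Repeated names are joined
    with ', ', so two Content-Length headers become b'5, 5' and are rejected
    by the framing check below."""
    headers = {}
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep or not TCHAR_RE.fullmatch(name):
            raise ParsingError(400, "Bad Request")
        key, value = name.lower(), value.strip(b" \t")
        headers[key] = headers[key] + b", " + value if key in headers else value
    return headers


def validate_framing(headers):
    """Content-Length must be one all-digit value. Transfer-Encoding may list
    several codings, but chunked is the only supported one and it must be the
    last one listed; anything else is answered with 501."""
    cl = headers.get(b"content-length")
    if cl is not None and not DIGITS_RE.fullmatch(cl):
        raise ParsingError(400, "Bad Request")
    te = headers.get(b"transfer-encoding")
    if te is not None:
        codings = [c.strip().lower() for c in te.split(b",")]
        if codings[-1] != b"chunked" or any(c != b"chunked" for c in codings):
            raise ParsingError(501, "Not Implemented")


def dechunk(body):
    """Decode a chunked body, demanding CRLF after every size line and chunk."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            raise ParsingError(400, "Bad Request")
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        if not HEX_RE.fullmatch(size_field):
            raise ParsingError(400, "Bad Request")  # also catches a bare-LF size line
        size, pos = int(size_field, 16), eol + 2
        if size == 0:
            return bytes(out)  # trailers are ignored in this example
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ParsingError(400, "Bad Request")
        out += chunk
        pos += size + 2


def parse_request(data, max_request_header_size=262144):
    """Return (request line, headers, body). A chunked body is decoded and the
    message re-framed with Content-Length, as the Transfer-Encoding commit says."""
    request_line, lines = split_header_block(data, max_request_header_size)
    headers = parse_headers(lines)
    validate_framing(headers)
    body = data[data.find(b"\r\n\r\n") + 4:]
    if b"transfer-encoding" in headers:
        body = dechunk(body)
        del headers[b"transfer-encoding"]
        headers[b"content-length"] = b"%d" % len(body)
    return request_line, headers, body


def handle(data, max_request_header_size=262144):
    """Return (status, response bytes). Every error response carries
    Connection: close so pipelined bytes behind a bad request are never parsed."""
    try:
        parse_request(data, max_request_header_size)  # a server would call the WSGI app here
    except ParsingError as err:
        return err.code, (b"HTTP/1.1 %d %s\r\nContent-Length: 0\r\n"
                          b"Connection: close\r\n\r\n" % (err.code, err.reason.encode()))
    return 200, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


if __name__ == "__main__":
    # Constructed sample requests: one well-formed, the rest smuggling-style.
    for req in (b"POST / HTTP/1.1\r\nHost: h\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
                b"POST / HTTP/1.1\r\nHost: h\r\nTransfer-Encoding: gzip, chunked\r\n\r\n0\r\n\r\n",
                b"POST / HTTP/1.1\r\nContent-Length: 5\r\nContent-Length: 5\r\n\r\nhello",
                b"GET / HTTP/1.1\r\nFoo : bar\r\n\r\n",
                b"GET / HTTP/1.1\nHost: h\r\n\r\n"):
        print(handle(req)[0], req.split(b"\r\n", 1)[0])
```

Folding repeated headers with ", " before validating is what makes the duplicate Content-Length case fall out of the digit check rather than needing a separate rule; the same folding turns two Transfer-Encoding headers into one list, so the "last coding is chunked" check covers both the multi-header and the comma-list form of the desync attempt.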
* Fix coverage reporting of subprocess in coverage 5.x  (Bert JW Regeer, 2019-12-19, 2 files, -9/+8)
* Bring coverage back to 100%  (Bert JW Regeer, 2019-12-19, 1 file, -3/+0)
* Concatenate lines black reformatted  (Bert JW Regeer, 2019-12-19, 1 file, -11/+7)
* Blacken the entire code base  (Bert JW Regeer, 2019-12-12, 43 files, -2781/+3245)
* Merge pull request #262 from Pylons/workflows  (Bert JW Regeer, 2019-12-12, 3 files, -0/+113)
|\
    Add GH actions
| * Also run on PRs [workflows]  (Bert JW Regeer, 2019-09-19, 3 files, -3/+3)
| * Add macOS testing  (Bert JW Regeer, 2019-09-19, 1 file, -0/+29)
| * Set up GH actions  (Bert JW Regeer, 2019-09-19, 2 files, -0/+84)
    This sets up Github Actions to be used. Right now alongside Appveyor and Travis, but I am thinking this will eventually take over.
* | Merge pull request #272 from JonathonReinhart/fix-usage-typos  (Steve Piercy, 2019-11-29, 1 file, -4/+4)
|\ \ | |/ |/|
    Fix typos in command line usage text
| * Fix typos in command line usage text  (Jonathon Reinhart, 2019-11-29, 1 file, -4/+4)
|/
* Prep for 1.3.1 [v1.3.1]  (Bert JW Regeer, 2019-08-27, 1 file, -1/+1)
* Merge pull request #261 from Pylons/bugfix/uri_parsing  (Bert JW Regeer, 2019-08-27, 3 files, -4/+62)
|\
    Bugfix: uri parsing
| * Add CHANGES.txt entry for bug  (Bert JW Regeer, 2019-08-27, 1 file, -0/+14)
| * Add comment why this code exists  (Bert JW Regeer, 2019-08-27, 1 file, -0/+7)
| * Allow requests with URI that starts with multiple slashes  (Bert JW Regeer, 2019-08-27, 1 file, -4/+17)
    The HTTP spec states that it is acceptable to send a request like:

        GET //whatever/testing HTTP/1.1

    This should get properly conveyed to the WSGI application, but due to the way that urlsplit works in the standard library this did not happen correctly.

    With this fix we pass through the original path as requested by the client, and the WSGI application will be responsible for collapsing multiple empty path segments as necessary.

    Fixes #260
| * Add failing tests for #260  (Bert JW Regeer, 2019-08-27, 1 file, -0/+24)
|/
* Merge pull request #259 from Pylons/proxy-header-middleware  (Bert JW Regeer, 2019-07-24, 13 files, -1000/+1295)
|\
    move proxy headers to a middleware and return 400 for malformed values
| * restore the old per-language coverage files [proxy-header-middleware]  (Michael Merickel, 2019-07-24, 3 files, -2/+13)
| * add proxy header tests  (Michael Merickel, 2019-07-19, 7 files, -22/+105)
| * support echoing more request info, not just body, in functional tests  (Michael Merickel, 2019-07-19, 2 files, -27/+64)
| * move tests into test_proxy_headers  (Michael Merickel, 2019-07-18, 4 files, -612/+691)
| * log the header value  (Michael Merickel, 2019-07-14, 3 files, -57/+78)
| * handle exceptions and tag them with the specific header  (Michael Merickel, 2019-06-30, 1 file, -91/+117)
| * move proxy headers to a middleware and return 400 for malformed values  (Michael Merickel, 2019-06-29, 4 files, -354/+392)
|/
* Prep v1.3.0 [v1.3.0]  (Bert JW Regeer, 2019-04-22, 2 files, -3/+8)
* Merge pull request #252 from Pylons/crack-version  (Bert JW Regeer, 2019-04-13, 2 files, -2/+5)
|\
    avoid converting the version to a string value "None", empty instead
| * avoid converting the version to a string value "None", empty instead [crack-version]  (Michael Merickel, 2019-04-13, 2 files, -2/+5)
|/
* Prep for 1.3.0b0 [v1.3.0b0]  (Bert JW Regeer, 2019-04-11, 3 files, -123/+123)
* Merge pull request #250 from Pylons/trigger  (Bert JW Regeer, 2019-04-11, 1 file, -7/+10)
|\
    pull the trigger more often, increases throughput in some testing
| * pull the trigger more often, increases throughput in some testing [trigger]  (Michael Merickel, 2019-04-10, 1 file, -7/+10)
* | Merge pull request #251 from Pylons/resource-warnings  (Bert JW Regeer, 2019-04-11, 3 files, -6/+65)
|\ \
    fix resource warnings
| * | fix resource warnings [resource-warnings]  (Michael Merickel, 2019-04-10, 3 files, -6/+65)
| |/
* | Merge pull request #249 from Pylons/iobase  (Bert JW Regeer, 2019-04-11, 4 files, -1/+52)
|\ \ | |/ |/|
    support iobase subclasses
| * add changelog [iobase]  (Michael Merickel, 2019-04-10, 1 file, -0/+4)
| * test for seekable method and use it  (Michael Merickel, 2019-04-10, 2 files, -3/+7)
| * demonstrate failing test with non-seekable filewrapper stream  (Michael Merickel, 2019-04-10, 2 files, -1/+44)
|/
* Merge pull request #242 from Pylons/outbuf-high-watermark  (Bert JW Regeer, 2019-04-06, 8 files, -26/+165)
|\
    outbuf_high_watermark
| * fix comment  (Michael Merickel, 2019-04-06, 1 file, -2/+2)
| * adjust changelog [outbuf-high-watermark]  (Michael Merickel, 2019-04-05, 1 file, -7/+6)
| * simplify rotation  (Michael Merickel, 2019-04-05, 2 files, -20/+20)