blob: eb7093c55a821cd5865bef060a79844dbf6dcd02 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
2.1.1
-----
Security Bugfix
~~~~~~~~~~~~~~~
- Waitress now validates that chunked encoding extensions are valid, and don't
contain invalid characters that are not allowed. They are still skipped/not
processed, but if they contain invalid data we no longer continue in and
return a 400 Bad Request. This stops potential HTTP desync/HTTP request
smuggling. Thanks to Zhang Zeyu for reporting this issue. See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
- Waitress now validates that the chunk length is only valid hex digits when
parsing chunked encoding, and values such as ``0x01`` and ``+01`` are no
longer supported. This stops potential HTTP desync/HTTP request smuggling.
Thanks to Zhang Zeyu for reporting this issue. See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
- Waitress now validates that the Content-Length sent by a remote contains only
digits in accordance with RFC7230 and will return a 400 Bad Request when the
Content-Length header contains invalid data, such as ``+10`` which would
previously get parsed as ``10`` and accepted. This stops potential HTTP
desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue. See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
2.1.0
-----
Python Version Support
~~~~~~~~~~~~~~~~~~~~~~
- Python 3.6 is no longer supported by Waitress
- Python 3.10 is fully supported by Waitress
Bugfix
~~~~~~
- ``wsgi.file_wrapper`` now sets the ``seekable``, ``seek``, and ``tell``
attributes from the underlying file if the underlying file is seekable. This
allows WSGI middleware to implement things like range requests for example
See https://github.com/Pylons/waitress/issues/359 and
https://github.com/Pylons/waitress/pull/363
- In Python 3 ``OSError`` is no longer subscriptable, this caused failures on
Windows attempting to loop to find an socket that would work for use in the
trigger.
See https://github.com/Pylons/waitress/pull/361
- Fixed an issue whereby ``BytesIO`` objects were not properly closed, and
thereby would not get cleaned up until garbage collection would get around to
it.
This led to potential for random memory spikes/memory issues, see
https://github.com/Pylons/waitress/pull/358 and
https://github.com/Pylons/waitress/issues/357 .
With thanks to Florian Schulze for testing/vaidating this fix!
Features
~~~~~~~~
- When the WSGI app starts sending data to the output buffer, we now attempt to
send data directly to the socket. This avoids needing to wake up the main
thread to start sending data. Allowing faster transmission of the first byte.
See https://github.com/Pylons/waitress/pull/364
With thanks to Michael Merickel for being a great rubber ducky!
- Add REQUEST_URI to the WSGI environment.
REQUEST_URI is similar to ``request_uri`` in nginx. It is a string that
contains the request path before separating the query string and
decoding ``%``-escaped characters.
|
