-
Notifications
You must be signed in to change notification settings - Fork 162
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Re-introduce clear_untrusted_proxy_headers for the 3.x version
- Loading branch information
1 parent
ca95fa2
commit ec0e165
Showing
5 changed files
with
113 additions
and
103 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,102 +1,8 @@ | ||
| 2.1.2 | ||
| ----- | ||
| 3.0.0 (Unreleased) | ||
| ------------------ | ||
|
|
||
| Bugfix | ||
| ~~~~~~ | ||
| Updated Defaults | ||
| ~~~~~~~~~~~~~~~~ | ||
|
|
||
| - When expose_tracebacks is enabled waitress would fail to properly encode | ||
| unicode thereby causing another error during error handling. See | ||
| https://github.com/Pylons/waitress/pull/378 | ||
|
|
||
| - Header length checking had a calculation that was done incorrectly when the | ||
| data was received across multple socket reads. This calculation has been | ||
| corrected, and no longer will Waitress send back a 413 Request Entity Too | ||
| Large. See https://github.com/Pylons/waitress/pull/376 | ||
|
|
||
| Security Bugfix | ||
| ~~~~~~~~~~~~~~~ | ||
|
|
||
| - in 2.1.0 a new feature was introduced that allowed the WSGI thread to start | ||
| sending data to the socket. However this introduced a race condition whereby | ||
| a socket may be closed in the sending thread while the main thread is about | ||
| to call select() therey causing the entire application to be taken down. | ||
| Waitress will no longer close the socket in the WSGI thread, instead waking | ||
| up the main thread to cleanup. See https://github.com/Pylons/waitress/pull/377 | ||
|
|
||
| 2.1.1 | ||
| ----- | ||
|
|
||
| Security Bugfix | ||
| ~~~~~~~~~~~~~~~ | ||
|
|
||
| - Waitress now validates that chunked encoding extensions are valid, and don't | ||
| contain invalid characters that are not allowed. They are still skipped/not | ||
| processed, but if they contain invalid data we no longer continue in and | ||
| return a 400 Bad Request. This stops potential HTTP desync/HTTP request | ||
| smuggling. Thanks to Zhang Zeyu for reporting this issue. See | ||
| https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 | ||
|
|
||
| - Waitress now validates that the chunk length is only valid hex digits when | ||
| parsing chunked encoding, and values such as ``0x01`` and ``+01`` are no | ||
| longer supported. This stops potential HTTP desync/HTTP request smuggling. | ||
| Thanks to Zhang Zeyu for reporting this issue. See | ||
| https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 | ||
|
|
||
| - Waitress now validates that the Content-Length sent by a remote contains only | ||
| digits in accordance with RFC7230 and will return a 400 Bad Request when the | ||
| Content-Length header contains invalid data, such as ``+10`` which would | ||
| previously get parsed as ``10`` and accepted. This stops potential HTTP | ||
| desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue. See | ||
| https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 | ||
|
|
||
| 2.1.0 | ||
| ----- | ||
|
|
||
| Python Version Support | ||
| ~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| - Python 3.6 is no longer supported by Waitress | ||
|
|
||
| - Python 3.10 is fully supported by Waitress | ||
|
|
||
| Bugfix | ||
| ~~~~~~ | ||
|
|
||
| - ``wsgi.file_wrapper`` now sets the ``seekable``, ``seek``, and ``tell`` | ||
| attributes from the underlying file if the underlying file is seekable. This | ||
| allows WSGI middleware to implement things like range requests for example | ||
|
|
||
| See https://github.com/Pylons/waitress/issues/359 and | ||
| https://github.com/Pylons/waitress/pull/363 | ||
|
|
||
| - In Python 3 ``OSError`` is no longer subscriptable, this caused failures on | ||
| Windows attempting to loop to find an socket that would work for use in the | ||
| trigger. | ||
|
|
||
| See https://github.com/Pylons/waitress/pull/361 | ||
|
|
||
| - Fixed an issue whereby ``BytesIO`` objects were not properly closed, and | ||
| thereby would not get cleaned up until garbage collection would get around to | ||
| it. | ||
|
|
||
| This led to potential for random memory spikes/memory issues, see | ||
| https://github.com/Pylons/waitress/pull/358 and | ||
| https://github.com/Pylons/waitress/issues/357 . | ||
|
|
||
| With thanks to Florian Schulze for testing/vaidating this fix! | ||
|
|
||
| Features | ||
| ~~~~~~~~ | ||
|
|
||
| - When the WSGI app starts sending data to the output buffer, we now attempt to | ||
| send data directly to the socket. This avoids needing to wake up the main | ||
| thread to start sending data. Allowing faster transmission of the first byte. | ||
| See https://github.com/Pylons/waitress/pull/364 | ||
|
|
||
| With thanks to Michael Merickel for being a great rubber ducky! | ||
|
|
||
| - Add REQUEST_URI to the WSGI environment. | ||
|
|
||
| REQUEST_URI is similar to ``request_uri`` in nginx. It is a string that | ||
| contains the request path before separating the query string and | ||
| decoding ``%``-escaped characters. | ||
| - clear_untrusted_proxy_headers is set to True by default. See | ||
| https://github.com/Pylons/waitress/pull/370 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters