- update to 3.0.0:
* Fixed testing of vendored asyncore code to not rely on
particular naming for errnos.
* HTTP Request methods and versions are now validated to meet
the HTTP standards thereby dropping invalid requests on the floor.
* No longer close the connection when sending a HEAD request
response.
* Always attempt to send the Connection: close response header
when we are going to close the connection to let the remote
know in more instances.
* Document that trusted_proxy may be set to a wildcard value to
trust all proxies.
* clear_untrusted_proxy_headers is set to True by default.
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
* Waitress did not properly validate that the HTTP headers it received
were properly formed, thereby potentially allowing a front-end server
to treat a request differently from Waitress. This could lead to HTTP
* Waitress won’t accidentally throw away part of the path if it
- Initial package (0.8.3)
OBS-URL: https://build.opensuse.org/request/show/1184077
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-waitress?expand=0&rev=32
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-waitress?expand=0&rev=67
- update to 2.1.1 (bsc#1197255, CVE-2022-24761):
* Waitress now validates that chunked encoding extensions are valid and don’t
contain characters that are not allowed. They are still skipped/not
processed, but if they contain invalid data we no longer continue; instead we
return a 400 Bad Request. This stops potential HTTP desync/HTTP request smuggling.
Thanks to Zhang Zeyu for reporting this issue. See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
* Waitress now validates that the chunk length is only valid hex digits when
parsing chunked encoding, and values such as 0x01 and +01 are no longer
supported. This stops potential HTTP desync/HTTP request smuggling. Thanks
to Zhang Zeyu for reporting this issue. See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
* Waitress now validates that the Content-Length sent by a remote contains only
digits in accordance with RFC7230 and will return a 400 Bad Request when the
Content-Length header contains invalid data, such as +10 which would
previously get parsed as 10 and accepted. This stops potential HTTP
desync/HTTP request smuggling. Thanks to Zhang Zeyu for reporting this issue.
See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
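The three 2.1.1 fixes above all come down to the same rule: a framing value that is not exactly what RFC 7230 allows must be rejected with 400 rather than coerced into a number, because a permissive parser and a strict one sitting on the same request path can otherwise disagree about where one message ends and the next begins. The following is an added illustration, not Waitress's own parser: it enforces `Content-Length = 1*DIGIT`, `chunk-size = 1*HEXDIG` and the `chunk-ext` grammar (whitespace around the size is rejected too), and contrasts that with a lenient parser built on Python's `int()`, which is an assumption about how the accepted-but-wrong values such as `+10` or `0x01` arise rather than a description of the old code. The sample inputs are constructed.

```python
import re

# Grammar from RFC 7230 that the 2.1.1 release enforces:
#   Content-Length = 1*DIGIT
#   chunk-size     = 1*HEXDIG
#   chunk-ext      = *( ";" chunk-ext-name [ "=" chunk-ext-val ] )
#   chunk-ext-val  = token / quoted-string
_DIGITS = re.compile(rb"[0-9]+")
_HEXDIGITS = re.compile(rb"[0-9A-Fa-f]+")
_TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = rb'"(?:[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]|\\[\t \x21-\x7e\x80-\xff])*"'
_CHUNK_EXT = re.compile(
    rb"(?:;" + _TOKEN + rb"(?:=(?:" + _TOKEN + rb"|" + _QUOTED + rb"))?)*"
)


class BadRequest(ValueError):
    """Framing is malformed; the only safe answer is 400 and close."""


def lenient_int(text: bytes, base: int = 10) -> int:
    # Assumption for illustration: a permissive parser built on int(), which
    # happily accepts b"+10", b" 10", b"1_0" and, in base 16, b"0x01".
    return int(text, base)


def parse_content_length(value: bytes) -> int:
    """Strict Content-Length: only ASCII digits, nothing else."""
    if not _DIGITS.fullmatch(value):
        raise BadRequest(f"invalid Content-Length {value!r}")
    return int(value)


def parse_chunk_size_line(line: bytes) -> int:
    """Parse one chunk header without its CRLF, e.g. b'1a;name=value'.

    Extensions are validated against the grammar but otherwise ignored.
    """
    size, sep, ext = line.partition(b";")
    if not _HEXDIGITS.fullmatch(size):
        raise BadRequest(f"invalid chunk-size {size!r}")
    if sep and not _CHUNK_EXT.fullmatch(sep + ext):
        raise BadRequest(f"invalid chunk-ext {ext!r}")
    return int(size, 16)


def rejects(parser, value: bytes) -> bool:
    """True when the strict parser refuses the value."""
    try:
        parser(value)
    except BadRequest:
        return True
    return False


def disagreements(samples):
    """Inputs a lenient parser turns into a number but the strict one rejects:
    exactly the values two hops on a request path could disagree about."""
    out = []
    for value, base in samples:
        strict = parse_content_length if base == 10 else parse_chunk_size_line
        if not rejects(strict, value):
            continue
        try:
            out.append((value, lenient_int(value, base)))
        except ValueError:
            pass  # both sides reject: no ambiguity
    return out


# Constructed samples: (raw bytes, base) with base 10 for Content-Length
# values and base 16 for chunk-size lines.
SAMPLES = [
    (b"10", 10), (b"+10", 10), (b" 10", 10), (b"1_0", 10),
    (b"1a", 16), (b"0x01", 16), (b"+01", 16),
]

if __name__ == "__main__":
    for value, parsed in disagreements(SAMPLES):
        print(f"{value!r}: lenient says {parsed}, strict says 400")
```

Running it lists every sample except `b"10"` and `b"1a"`; those are the values a front-end that tolerates them would forward with one meaning while a strict back-end refuses them, which is the desync the changelog refers to.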
OBS-URL: https://build.opensuse.org/request/show/962909
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-waitress?expand=0&rev=24
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-waitress?expand=0&rev=50
- version update to 2.0.0
- Friendly Reminder
This release still contains a variety of deprecation notices about defaults
that can be set for a variety of options.
Please note that this is your last warning, and you should update your
configuration if you do NOT want to use the new defaults.
See the arguments documentation page for all supported options, and pay
attention to the warnings:
https://docs.pylonsproject.org/projects/waitress/en/stable/arguments.html
- Fix a crash on startup when listening to multiple interfaces.
See https://github.com/Pylons/waitress/pull/332
- Waitress no longer attempts to guess at what the ``server_name`` should be for
a listen socket; instead it always uses a new adjustment/argument named
``server_name``.
Please see the documentation for ``server_name`` in
https://docs.pylonsproject.org/projects/waitress/en/latest/arguments.html and
see https://github.com/Pylons/waitress/pull/329
- Allow tasks to notice if the client disconnected.
This inserts a callable ``waitress.client_disconnected`` into the environment
that allows the task to check if the client disconnected while waiting for
the response at strategic points in the execution and to cancel the
operation.
It requires setting the new adjustment ``channel_request_lookahead`` to a value
larger than 0, which continues to read requests from a channel even if a
request is already being processed on that channel, up to the given count,
since a client disconnect is detected by reading from a readable socket and
receiving an empty result.
See https://github.com/Pylons/waitress/pull/310
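An added example of the ``waitress.client_disconnected`` mechanism described above (this is not code from the Waitress project): a WSGI app that streams a long report and polls the callable before each unit of work so a client that hung up does not keep the worker thread busy. The environ key and the ``channel_request_lookahead`` adjustment are the ones the changelog names; ``disconnect_after`` and ``run_wsgi`` are constructed stand-ins for the server so the app can be exercised offline, and ``ROWS`` is a made-up size.

```python
from typing import Callable, Iterator

ROWS = 10  # constructed: how many "expensive" rows the report produces


def expensive_row(i: int) -> bytes:
    # Stands in for a slow query or rendering step.
    return f"row {i}\n".encode()


def generate_rows(client_disconnected: Callable[[], bool]) -> Iterator[bytes]:
    for i in range(ROWS):
        # Strategic point: before the next unit of work, ask the server whether
        # anyone is still listening and stop the operation if not.
        if client_disconnected():
            return
        yield expensive_row(i)


def report_app(environ, start_response):
    """WSGI app producing a long streaming response."""
    # Waitress only inserts this callable when channel_request_lookahead > 0;
    # under other servers (or the default of 0) fall back to "still connected".
    client_disconnected = environ.get("waitress.client_disconnected", lambda: False)
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return generate_rows(client_disconnected)


def disconnect_after(n: int) -> Callable[[], bool]:
    """Constructed stand-in for the server's callable: the first n polls report
    a live client, every later poll reports a disconnect."""
    polls = [0]

    def client_disconnected() -> bool:
        polls[0] += 1
        return polls[0] > n

    return client_disconnected


def run_wsgi(app, environ) -> tuple:
    """Minimal WSGI driver used only for testing: returns (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    from waitress import serve
    # channel_request_lookahead must be > 0 for the callable to be present.
    serve(report_app, listen="127.0.0.1:8080", channel_request_lookahead=1)
```

With a lookahead of 0 the key is absent and the app degrades to the old behaviour of producing every row regardless.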
- Drop Python 2.7 and 3.5 support
- The server now issues warning output when there are enough open
OBS-URL: https://build.opensuse.org/request/show/914584
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-waitress?expand=0&rev=48
- Update to version 1.4.4 (2020-06-01)
+ Fix an issue with keep-alive connections in which memory usage
was higher than expected because output buffers were being
reused across requests on a long-lived connection and each
buffer would not be freed until it was full or the connection
was closed. Buffers are now rotated per-request to stabilize
their behavior.
+ See https://github.com/Pylons/waitress/pull/300
+ Waitress threads have been updated to contain their thread
number. This will allow loggers that use that information to
print the thread that the log is coming from.
+ See https://github.com/Pylons/waitress/pull/302
- Switch to pytest, disable one test, that requires network
- Create _multibuild for doc package
It requires installation of base package now
OBS-URL: https://build.opensuse.org/request/show/839249
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-waitress?expand=0&rev=46
- update to 1.4.0:
- Waitress used to slam the door shut on HTTP pipelined requests without
setting the ``Connection: close`` header as appropriate in the response. This
is of course not very friendly. Waitress now explicitly sets the header when
responding with an internally generated error such as 400 Bad Request or 500
Internal Server Error to notify the remote client that it will be closing the
connection after the response is sent.
- Waitress no longer allows any spaces to exist between the header field-name
and the colon. While waitress did not strip the space and thereby was not
vulnerable to any potential header field-name confusion, it should have sent
back a 400 Bad Request. See https://github.com/Pylons/waitress/issues/273
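The two 1.4.0 entries above fit together: a header field-name is a token, whitespace before the colon is not part of it (RFC 7230 section 3.2.4 requires a 400 for such a request), and because the server will close the connection after an internally generated error it should say so with ``Connection: close``. The following is an added example, not Waitress's own code: a strict header-block parser and the error response it produces on failure. The sample header blocks in the test are constructed.

```python
import re

# RFC 7230: field-name = token. No whitespace may sit between the name and the
# colon, and a server must reject such a request with 400.
_TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class BadRequest(ValueError):
    """Malformed header block: answer 400 and close the connection."""


def parse_header_line(line: bytes):
    """Split one header line (without its CRLF) into (lowercased name, value)."""
    name, colon, value = line.partition(b":")
    if not colon:
        raise BadRequest(f"header line without colon: {line!r}")
    if not _TOKEN_RE.fullmatch(name):  # catches b"Host ", b"" and control bytes
        raise BadRequest(f"invalid header field-name: {name!r}")
    return name.lower(), value.strip(b" \t")  # optional whitespace around values is fine


def parse_headers(block: bytes) -> dict:
    """Parse a CRLF-separated header block into {name: [value, ...]}."""
    headers = {}
    for line in block.split(b"\r\n"):
        if not line:
            continue
        name, value = parse_header_line(line)
        headers.setdefault(name, []).append(value)
    return headers


def error_response(status: str, reason: str) -> bytes:
    """Serialise an internally generated error response.

    The connection is dropped once this is sent, so the client is told
    explicitly with Connection: close instead of being left to find out.
    """
    body = f"{status}\r\n{reason}\r\n".encode()
    head = [
        f"HTTP/1.1 {status}",
        f"Content-Length: {len(body)}",
        "Content-Type: text/plain; charset=utf-8",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(head).encode() + body


def handle_header_block(block: bytes):
    """Return (headers, None) on success or (None, raw 400 response) on failure.

    The detailed reason stays in the exception for logging; the response body
    carries only a generic message.
    """
    try:
        return parse_headers(block), None
    except BadRequest:
        return None, error_response("400 Bad Request", "malformed request header")
```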
- CRLF handling security fixes
OBS-URL: https://build.opensuse.org/request/show/758618
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-waitress?expand=0&rev=17
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-waitress?expand=0&rev=38
- version update to 1.3.0
Deprecations
~~~~~~~~~~~~
- The ``send_bytes`` adjustment now defaults to ``1`` and is deprecated
pending removal in a future release.
and https://github.com/Pylons/waitress/pull/246
Features
~~~~~~~~
- Add a new ``outbuf_high_watermark`` adjustment which is used to apply
backpressure on the ``app_iter`` to avoid letting it spin faster than data
can be written to the socket. This stabilizes responses that iterate quickly
with a lot of data.
See https://github.com/Pylons/waitress/pull/242
- Stop early and close the ``app_iter`` when attempting to write to a closed
socket due to a client disconnect. This should notify a long-lived streaming
response when a client hangs up.
See https://github.com/Pylons/waitress/pull/238
and https://github.com/Pylons/waitress/pull/240
and https://github.com/Pylons/waitress/pull/241
- Adjust the flush to output ``SO_SNDBUF`` bytes instead of whatever was
set in the ``send_bytes`` adjustment. ``send_bytes`` now only controls how
much waitress will buffer internally before flushing to the kernel, whereas
previously it used to also throttle how much data was sent to the kernel.
This change enables a streaming ``app_iter`` containing small chunks to
still be flushed efficiently.
See https://github.com/Pylons/waitress/pull/246
Bugfixes
~~~~~~~~
- Upon receiving a request that does not include HTTP/1.0 or HTTP/1.1 we will
no longer set the version to the string value "None". See
OBS-URL: https://build.opensuse.org/request/show/701044
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-waitress?expand=0&rev=34