5e9b1792ec (devel)  Dirk Mueller  2024-11-20 17:07:15 +00:00
    - update to 3.0.2:
      * When using Waitress to process trusted proxy headers, Waitress will now update the headers to drop any untrusted values, thereby making sure that WSGI apps only get trusted and validated values that Waitress itself used to update the environ.
ee0612d449  Ana Guerrero  2024-07-03 18:28:48 +00:00
    Accepting request 1184077 from devel:languages:python
2507a6a762  Dirk Mueller  2024-06-30 08:09:07 +00:00
    - update to 3.0.0:
      * Fixed testing of vendored asyncore code to not rely on particular naming for errno's.
      * HTTP Request methods and versions are now validated to meet the HTTP standards thereby dropping invalid requests on the floor.
      * No longer close the connection when sending a HEAD request response.
      * Always attempt to send the Connection: close response header when we are going to close the connection to let the remote know in more instances.
      * Document that trusted_proxy may be set to a wildcard value to trust all proxies.
      * clear_untrusted_proxy_headers is set to True by default. https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
      * Waitress did not properly validate that the HTTP headers it received were properly formed, thereby potentially allowing a front-end server to treat a request different from Waitress. This could lead to HTTP
      * Waitress won’t accidentally throw away part of the path if it
    - Initial package (0.8.3)
3fc5e71e86  Ana Guerrero  2023-12-06 22:52:21 +00:00
    Accepting request 1130937 from devel:languages:python
4c23082225  Dirk Mueller  2023-12-05 09:43:01 +00:00
    Accepting request 1130817 from home:anag:AllStaging
5becce6854  Ana Guerrero  2023-07-27 14:50:08 +00:00
    Accepting request 1100878 from devel:languages:python
29fd08fbcd  Matej Cepl  2023-07-26 14:28:43 +00:00
    Accepting request 1100756 from home:bmwiedemann:branches:devel:languages:python
fb396095fb  Dirk Mueller  2022-03-17 17:48:05 +00:00
    - update to 2.1.1 (bsc#1197255, CVE-2022-24761):
      * Waitress now validates that chunked encoding extensions are valid, and don’t contain invalid characters that are not allowed. They are still skipped/not processed, but if they contain invalid data we no longer continue in and return a 400 Bad Request. This stops potential HTTP desync/HTTP request smuggling. Thanks to Zhang Zeyu for reporting this issue. See https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
      * Waitress now validates that the chunk length is only valid hex digits when parsing chunked encoding, and values such as 0x01 and +01 are no longer supported. This stops potential HTTP desync/HTTP request smuggling. Thanks to Zhang Zeyu for reporting this issue. See https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
      * Waitress now validates that the Content-Length sent by a remote contains only digits in accordance with RFC7230 and will return a 400 Bad Request when the Content-Length header contains invalid data, such as +10 which would previously get parsed as 10 and accepted. This stops potential HTTP desync/HTTP request smuggling. Thanks to Zhang Zeyu for reporting this issue. See https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
0d71bd52b1  Dirk Mueller  2019-12-20 18:36:31 +00:00
    - update to 1.4.0:
      - Waitress used to slam the door shut on HTTP pipelined requests without setting the `Connection: close` header as appropriate in the response. This is of course not very friendly. Waitress now explicitly sets the header when responding with an internally generated error such as 400 Bad Request or 500 Internal Server Error to notify the remote client that it will be closing the connection after the response is sent.
      - Waitress no longer allows any spaces to exist between the header field-name and the colon. While waitress did not strip the space and thereby was not vulnerable to any potential header field-name confusion, it should have sent back a 400 Bad Request. See https://github.com/Pylons/waitress/issues/273
      - CRLF handling security fixes
a11d936bfe  Dirk Mueller  2016-05-20 11:30:01 +00:00
    - update to 0.9.0:
      * Security/Protections
        - Building on the changes made in pull request 117, add in checking for line feed/carriage return HTTP Response Splitting in the status line, as well as the key of a header. See https://github.com/Pylons/waitress/pull/124 and https://github.com/Pylons/waitress/issues/122.
        - Waitress will no longer accept headers or status lines with newline/carriage returns in them, thereby disallowing HTTP Response Splitting.
      * Bugfixes
        - FileBasedBuffer and more important ReadOnlyFileBasedBuffer no longer report False when tested with bool(), instead always returning True, and becoming more iterator like.
        - Call prune() on the output buffer at the end of a request so that it doesn't continue to grow without bounds.