| Field | Value | Date |
|---|---|---|
| author | Bert JW Regeer <bertjw@regeer.org> | 2022-05-30 15:51:53 -0600 |
| committer | Bert JW Regeer <bertjw@regeer.org> | 2022-05-30 15:51:53 -0600 |
| commit | ec0e1655c4bba1411bf65dc9f0f03fdfb0e4fc74 | |
| tree | 9f8b4b7290bc84940817012e55c77975d548b507 | |
| parent | ca95fa2108abc7efdbf814661a7d4a4b2f82a8fd | |
| download | waitress-ec0e1655c4bba1411bf65dc9f0f03fdfb0e4fc74.tar.gz | |
Re-introduce clear_untrusted_proxy_headers for the 3.x version
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | CHANGES.txt | 106 |
| -rw-r--r-- | HISTORY.txt | 104 |
| -rw-r--r-- | docs/arguments.rst | 2 |
| -rw-r--r-- | setup.cfg | 2 |
| -rw-r--r-- | src/waitress/adjustments.py | 2 |

5 files changed, 113 insertions, 103 deletions
diff --git a/CHANGES.txt b/CHANGES.txt index 17ca87e..5ae6166 100644 --- a/CHANGES.txt +++ b/CHANGES.txt 
@@ -1,102 +1,8 @@ -2.1.2 ------ +3.0.0 (Unreleased) +------------------ -Bugfix -~~~~~~ +Updated Defaults +~~~~~~~~~~~~~~~~ -- When expose_tracebacks is enabled waitress would fail to properly encode - unicode thereby causing another error during error handling. See - https://github.com/Pylons/waitress/pull/378 - -- Header length checking had a calculation that was done incorrectly when the - data was received across multple socket reads. This calculation has been - corrected, and no longer will Waitress send back a 413 Request Entity Too - Large. See https://github.com/Pylons/waitress/pull/376 - -Security Bugfix -~~~~~~~~~~~~~~~ - -- in 2.1.0 a new feature was introduced that allowed the WSGI thread to start - sending data to the socket. However this introduced a race condition whereby - a socket may be closed in the sending thread while the main thread is about - to call select() therey causing the entire application to be taken down. - Waitress will no longer close the socket in the WSGI thread, instead waking - up the main thread to cleanup. See https://github.com/Pylons/waitress/pull/377 - -2.1.1 ------ - -Security Bugfix -~~~~~~~~~~~~~~~ - -- Waitress now validates that chunked encoding extensions are valid, and don't - contain invalid characters that are not allowed. They are still skipped/not - processed, but if they contain invalid data we no longer continue in and - return a 400 Bad Request. This stops potential HTTP desync/HTTP request - smuggling. Thanks to Zhang Zeyu for reporting this issue. See - https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 - -- Waitress now validates that the chunk length is only valid hex digits when - parsing chunked encoding, and values such as ``0x01`` and ``+01`` are no - longer supported. This stops potential HTTP desync/HTTP request smuggling. - Thanks to Zhang Zeyu for reporting this issue. 
See - https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 - -- Waitress now validates that the Content-Length sent by a remote contains only - digits in accordance with RFC7230 and will return a 400 Bad Request when the - Content-Length header contains invalid data, such as ``+10`` which would - previously get parsed as ``10`` and accepted. This stops potential HTTP - desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue. See - https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 - -2.1.0 ------ - -Python Version Support -~~~~~~~~~~~~~~~~~~~~~~ - -- Python 3.6 is no longer supported by Waitress - -- Python 3.10 is fully supported by Waitress - -Bugfix -~~~~~~ - -- ``wsgi.file_wrapper`` now sets the ``seekable``, ``seek``, and ``tell`` - attributes from the underlying file if the underlying file is seekable. This - allows WSGI middleware to implement things like range requests for example - - See https://github.com/Pylons/waitress/issues/359 and - https://github.com/Pylons/waitress/pull/363 - -- In Python 3 ``OSError`` is no longer subscriptable, this caused failures on - Windows attempting to loop to find an socket that would work for use in the - trigger. - - See https://github.com/Pylons/waitress/pull/361 - -- Fixed an issue whereby ``BytesIO`` objects were not properly closed, and - thereby would not get cleaned up until garbage collection would get around to - it. - - This led to potential for random memory spikes/memory issues, see - https://github.com/Pylons/waitress/pull/358 and - https://github.com/Pylons/waitress/issues/357 . - - With thanks to Florian Schulze for testing/vaidating this fix! - -Features -~~~~~~~~ - -- When the WSGI app starts sending data to the output buffer, we now attempt to - send data directly to the socket. This avoids needing to wake up the main - thread to start sending data. Allowing faster transmission of the first byte. 
- See https://github.com/Pylons/waitress/pull/364 - - With thanks to Michael Merickel for being a great rubber ducky! - -- Add REQUEST_URI to the WSGI environment. - - REQUEST_URI is similar to ``request_uri`` in nginx. It is a string that - contains the request path before separating the query string and - decoding ``%``-escaped characters. +- clear_untrusted_proxy_headers is set to True by default. See + https://github.com/Pylons/waitress/pull/370 diff --git a/HISTORY.txt b/HISTORY.txt index 2eb829d..c03da8a 100644 --- a/HISTORY.txt +++ b/HISTORY.txt 
@@ -1,3 +1,107 @@ +2.1.2 +----- + +Bugfix +~~~~~~ + +- When expose_tracebacks is enabled waitress would fail to properly encode + unicode thereby causing another error during error handling. See + https://github.com/Pylons/waitress/pull/378 + +- Header length checking had a calculation that was done incorrectly when the + data was received across multple socket reads. This calculation has been + corrected, and no longer will Waitress send back a 413 Request Entity Too + Large. See https://github.com/Pylons/waitress/pull/376 + +Security Bugfix +~~~~~~~~~~~~~~~ + +- in 2.1.0 a new feature was introduced that allowed the WSGI thread to start + sending data to the socket. However this introduced a race condition whereby + a socket may be closed in the sending thread while the main thread is about + to call select() therey causing the entire application to be taken down. + Waitress will no longer close the socket in the WSGI thread, instead waking + up the main thread to cleanup. See https://github.com/Pylons/waitress/pull/377 + +2.1.1 +----- + +Security Bugfix +~~~~~~~~~~~~~~~ + +- Waitress now validates that chunked encoding extensions are valid, and don't + contain invalid characters that are not allowed. They are still skipped/not + processed, but if they contain invalid data we no longer continue in and + return a 400 Bad Request. This stops potential HTTP desync/HTTP request + smuggling. Thanks to Zhang Zeyu for reporting this issue. See + https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 + +- Waitress now validates that the chunk length is only valid hex digits when + parsing chunked encoding, and values such as ``0x01`` and ``+01`` are no + longer supported. This stops potential HTTP desync/HTTP request smuggling. + Thanks to Zhang Zeyu for reporting this issue. 
See + https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 + +- Waitress now validates that the Content-Length sent by a remote contains only + digits in accordance with RFC7230 and will return a 400 Bad Request when the + Content-Length header contains invalid data, such as ``+10`` which would + previously get parsed as ``10`` and accepted. This stops potential HTTP + desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue. See + https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 + +2.1.0 +----- + +Python Version Support +~~~~~~~~~~~~~~~~~~~~~~ + +- Python 3.6 is no longer supported by Waitress + +- Python 3.10 is fully supported by Waitress + +Bugfix +~~~~~~ + +- ``wsgi.file_wrapper`` now sets the ``seekable``, ``seek``, and ``tell`` + attributes from the underlying file if the underlying file is seekable. This + allows WSGI middleware to implement things like range requests for example + + See https://github.com/Pylons/waitress/issues/359 and + https://github.com/Pylons/waitress/pull/363 + +- In Python 3 ``OSError`` is no longer subscriptable, this caused failures on + Windows attempting to loop to find an socket that would work for use in the + trigger. + + See https://github.com/Pylons/waitress/pull/361 + +- Fixed an issue whereby ``BytesIO`` objects were not properly closed, and + thereby would not get cleaned up until garbage collection would get around to + it. + + This led to potential for random memory spikes/memory issues, see + https://github.com/Pylons/waitress/pull/358 and + https://github.com/Pylons/waitress/issues/357 . + + With thanks to Florian Schulze for testing/vaidating this fix! + +Features +~~~~~~~~ + +- When the WSGI app starts sending data to the output buffer, we now attempt to + send data directly to the socket. This avoids needing to wake up the main + thread to start sending data. Allowing faster transmission of the first byte. 
+ See https://github.com/Pylons/waitress/pull/364 + + With thanks to Michael Merickel for being a great rubber ducky! + +- Add REQUEST_URI to the WSGI environment. + + REQUEST_URI is similar to ``request_uri`` in nginx. It is a string that + contains the request path before separating the query string and + decoding ``%``-escaped characters. + + 2.0.0 (2021-03-07) ------------------ diff --git a/docs/arguments.rst b/docs/arguments.rst index db765e4..2e91112 100644 --- a/docs/arguments.rst +++ b/docs/arguments.rst @@ -160,7 +160,7 @@ clear_untrusted_proxy_headers Default: ``True`` - .. versionchanged:: 2.1.2 + .. versionchanged:: 3.0.0 In this version default value is set to ``True`` and deprecation warning doesn't show up anymore. @@ -1,6 +1,6 @@ [metadata] name = waitress -version = 2.1.2 +version = 3.0.0b0 description = Waitress WSGI server long_description = file: README.rst, CHANGES.txt long_description_content_type = text/x-rst diff --git a/src/waitress/adjustments.py b/src/waitress/adjustments.py index e08d75d..9eb1794 100644 --- a/src/waitress/adjustments.py +++ b/src/waitress/adjustments.py @@ -176,7 +176,7 @@ class Adjustments: # proxy server to filter invalid headers log_untrusted_proxy_headers = False - # Changed this parameter to True by default in 2.x + # Changed this parameter to True by default in 3.x clear_untrusted_proxy_headers = True # default ``wsgi.url_scheme`` value |
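Review bot: the new "3.0.0 (Unreleased)" entry in the CHANGES.txt hunk should flag the flip of clear_untrusted_proxy_headers to True as a backwards-incompatible change, because a deployment that relied on the previous default will see proxy headers from untrusted sources dropped after upgrading; a one-line migration hint (set the option to False explicitly to keep the old behaviour, or mark the proxies in front of Waitress as trusted) would spare operators a surprise. The entry could also mention that the deprecation warning no longer appears, which the docs/arguments.rst hunk states but the changelog does not.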
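Review bot: the 2.1.x entries are moved into HISTORY.txt verbatim and carry over the typos "multple", "therey" and "vaidating"; since every one of these lines is touched by the move anyway, this is the place to fix them. The moved headings "2.1.2", "2.1.1" and "2.1.0" also lack the release date that the existing entries in this file carry (compare "2.0.0 (2021-03-07)"); adding the dates keeps the history consistent and lets a reader tell which release shipped the HTTP request smuggling fixes cited under GHSA-4f7p-27jc-3c36.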
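Review bot: in the docs/arguments.rst hunk the versionchanged directive is correctly bumped from 2.1.2 to 3.0.0, but the sentence beneath it is left reading awkwardly; suggest "In this version the default value is set to ``True`` and the deprecation warning is no longer shown." It would also help to add one sentence saying what the setting does when it is True, so a reader of this argument's documentation understands why the default changed.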
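Review bot: in the src/waitress/adjustments.py hunk the updated comment "# Changed this parameter to True by default in 3.x" says when the default changed but not why; a short pointer to the reason (untrusted proxy headers are now cleared instead of passed through) and to the pull request cited in CHANGES.txt (https://github.com/Pylons/waitress/pull/370) would make the intent visible at the point of definition. Note also that log_untrusted_proxy_headers just above stays False, so with the new default untrusted headers are dropped silently; an operator diagnosing a proxy misconfiguration will want that logging enabled, and the comment or the docs could say so.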