2024-01-31 11:46:04 by Jonathan Perkin | Files touched by this commit (1) |
Log message:
py-waitress: Fix PYTHON_VERSIONS_INCOMPATIBLE.
|
2024-01-26 14:48:21 by Adam Ciarcinski | Files touched by this commit (3) | |
Log message:
py-waitress: updated to 2.1.2
2.1.2
-----
Bugfix
~~~~~~
- When expose_tracebacks is enabled waitress would fail to properly encode
unicode thereby causing another error during error handling. See
https://github.com/Pylons/waitress/pull/378
- Header length checking had a calculation that was done incorrectly when the
data was received across multple socket reads. This calculation has been
corrected, and no longer will Waitress send back a 413 Request Entity Too
Large. See https://github.com/Pylons/waitress/pull/376
Security Bugfix
~~~~~~~~~~~~~~~
- in 2.1.0 a new feature was introduced that allowed the WSGI thread to start
sending data to the socket. However this introduced a race condition whereby
a socket may be closed in the sending thread while the main thread is about
to call select() therey causing the entire application to be taken down.
Waitress will no longer close the socket in the WSGI thread, instead waking
up the main thread to cleanup. See https://github.com/Pylons/waitress/pull/377
2.1.1
-----
Security Bugfix
~~~~~~~~~~~~~~~
- Waitress now validates that chunked encoding extensions are valid, and don't
contain invalid characters that are not allowed. They are still skipped/not
processed, but if they contain invalid data we no longer continue in and
return a 400 Bad Request. This stops potential HTTP desync/HTTP request
smuggling. Thanks to Zhang Zeyu for reporting this issue. See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
- Waitress now validates that the chunk length is only valid hex digits when
parsing chunked encoding, and values such as ``0x01`` and ``+01`` are no
longer supported. This stops potential HTTP desync/HTTP request smuggling.
Thanks to Zhang Zeyu for reporting this issue. See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
- Waitress now validates that the Content-Length sent by a remote contains only
digits in accordance with RFC7230 and will return a 400 Bad Request when the
Content-Length header contains invalid data, such as ``+10`` which would
previously get parsed as ``10`` and accepted. This stops potential HTTP
desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue. See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
2.1.0
-----
Python Version Support
~~~~~~~~~~~~~~~~~~~~~~
- Python 3.6 is no longer supported by Waitress
- Python 3.10 is fully supported by Waitress
Bugfix
~~~~~~
- ``wsgi.file_wrapper`` now sets the ``seekable``, ``seek``, and ``tell``
attributes from the underlying file if the underlying file is seekable. This
allows WSGI middleware to implement things like range requests for example
See https://github.com/Pylons/waitress/issues/359 and
https://github.com/Pylons/waitress/pull/363
- In Python 3 ``OSError`` is no longer subscriptable, this caused failures on
Windows attempting to loop to find an socket that would work for use in the
trigger.
See https://github.com/Pylons/waitress/pull/361
- Fixed an issue whereby ``BytesIO`` objects were not properly closed, and
thereby would not get cleaned up until garbage collection would get around to
it.
This led to potential for random memory spikes/memory issues, see
https://github.com/Pylons/waitress/pull/358 and
https://github.com/Pylons/waitress/issues/357 .
With thanks to Florian Schulze for testing/vaidating this fix!
Features
~~~~~~~~
- When the WSGI app starts sending data to the output buffer, we now attempt to
send data directly to the socket. This avoids needing to wake up the main
thread to start sending data. Allowing faster transmission of the first byte.
See https://github.com/Pylons/waitress/pull/364
With thanks to Michael Merickel for being a great rubber ducky!
- Add REQUEST_URI to the WSGI environment.
REQUEST_URI is similar to ``request_uri`` in nginx. It is a string that
contains the request path before separating the query string and
decoding ``%``-escaped characters.
|
2022-08-24 11:25:57 by Thomas Klausner | Files touched by this commit (17) |
Log message:
*: use coverage from versioned_dependencies.mk
|
2022-01-05 16:41:32 by Thomas Klausner | Files touched by this commit (289) |
Log message:
python: egg.mk: add USE_PKG_RESOURCES flag
This flag should be set for packages that import pkg_resources
and thus need setuptools after the build step.
Set this flag for packages that need it and bump PKGREVISION.
|
2022-01-04 21:55:40 by Thomas Klausner | Files touched by this commit (1595) |
Log message:
*: bump PKGREVISION for egg.mk users
They now have a tool dependency on py-setuptools instead of a DEPENDS
|
2021-10-26 13:31:15 by Nia Alarie | Files touched by this commit (1030) |
Log message:
www: Replace RMD160 checksums with BLAKE2s checksums
All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Not committed (merge conflicts):
www/nghttp2/distinfo
Unfetchable distfiles (almost certainly fetched conditionally...):
./www/nginx-devel/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx-devel/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx-devel/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx-devel/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx-devel/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx-devel/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx-devel/distinfo naxsi-1.3.tar.gz
./www/nginx-devel/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx-devel/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx-devel/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx-devel/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx-devel/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx-devel/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx-devel/distinfo njs-0.5.0.tar.gz
./www/nginx-devel/distinfo set-misc-nginx-module-0.32.tar.gz
./www/nginx/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx/distinfo naxsi-1.3.tar.gz
./www/nginx/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx/distinfo njs-0.5.0.tar.gz
./www/nginx/distinfo set-misc-nginx-module-0.32.tar.gz
|
2021-10-07 17:09:00 by Nia Alarie | Files touched by this commit (1033) |
Log message:
www: Remove SHA1 hashes for distfiles
|
2020-05-13 16:43:28 by Adam Ciarcinski | Files touched by this commit (3) | |
Log message:
py-waitress: updated to 1.4.3
1.4.3 (2020-02-02)
------------------
Security Fixes
~~~~~~~~~~~~~~
- In Waitress version 1.4.2 a new regular expression was added to validate the
headers that Waitress receives to make sure that it matches RFC7230.
Unfortunately the regular expression was written in a way that with invalid
input it leads to catastrophic backtracking which allows for a Denial of
Service and CPU usage going to a 100%.
This was reported by Fil Zembowicz to the Pylons Project. Please see
https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc
for more information.
1.4.2 (2020-01-02)
------------------
Security Fixes
~~~~~~~~~~~~~~
- This is a follow-up to the fix introduced in 1.4.1 to tighten up the way
Waitress strips whitespace from header values. This makes sure Waitress won't
accidentally treat non-printable characters as whitespace and lead to a
potental HTTP request smuggling/splitting security issue.
Thanks to ZeddYu Lu for the extra test cases.
Please see the security advisory for more information:
https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4
CVE-ID: CVE-2019-16789
Bugfixes
~~~~~~~~
- Updated the regex used to validate header-field content to match the errata
that was published for RFC7230.
See: https://www.rfc-editor.org/errata_search.php?rfc=7230&eid=4189
1.4.1 (2019-12-24)
------------------
Security Fixes
~~~~~~~~~~~~~~
- Waitress did not properly validate that the HTTP headers it received were
properly formed, thereby potentially allowing a front-end server to treat a
request different from Waitress. This could lead to HTTP request
smuggling/splitting.
Please see the security advisory for more information:
https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4
CVE-ID: CVE-2019-16789
1.4.0 (2019-12-20)
------------------
Bugfixes
~~~~~~~~
- Waitress used to slam the door shut on HTTP pipelined requests without
setting the ``Connection: close`` header as appropriate in the response. This
is of course not very friendly. Waitress now explicitly sets the header when
responding with an internally generated error such as 400 Bad Request or 500
Internal Server Error to notify the remote client that it will be closing the
connection after the response is sent.
- Waitress no longer allows any spaces to exist between the header field-name
and the colon. While waitress did not strip the space and thereby was not
vulnerable to any potential header field-name confusion, it should have sent
back a 400 Bad Request. See https://github.com/Pylons/waitress/issues/273
Security Fixes
~~~~~~~~~~~~~~
- Waitress implemented a "MAY" part of the RFC7230
(https://tools.ietf.org/html/rfc7230#section-3.5) which states:
Although the line terminator for the start-line and header fields is
the sequence CRLF, a recipient MAY recognize a single LF as a line
terminator and ignore any preceding CR.
Unfortunately if a front-end server does not parse header fields with an LF
the same way as it does those with a CRLF it can lead to the front-end and
the back-end server parsing the same HTTP message in two different ways. This
can lead to a potential for HTTP request smuggling/splitting whereby Waitress
may see two requests while the front-end server only sees a single HTTP
message.
For more information I can highly recommend the blog post by ZeddYu Lu
https://blog.zeddyu.info/2019/12/08/HTTP-Smuggling-en/
Please see the security advisory for more information:
https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p
CVE-ID: CVE-2019-16785
- Waitress used to treat LF the same as CRLF in ``Transfer-Encoding: chunked``
requests, while the maintainer doesn't believe this could lead to a security
issue, this is no longer supported and all chunks are now validated to be
properly framed with CRLF as required by RFC7230.
- Waitress now validates that the ``Transfer-Encoding`` header contains only
transfer codes that it is able to decode. At the moment that includes the
only valid header value being ``chunked``.
That means that if the following header is sent:
``Transfer-Encoding: gzip, chunked``
Waitress will send back a 501 Not Implemented with an error message stating
as such, as while Waitress supports ``chunked`` encoding it does not support
``gzip`` and it is unable to pass that to the underlying WSGI environment
correctly.
Waitress DOES NOT implement support for ``Transfer-Encoding: identity``
eventhough ``identity`` was valid in RFC2616, it was removed in RFC7230.
Please update your clients to remove the ``Transfer-Encoding`` header if the
only transfer coding is ``identity`` or update your client to use
``Transfer-Encoding: chunked`` instead of ``Transfer-Encoding: identity,
chunked``.
Please see the security advisory for more information:
https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p
CVE-ID: CVE-2019-16786
- While validating the ``Transfer-Encoding`` header, Waitress now properly
handles line-folded ``Transfer-Encoding`` headers or those that contain
multiple comma seperated values. This closes a potential issue where a
front-end server may treat the request as being a chunked request (and thus
ignoring the Content-Length) and Waitress using the Content-Length as it was
looking for the single value ``chunked`` and did not support comma seperated
values.
- Waitress used to explicitly set the Content-Length header to 0 if it was
unable to parse it as an integer (for example if the Content-Length header
was sent twice (and thus folded together), or was invalid) thereby allowing
for a potential request to be split and treated as two requests by HTTP
pipelining support in Waitress. If Waitress is now unable to parse the
Content-Length header, a 400 Bad Request is sent back to the client.
Please see the security advisory for more information:
https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6
|
2019-09-13 11:53:30 by Adam Ciarcinski | Files touched by this commit (3) | |
Log message:
py-waitress: updated to 1.3.1
1.3.1:
Bugfixes
- Waitress won't accidentally throw away part of the path if it starts with a
double slash (GET //testing/whatever HTTP/1.0). WSGI applications will
now receive a PATH_INFO in the environment that contains
//testing/whatever as required.
|
2019-07-03 22:36:51 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
py-waitress: updated to 1.3.0
1.3.0:
Deprecations
- The send_bytes adjustment now defaults to 1 and is deprecated
pending removal in a future release.
Features
- Add a new outbuf_high_watermark adjustment which is used to apply
backpressure on the app_iter to avoid letting it spin faster than data
can be written to the socket. This stabilizes responses that iterate quickly
with a lot of data.
- Stop early and close the app_iter when attempting to write to a closed
socket due to a client disconnect. This should notify a long-lived streaming
response when a client hangs up.
- Adjust the flush to output SO_SNDBUF bytes instead of whatever was
set in the send_bytes adjustment. send_bytes now only controls how
much waitress will buffer internally before flushing to the kernel, whereas
previously it used to also throttle how much data was sent to the kernel.
This change enables a streaming app_iter containing small chunks to
still be flushed efficiently.
Bugfixes
- Upon receiving a request that does not include HTTP/1.0 or HTTP/1.1 we will
no longer set the version to the string value "None". See
- When a client closes a socket unexpectedly there was potential for memory
leaks in which data was written to the buffers after they were closed,
causing them to reopen.
- Fix the queue depth warnings to only show when all threads are busy.
- Trigger the app_iter to close as part of shutdown. This will only be
noticeable for users of the internal server api. In more typical operations
the server will die before benefiting from these changes.
- Fix a bug in which a streaming app_iter may never cleanup data that has
already been sent. This would cause buffers in waitress to grow without
bounds. These buffers now properly rotate and release their data.
- Fix a bug in which non-seekable subclasses of io.IOBase would trigger
an exception when passed to the wsgi.file_wrapper callback.
|