Up to [cvs.NetBSD.org] / pkgsrc / www / py-waitress
Default branch: MAIN
Revision 1.12, Wed Aug 24 09:25:57 2022 UTC (15 months, 1 week ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2023Q3-base, pkgsrc-2023Q3, pkgsrc-2023Q2-base, pkgsrc-2023Q2, pkgsrc-2023Q1-base, pkgsrc-2023Q1, pkgsrc-2022Q4-base, pkgsrc-2022Q4, pkgsrc-2022Q3-base, pkgsrc-2022Q3, HEAD
Changes since 1.11: +4 -2 lines
*: use coverage from versioned_dependencies.mk
Revision 1.11, Wed Jan 5 15:41:31 2022 UTC (22 months, 4 weeks ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2022Q2-base, pkgsrc-2022Q2, pkgsrc-2022Q1-base, pkgsrc-2022Q1
Changes since 1.10: +4 -2 lines
python: egg.mk: add USE_PKG_RESOURCES flag

This flag should be set for packages that import pkg_resources and thus need setuptools after the build step.

Set this flag for packages that need it and bump PKGREVISION.
Revision 1.10, Tue Jan 4 20:55:37 2022 UTC (22 months, 4 weeks ago) by wiz
Branch: MAIN
Changes since 1.9: +2 -1 lines
*: bump PKGREVISION for egg.mk users

They now have a tool dependency on py-setuptools instead of a DEPENDS
Revision 1.9, Wed May 13 14:43:28 2020 UTC (3 years, 6 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2021Q4-base, pkgsrc-2021Q4, pkgsrc-2021Q3-base, pkgsrc-2021Q3, pkgsrc-2021Q2-base, pkgsrc-2021Q2, pkgsrc-2021Q1-base, pkgsrc-2021Q1, pkgsrc-2020Q4-base, pkgsrc-2020Q4, pkgsrc-2020Q3-base, pkgsrc-2020Q3, pkgsrc-2020Q2-base, pkgsrc-2020Q2
Changes since 1.8: +3 -3 lines
py-waitress: updated to 1.4.3

1.4.3 (2020-02-02)
------------------

Security Fixes
~~~~~~~~~~~~~~

- In Waitress version 1.4.2 a new regular expression was added to validate the headers that Waitress receives to make sure that it matches RFC7230. Unfortunately the regular expression was written in a way that with invalid input it leads to catastrophic backtracking which allows for a Denial of Service and CPU usage going to a 100%.

  This was reported by Fil Zembowicz to the Pylons Project. Please see https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc for more information.

1.4.2 (2020-01-02)
------------------

Security Fixes
~~~~~~~~~~~~~~

- This is a follow-up to the fix introduced in 1.4.1 to tighten up the way Waitress strips whitespace from header values. This makes sure Waitress won't accidentally treat non-printable characters as whitespace and lead to a potential HTTP request smuggling/splitting security issue.

  Thanks to ZeddYu Lu for the extra test cases.

  Please see the security advisory for more information: https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4

  CVE-ID: CVE-2019-16789

Bugfixes
~~~~~~~~

- Updated the regex used to validate header-field content to match the errata that was published for RFC7230. See: https://www.rfc-editor.org/errata_search.php?rfc=7230&eid=4189

1.4.1 (2019-12-24)
------------------

Security Fixes
~~~~~~~~~~~~~~

- Waitress did not properly validate that the HTTP headers it received were properly formed, thereby potentially allowing a front-end server to treat a request different from Waitress. This could lead to HTTP request smuggling/splitting.

  Please see the security advisory for more information: https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4

  CVE-ID: CVE-2019-16789

1.4.0 (2019-12-20)
------------------

Bugfixes
~~~~~~~~

- Waitress used to slam the door shut on HTTP pipelined requests without setting the ``Connection: close`` header as appropriate in the response. This is of course not very friendly. Waitress now explicitly sets the header when responding with an internally generated error such as 400 Bad Request or 500 Internal Server Error to notify the remote client that it will be closing the connection after the response is sent.

- Waitress no longer allows any spaces to exist between the header field-name and the colon. While waitress did not strip the space and thereby was not vulnerable to any potential header field-name confusion, it should have sent back a 400 Bad Request. See https://github.com/Pylons/waitress/issues/273

Security Fixes
~~~~~~~~~~~~~~

- Waitress implemented a "MAY" part of the RFC7230 (https://tools.ietf.org/html/rfc7230#section-3.5) which states:

      Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR.

  Unfortunately if a front-end server does not parse header fields with an LF the same way as it does those with a CRLF it can lead to the front-end and the back-end server parsing the same HTTP message in two different ways. This can lead to a potential for HTTP request smuggling/splitting whereby Waitress may see two requests while the front-end server only sees a single HTTP message.

  For more information I can highly recommend the blog post by ZeddYu Lu https://blog.zeddyu.info/2019/12/08/HTTP-Smuggling-en/

  Please see the security advisory for more information: https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p

  CVE-ID: CVE-2019-16785

- Waitress used to treat LF the same as CRLF in ``Transfer-Encoding: chunked`` requests, while the maintainer doesn't believe this could lead to a security issue, this is no longer supported and all chunks are now validated to be properly framed with CRLF as required by RFC7230.

- Waitress now validates that the ``Transfer-Encoding`` header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being ``chunked``.

  That means that if the following header is sent:

  ``Transfer-Encoding: gzip, chunked``

  Waitress will send back a 501 Not Implemented with an error message stating as such, as while Waitress supports ``chunked`` encoding it does not support ``gzip`` and it is unable to pass that to the underlying WSGI environment correctly.

  Waitress DOES NOT implement support for ``Transfer-Encoding: identity`` even though ``identity`` was valid in RFC2616, it was removed in RFC7230. Please update your clients to remove the ``Transfer-Encoding`` header if the only transfer coding is ``identity`` or update your client to use ``Transfer-Encoding: chunked`` instead of ``Transfer-Encoding: identity, chunked``.

  Please see the security advisory for more information: https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p

  CVE-ID: CVE-2019-16786

- While validating the ``Transfer-Encoding`` header, Waitress now properly handles line-folded ``Transfer-Encoding`` headers or those that contain multiple comma separated values. This closes a potential issue where a front-end server may treat the request as being a chunked request (and thus ignoring the Content-Length) and Waitress using the Content-Length as it was looking for the single value ``chunked`` and did not support comma separated values.

- Waitress used to explicitly set the Content-Length header to 0 if it was unable to parse it as an integer (for example if the Content-Length header was sent twice (and thus folded together), or was invalid) thereby allowing for a potential request to be split and treated as two requests by HTTP pipelining support in Waitress. If Waitress is now unable to parse the Content-Length header, a 400 Bad Request is sent back to the client.

  Please see the security advisory for more information: https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6
Revision 1.8, Fri Sep 13 09:53:30 2019 UTC (4 years, 2 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base, pkgsrc-2020Q1, pkgsrc-2019Q4-base, pkgsrc-2019Q4, pkgsrc-2019Q3-base, pkgsrc-2019Q3
Changes since 1.7: +2 -2 lines
py-waitress: updated to 1.3.1

1.3.1:

Bugfixes
- Waitress won't accidentally throw away part of the path if it starts with a double slash (GET //testing/whatever HTTP/1.0). WSGI applications will now receive a PATH_INFO in the environment that contains //testing/whatever as required.
Revision 1.7, Wed Jul 3 20:36:51 2019 UTC (4 years, 5 months ago) by adam
Branch: MAIN
Changes since 1.6: +2 -2 lines
py-waitress: updated to 1.3.0

1.3.0:

Deprecations
- The send_bytes adjustment now defaults to 1 and is deprecated pending removal in a future release.

Features
- Add a new outbuf_high_watermark adjustment which is used to apply backpressure on the app_iter to avoid letting it spin faster than data can be written to the socket. This stabilizes responses that iterate quickly with a lot of data.
- Stop early and close the app_iter when attempting to write to a closed socket due to a client disconnect. This should notify a long-lived streaming response when a client hangs up.
- Adjust the flush to output SO_SNDBUF bytes instead of whatever was set in the send_bytes adjustment. send_bytes now only controls how much waitress will buffer internally before flushing to the kernel, whereas previously it used to also throttle how much data was sent to the kernel. This change enables a streaming app_iter containing small chunks to still be flushed efficiently.

Bugfixes
- Upon receiving a request that does not include HTTP/1.0 or HTTP/1.1 we will no longer set the version to the string value "None". See
- When a client closes a socket unexpectedly there was potential for memory leaks in which data was written to the buffers after they were closed, causing them to reopen.
- Fix the queue depth warnings to only show when all threads are busy.
- Trigger the app_iter to close as part of shutdown. This will only be noticeable for users of the internal server api. In more typical operations the server will die before benefiting from these changes.
- Fix a bug in which a streaming app_iter may never cleanup data that has already been sent. This would cause buffers in waitress to grow without bounds. These buffers now properly rotate and release their data.
- Fix a bug in which non-seekable subclasses of io.IOBase would trigger an exception when passed to the wsgi.file_wrapper callback.
Revision 1.6, Tue Jan 29 14:30:03 2019 UTC (4 years, 10 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2019Q2-base, pkgsrc-2019Q2, pkgsrc-2019Q1-base, pkgsrc-2019Q1
Changes since 1.5: +2 -2 lines
py-waitress: updated to 1.2.1

1.2.1:

Bugfixes
- When given an IPv6 address in X-Forwarded-For or Forwarded for= waitress was placing the IP address in REMOTE_ADDR with brackets: [2001:db8::0], this does not match the requirements in the CGI spec which REMOTE_ADDR was lifted from. Waitress will now place the bare IPv6 address in REMOTE_ADDR: 2001:db8::0.
Revision 1.5, Sun Jan 20 13:20:02 2019 UTC (4 years, 10 months ago) by adam
Branch: MAIN
Changes since 1.4: +5 -5 lines
py-waitress: updated to 1.2.0

1.2.0:

No changes since the last beta release. Enjoy Waitress!

1.2.0b3:

Bugfixes
- Modified clear_untrusted_proxy_headers to be usable without a trusted_proxy.
- Modified trusted_proxy_count to error when used without a trusted_proxy.

1.2.0b2:

Bugfixes
- Fixed logic to no longer warn on writes where the output is required to have a body but there may not be any data to be written. Solves issue posted on the Pylons Project mailing list with 1.2.0b1.

1.2.0b1:

Happy New Year!

Features
- Setting the trusted_proxy setting to '*' (wildcard) will allow all upstreams to be considered trusted proxies, thereby allowing services behind Cloudflare/ELBs to function correctly whereby there may not be a singular IP address that requests are received from. Using this setting is potentially dangerous if your server is also available from anywhere on the internet, and further protections should be used to lock down access to Waitress.
- Waitress has increased its support of the X-Forwarded-* headers and includes Forwarded (RFC7239) support. This may be used to allow proxy servers to influence the WSGI environment. This also provides a new security feature when using Waitress behind a proxy in that it is possible to remove untrusted proxy headers thereby making sure that downstream WSGI applications don't accidentally use those proxy headers to make security decisions. The documentation has more information, see the following new arguments:
  - trusted_proxy_count
  - trusted_proxy_headers
  - clear_untrusted_proxy_headers
  - log_untrusted_proxy_headers (useful for debugging)

  Be aware that the defaults for these are currently backwards compatible with older versions of Waitress, this will change in a future release of waitress. If you expect to need this behaviour please explicitly set these variables in your configuration, or pin this version of waitress.

  Documentation: https://docs.pylonsproject.org/projects/waitress/en/latest/reverse-proxy.html
- Waitress can now accept a list of sockets that are already pre-bound rather than creating its own to allow for socket activation. Support for init systems/other systems that create said activated sockets is not included.
- Server header can be omitted by specifying ident=None or ident=''.

Bugfixes
- Waitress will no longer send Transfer-Encoding or Content-Length for 1xx, 204, or 304 responses, and will completely ignore any message body sent by the WSGI application, making sure to follow the HTTP standard.

Compatibility
- Waitress has now "vendored" asyncore into itself as waitress.wasyncore. This is to cope with the eventuality that asyncore will be removed from the Python standard library in 3.8 or so.

Documentation
- Bring in documentation of paste.translogger from Pyramid. Reorganize and clean up documentation.
Revision 1.4, Mon Oct 16 12:07:24 2017 UTC (6 years, 1 month ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2018Q4-base, pkgsrc-2018Q4, pkgsrc-2018Q3-base, pkgsrc-2018Q3, pkgsrc-2018Q2-base, pkgsrc-2018Q2, pkgsrc-2018Q1-base, pkgsrc-2018Q1, pkgsrc-2017Q4-base, pkgsrc-2017Q4
Changes since 1.3: +2 -2 lines
py-waitress: update to 1.1.0

1.1.0:

Features
* Waitress now has a __main__ and thus may be called with python -mwaitress

Bugfixes
* Waitress no longer allows lowercase HTTP verbs. This change was made to fall in line with most HTTP servers.
* When receiving non-ascii bytes in the request URL, waitress will no longer abruptly close the connection, instead returning a 400 Bad Request.
Revision 1.3, Sun Jul 9 21:24:24 2017 UTC (6 years, 4 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2017Q3-base, pkgsrc-2017Q3
Changes since 1.2: +9 -2 lines
1.0.2:

Features
- Python 3.6 is now officially supported in Waitress

Bugfixes
- Add a work-around for libc issue on Linux not following the documented standards. If getnameinfo() fails because of DNS not being available it should return the IP address instead of the reverse DNS entry, however instead getnameinfo() raises. We catch this, and ask getnameinfo() for the same information again, explicitly asking for IP address instead of reverse DNS hostname.
Revision 1.2, Wed Jun 8 17:43:43 2016 UTC (7 years, 5 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2017Q2-base, pkgsrc-2017Q2, pkgsrc-2017Q1-base, pkgsrc-2017Q1, pkgsrc-2016Q4-base, pkgsrc-2016Q4, pkgsrc-2016Q3-base, pkgsrc-2016Q3, pkgsrc-2016Q2-base, pkgsrc-2016Q2
Changes since 1.1: +2 -2 lines
Switch to MASTER_SITES_PYPI.
Revision 1.1, Wed Jul 15 18:23:55 2015 UTC (8 years, 4 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2016Q1-base, pkgsrc-2016Q1, pkgsrc-2015Q4-base, pkgsrc-2015Q4, pkgsrc-2015Q3-base, pkgsrc-2015Q3
Import py-waitress-0.8.9 as www/py-waitress.

Waitress is meant to be a production-quality pure-Python WSGI server with very acceptable performance. It has no dependencies except ones which live in the Python standard library. It supports HTTP/1.0 and HTTP/1.1.