Skip to content

Commit

Permalink
Prep for 2.1.1
Browse files Browse the repository at this point in the history
  • Loading branch information
digitalresistor committed Mar 16, 2022
1 parent bd22869 commit b28c9e8
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 1 deletion.
26 changes: 26 additions & 0 deletions CHANGES.txt
Original file line number Diff line number Diff line change
@@ -1,3 +1,29 @@
2.1.1
-----

Security Bugfix
~~~~~~~~~~~~~~~

- Waitress now validates that chunked encoding extensions are valid, and don't
contain invalid characters that are not allowed. They are still skipped/not
processed, but if they contain invalid data we no longer continue in and
return a 400 Bad Request. This stops potential HTTP desync/HTTP request
smuggling. Thanks to Zhang Zeyu for reporting this issue. See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36

- Waitress now validates that the chunk length is only valid hex digits when
parsing chunked encoding, and values such as ``0x01`` and ``+01`` are no
longer supported. This stops potential HTTP desync/HTTP request smuggling.
Thanks to Zhang Zeyu for reporting this issue. See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36

- Waitress now validates that the Content-Length sent by a remote contains only
digits in accordance with RFC7230 and will return a 400 Bad Request when the
Content-Length header contains invalid data, such as ``+10`` which would
previously get parsed as ``10`` and accepted. This stops potential HTTP
desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue. See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36

2.1.0
-----

Expand Down
2 changes: 1 addition & 1 deletion setup.cfg
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[metadata]
name = waitress
version = 2.1.0
version = 2.1.1
description = Waitress WSGI server
long_description = file: README.rst, CHANGES.txt
long_description_content_type = text/x-rst
Expand Down

0 comments on commit b28c9e8

Please sign in to comment.