Pheonix-waitress

Latest version: v2.1.1.2

Page 1 of 7

2.1.1
-----

Security Bugfix
~~~~~~~~~~~~~~~

- Waitress now validates that chunked encoding extensions are well formed and do
not contain characters that are not allowed. The extensions are still
skipped/not processed, but if they contain invalid data Waitress no longer
continues and instead returns a 400 Bad Request. This stops potential HTTP
desync/HTTP request smuggling. Thanks to Zhang Zeyu for reporting this issue.
See https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36

- Waitress now validates that the chunk length contains only valid hex digits
when parsing chunked encoding; values such as ``0x01`` and ``+01`` are no
longer accepted. This stops potential HTTP desync/HTTP request smuggling.
Thanks to Zhang Zeyu for reporting this issue. See
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36

- Waitress now validates that the Content-Length sent by a remote client
contains only digits, in accordance with RFC7230, and returns a 400 Bad
Request when the Content-Length header contains invalid data such as ``+10``,
which previously was parsed as ``10`` and accepted. This stops potential HTTP
desync/HTTP request smuggling. Thanks to Zhang Zeyu for reporting this issue.
See https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
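The three fixes above share one root cause: handing request bytes to Python's
``int()`` accepts far more than the RFC 7230 grammar does (a ``0x`` prefix, a
sign, surrounding whitespace, ``_`` separators), and a front-end proxy that
reads the same bytes strictly will disagree with the back end about where a
message ends, which is the desync condition. The following is an added example,
not code from the Waitress project: it puts the lenient ``int()`` behaviour
next to a strict parse of ``chunk-size``, ``chunk-ext`` and ``Content-Length``.
The grammar in the comments is RFC 7230's; the function names, the
``BadRequest`` exception and the sample inputs are this example's own.

```python
import re

# Grammar from RFC 7230 (section 4.1 for chunks, 3.3.2 for Content-Length):
#   chunk-size     = 1*HEXDIG
#   chunk-ext      = *( ";" chunk-ext-name [ "=" chunk-ext-val ] )
#   chunk-ext-name = token
#   chunk-ext-val  = token / quoted-string
#   Content-Length = 1*DIGIT
# Bytes patterns, applied with fullmatch() so that a stray trailing newline
# cannot slip past a "$" anchor.
HEXDIG = re.compile(rb"[0-9A-Fa-f]+")
DIGIT = re.compile(rb"[0-9]+")
TCHAR = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
# quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE; qdtext and
# quoted-pair both include obs-text (0x80-0xFF).
QUOTED_STRING = rb'"(?:[\t !#-\[\]-~\x80-\xff]|\\[\t -~\x80-\xff])*"'
CHUNK_EXT = re.compile(
    rb"(?:;" + TCHAR + rb"+(?:=(?:" + TCHAR + rb"+|" + QUOTED_STRING + rb"))?)*"
)


class BadRequest(ValueError):
    """Raised where a server should answer 400 Bad Request."""


def lenient_chunk_size(line: bytes) -> int:
    """Lenient behaviour: hand the text before ';' straight to int(..., 16).

    int() accepts a '0x' prefix, a sign, surrounding whitespace and '_'
    digit separators, none of which is a HEXDIG.
    """
    return int(line.split(b";", 1)[0], 16)


def lenient_content_length(value: bytes) -> int:
    """Lenient behaviour: int() turns b'+10' into 10."""
    return int(value)


def parse_chunk_size(line: bytes) -> int:
    """Strictly parse one chunk-size line (CRLF already removed).

    Extensions are validated but otherwise ignored, as the changelog describes.
    """
    size, sep, ext = line.partition(b";")
    if not HEXDIG.fullmatch(size):
        raise BadRequest("chunk-size must be 1*HEXDIG")
    if sep and not CHUNK_EXT.fullmatch(sep + ext):
        raise BadRequest("malformed chunk extension")
    return int(size, 16)


def parse_content_length(value: bytes) -> int:
    """Strictly parse a Content-Length field value (OWS already removed)."""
    if not DIGIT.fullmatch(value):
        raise BadRequest("Content-Length must be 1*DIGIT")
    return int(value)


def strict_rejects(parser, value: bytes) -> bool:
    """True if the strict parser would answer 400 for this value."""
    try:
        parser(value)
    except BadRequest:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: each is accepted by the lenient parser and rejected
    # by the strict one, which is exactly the disagreement a front-end proxy
    # and a back-end server must never have.
    for raw in (b"0x01", b"+01", b" 1 ", b"1_0"):
        print(raw, "lenient ->", lenient_chunk_size(raw),
              "strict rejects ->", strict_rejects(parse_chunk_size, raw))
    for raw in (b"+10", b" 10"):
        print(raw, "lenient ->", lenient_content_length(raw),
              "strict rejects ->", strict_rejects(parse_content_length, raw))
```

The strict parser follows RFC 7230 literally, which has no whitespace around
``;`` or ``=`` in ``chunk-ext``; RFC 9112 later allowed BWS there, so a
server targeting the newer text would relax ``CHUNK_EXT`` accordingly while
keeping ``chunk-size`` and ``Content-Length`` exactly as strict.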

2.1.0
-----

Python Version Support
~~~~~~~~~~~~~~~~~~~~~~

- Python 3.6 is no longer supported by Waitress

- Python 3.10 is fully supported by Waitress

Bugfix
~~~~~~

- ``wsgi.file_wrapper`` now sets the ``seekable``, ``seek``, and ``tell``
attributes from the underlying file if the underlying file is seekable. This
allows WSGI middleware to implement things like range requests for example

See https://github.com/Pylons/waitress/issues/359 and
https://github.com/Pylons/waitress/pull/363

- In Python 3 ``OSError`` is no longer subscriptable; this caused failures on
Windows when looping to find a socket that would work for use in the
trigger.

See https://github.com/Pylons/waitress/pull/361

- Fixed an issue whereby ``BytesIO`` objects were not properly closed, and
thereby would not get cleaned up until garbage collection would get around to
it.

This led to the potential for random memory spikes/memory issues, see
https://github.com/Pylons/waitress/pull/358 and
https://github.com/Pylons/waitress/issues/357.

With thanks to Florian Schulze for testing/validating this fix!

Features
~~~~~~~~

- When the WSGI app starts sending data to the output buffer, we now attempt to
send data directly to the socket. This avoids needing to wake up the main
thread to start sending data, allowing faster transmission of the first byte.
See https://github.com/Pylons/waitress/pull/364

With thanks to Michael Merickel for being a great rubber ducky!

- Add REQUEST_URI to the WSGI environment.

REQUEST_URI is similar to ``request_uri`` in nginx. It is a string that
contains the request path before separating the query string and
decoding ``%``-escaped characters.

2.0.0
-----

Friendly Reminder
~~~~~~~~~~~~~~~~~

This release still contains a variety of deprecation notices about defaults
that can be set for a variety of options.

Please note that this is your last warning, and you should update your
configuration if you do NOT want to use the new defaults.

See the arguments documentation page for all supported options, and pay
attention to the warnings:

https://docs.pylonsproject.org/projects/waitress/en/stable/arguments.html

Without further ado, here's a short list of great changes thanks to our
contributors!

Bugfixes/Features
~~~~~~~~~~~~~~~~~

- Fix a crash on startup when listening to multiple interfaces.
See https://github.com/Pylons/waitress/pull/332

- Waitress no longer attempts to guess what the ``server_name`` should be for
a listen socket; instead it always uses a new adjustment/argument named
``server_name``.

Please see the documentation for ``server_name`` in
https://docs.pylonsproject.org/projects/waitress/en/latest/arguments.html and
see https://github.com/Pylons/waitress/pull/329

- Allow tasks to notice if the client disconnected.

This inserts a callable ``waitress.client_disconnected`` into the environment
that allows the task to check if the client disconnected while waiting for
the response at strategic points in the execution and to cancel the
operation.

It requires setting the new adjustment ``channel_request_lookahead`` to a value
larger than 0, which continues to read requests from a channel even if a
request is already being processed on that channel, up to the given count,
since a client disconnect is detected by reading from a readable socket and
receiving an empty result.

See https://github.com/Pylons/waitress/pull/310

- Drop Python 2.7 and 3.5 support

- The server now issues warning output when there are enough open connections
(controlled by ``connection_limit``) that it is no longer accepting new
connections. This situation was previously difficult to diagnose.
See https://github.com/Pylons/waitress/pull/322
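The ``waitress.client_disconnected`` bullet above describes the mechanism but
not where an application would use it. The following is an added example, not
code from the Waitress project: a WSGI app that produces an expensive response
in steps and checks the callable before each step, so work stops once the
client has gone. The environ built in ``simulate`` is constructed for offline
use and stands in for a real disconnect; the host and port in the ``serve``
call are placeholders. The ``waitress.client_disconnected`` key and the
``channel_request_lookahead`` adjustment are the ones the changelog names.

```python
import time


def expensive_report(environ, steps=10, step_seconds=0.0):
    """Produce the response body in steps, giving up once the client is gone.

    Returns the chunks actually produced, so a caller (or a test) can see how
    far the work got before the disconnect was noticed. Outside Waitress, or
    with channel_request_lookahead left at 0, the key is absent or never
    reports a disconnect and the full report is produced.
    """
    client_disconnected = environ.get("waitress.client_disconnected", lambda: False)
    chunks = []
    for i in range(steps):
        # Strategic point: check before paying for the next unit of work.
        if client_disconnected():
            break
        time.sleep(step_seconds)
        chunks.append(f"row {i}\n".encode())
    return chunks


def app(environ, start_response):
    """Minimal WSGI application wrapping expensive_report."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return expensive_report(environ)


def simulate(disconnect_after, steps=10):
    """Run expensive_report against a constructed environ.

    The fake waitress.client_disconnected starts returning True after
    `disconnect_after` calls, which is what a client going away mid-request
    looks like to the application.
    """
    calls = [0]

    def client_disconnected():
        calls[0] += 1
        return calls[0] > disconnect_after

    return expensive_report({"waitress.client_disconnected": client_disconnected}, steps)


if __name__ == "__main__":
    from waitress import serve

    # channel_request_lookahead must be greater than 0; otherwise Waitress does
    # not read the socket while a request is in flight and the callable can
    # never observe the disconnect.
    serve(app, host="127.0.0.1", port=8080, channel_request_lookahead=1)
```

The check is deliberately placed before each unit of work rather than after:
a disconnect detected after the step has already been paid for saves nothing
for that step.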

1.4.4
-----

- Fix an issue with keep-alive connections in which memory usage was higher
than expected because output buffers were being reused across requests on
a long-lived connection and each buffer would not be freed until it was full
or the connection was closed. Buffers are now rotated per-request to
stabilize their behavior.

See https://github.com/Pylons/waitress/pull/300

- Waitress threads have been updated to contain their thread number. This will
allow loggers that use that information to print the thread that the log is
coming from.

See https://github.com/Pylons/waitress/pull/302

1.4.3
-----

Security Fixes
~~~~~~~~~~~~~~

- In Waitress version 1.4.2 a new regular expression was added to validate the
headers that Waitress receives, to make sure that they match RFC7230.
Unfortunately the regular expression was written in a way that, with invalid
input, leads to catastrophic backtracking, which allows for a Denial of
Service with CPU usage going to 100%.

This was reported by Fil Zembowicz to the Pylons Project. Please see
https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc
for more information.

1.4.2
-----

Security Fixes
~~~~~~~~~~~~~~

- This is a follow-up to the fix introduced in 1.4.1 to tighten up the way
Waitress strips whitespace from header values. This makes sure Waitress won't
accidentally treat non-printable characters as whitespace, which could lead to a
potential HTTP request smuggling/splitting security issue.

Thanks to ZeddYu Lu for the extra test cases.

Please see the security advisory for more information:
https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4

CVE-ID: CVE-2019-16789
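The whitespace point above is easy to get wrong in Python because
``bytes.strip()`` with no argument removes ASCII whitespace, which includes
VT (0x0B) and FF (0x0C), while RFC 7230 only allows SP and HTAB (OWS) around a
field value. The following is an added example, not Waitress's own code: it
puts the lenient ``strip()`` next to a strict version that removes only OWS and
then requires the remainder to be a valid ``field-value`` (using the errata
4189 form of ``field-content``). The function names, ``BadRequest`` and the
sample values are this example's own.

```python
import re

# RFC 7230 section 3.2.3: OWS = *( SP / HTAB ). These two bytes are the only
# whitespace a parser may strip around a field value.
OWS = b" \t"

# field-value with the RFC 7230 errata 4189 form of field-content, applied to
# a value whose surrounding OWS has already been removed:
#   field-content = field-vchar [ 1*( SP / HTAB / field-vchar ) field-vchar ]
#   field-vchar   = VCHAR / obs-text        (0x21-0x7E, 0x80-0xFF)
# There are no nested quantifiers, so matching is linear in the input length.
FIELD_VALUE = re.compile(
    rb"(?:[\x21-\x7e\x80-\xff](?:[ \t\x21-\x7e\x80-\xff]*[\x21-\x7e\x80-\xff])?)?"
)


class BadRequest(ValueError):
    """Raised where a server should answer 400 Bad Request."""


def lenient_header_value(raw: bytes) -> bytes:
    """Lenient behaviour: bytes.strip() with no argument.

    Without an argument strip() removes ASCII whitespace, which includes
    VT (0x0B) and FF (0x0C). Neither is OWS, so a value such as b'10\\x0b'
    is quietly turned into b'10' while a stricter peer would reject it.
    """
    return raw.strip()


def strict_header_value(raw: bytes) -> bytes:
    """Strip only SP/HTAB, then require the remainder to be a valid field-value."""
    value = raw.strip(OWS)
    if not FIELD_VALUE.fullmatch(value):
        raise BadRequest("invalid character in header field value")
    return value


def strict_rejects(raw: bytes) -> bool:
    """True if the strict parser would answer 400 for this value."""
    try:
        strict_header_value(raw)
    except BadRequest:
        return True
    return False


if __name__ == "__main__":
    # Constructed header values; the ones carrying control bytes are the cases
    # on which the lenient and strict parsers disagree.
    for raw in (b" 10 ", b"10\x0b", b"\x0c10", b"text/html;\tcharset=utf-8"):
        print(raw, "lenient ->", lenient_header_value(raw),
              "strict rejects ->", strict_rejects(raw))
```

Rejecting rather than silently stripping is the safer choice here: two
parsers that both reject agree, whereas a lenient one and a strict one
produce different values for the same bytes, which is the disagreement
request smuggling relies on.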

Bugfixes
~~~~~~~~

- Updated the regex used to validate header-field content to match the errata
that was published for RFC7230.

See: https://www.rfc-editor.org/errata_search.php?rfc=7230&eid=4189

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.