Pheonix-waitress

Latest version: v2.1.1.2


Page 4 of 7

1.0.0
------------------

Bugfixes
~~~~~~~~

- Removed ``AI_ADDRCONFIG`` from the call to ``getaddrinfo``. This resolves an
issue whereby ``getaddrinfo`` would not return any addresses to ``bind`` to on
hosts with no internet connection when binding to localhost was requested.
See https://github.com/Pylons/waitress/issues/131 for more information.

Deprecations
~~~~~~~~~~~~

- Python 2.6 is no longer supported.

Features
~~~~~~~~

- IPv6 support

- Waitress is now able to listen on multiple sockets, including IPv4 and IPv6.
Instead of passing in a host/port combination, you now provide Waitress with a
space-delimited list, and it will create as many sockets as required.

.. code-block:: python

    from waitress import serve

    # Listen on IPv4 port 8080, IPv6 port 9090 and all interfaces on port 6543.
    serve(wsgiapp, listen='0.0.0.0:8080 [::]:9090 *:6543')

Security
~~~~~~~~

- Waitress will now drop HTTP headers that contain an underscore in the key
when received from a client. This stops any underscore/dash conflation that
may lead to security issues. See https://github.com/Pylons/waitress/pull/80
and https://www.djangoproject.com/weblog/2015/jan/13/security/.
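The conflation the item above refers to, shown as an added example that is not waitress's own code: CGI-style environ keys turn ``-`` into ``_``, so a dashed and an underscored header name land on the same key unless underscored names are dropped first (``cgi_key``, ``build_environ`` and the sample headers are assumptions of this example):

```python
# Added example (not waitress code): why a server drops request headers whose
# name contains an underscore. CGI-style environ keys replace '-' with '_', so
# 'X-Forwarded-For' and 'X_Forwarded_For' both become HTTP_X_FORWARDED_FOR and
# a value a proxy set via the dashed name could be overwritten through the
# underscored one. The headers in SAMPLE_HEADERS are constructed.

def cgi_key(name):
    """Map a header name to its WSGI environ key, e.g. X-Foo -> HTTP_X_FOO."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_environ(raw_headers, drop_underscore=True):
    """Build the HTTP_* part of a WSGI environ from (name, value) pairs.

    With drop_underscore=True (the 1.0.0 behaviour) any header whose name
    contains '_' is discarded before it can collide with a dashed header.
    With drop_underscore=False the last header with a given key wins.
    Returns (environ, names_dropped).
    """
    environ = {}
    dropped = []
    for name, value in raw_headers:
        if drop_underscore and "_" in name:
            dropped.append(name)
            continue
        environ[cgi_key(name)] = value
    return environ, dropped


# Constructed request: a proxy-set X-Forwarded-For followed by a client-supplied
# header whose underscored name maps to the same environ key.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("X-Forwarded-For", "203.0.113.7"),
    ("X_Forwarded_For", "10.0.0.1"),
]

if __name__ == "__main__":
    unsafe, _ = build_environ(SAMPLE_HEADERS, drop_underscore=False)
    safe, dropped = build_environ(SAMPLE_HEADERS)
    print("without filtering:", unsafe["HTTP_X_FORWARDED_FOR"])  # 10.0.0.1
    print("with filtering:   ", safe["HTTP_X_FORWARDED_FOR"])  # 203.0.113.7
    print("dropped:", dropped)  # ['X_Forwarded_For']
```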

0.9.0
------------------

Deprecations
~~~~~~~~~~~~

- Python 3.2 is no longer supported by Waitress.

- Python 2.6 will no longer be supported by Waitress in future releases.

Security/Protections
~~~~~~~~~~~~~~~~~~~~

- Building on the changes made in pull request 117, add in checking for line
feed/carriage return HTTP Response Splitting in the status line, as well as
the key of a header. See https://github.com/Pylons/waitress/pull/124 and
https://github.com/Pylons/waitress/issues/122.

- Waitress will no longer accept headers or status lines with
newline/carriage returns in them, thereby disallowing HTTP Response
Splitting. See https://github.com/Pylons/waitress/issues/117 for
more information, as well as
https://www.owasp.org/index.php/HTTP_Response_Splitting.
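The checks described in the two items above, as an added example that is not taken from waitress: the status line and every header name and value are rejected if they contain CR or LF, and a ``start_response`` wrapper applies the same check to any WSGI application (``validate_response``, ``guarded_start_response`` and ``serialize_head`` are names assumed by this example):

```python
# Added example (not waitress code): rejecting CR/LF in the status line and in
# header names and values before a response is serialized, so an injected
# line break cannot terminate the header block early (HTTP response splitting).
# The sample status/header values in __main__ are constructed.

class ResponseSplittingError(ValueError):
    """Raised when a status line or header would split the response."""


def validate_response(status, headers):
    """Return (status, headers) unchanged, or raise ResponseSplittingError.

    Checks the status line, each header name and each header value for
    CR or LF, which is what the 0.9.0 checks cover.
    """
    if "\r" in status or "\n" in status:
        raise ResponseSplittingError("status line contains CR/LF: %r" % (status,))
    for name, value in headers:
        if "\r" in name or "\n" in name:
            raise ResponseSplittingError("header name contains CR/LF: %r" % (name,))
        if "\r" in value or "\n" in value:
            raise ResponseSplittingError("header value contains CR/LF: %r" % (value,))
    return status, headers


def guarded_start_response(inner):
    """Wrap a WSGI start_response so every response is validated first."""
    def start_response(status, headers, exc_info=None):
        validate_response(status, headers)
        return inner(status, headers, exc_info)
    return start_response


def serialize_head(status, headers):
    """Serialize a validated status line and headers as HTTP/1.1 bytes."""
    status, headers = validate_response(status, headers)
    lines = ["HTTP/1.1 " + status] + ["%s: %s" % pair for pair in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


if __name__ == "__main__":
    print(serialize_head("200 OK", [("Content-Type", "text/plain")]))
    # A redirect target taken from untrusted input that carries a line break:
    untrusted = "/next\r\nX-Injected: 1"
    try:
        serialize_head("302 Found", [("Location", untrusted)])
    except ResponseSplittingError as exc:
        print("rejected:", exc)
```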

Bugfixes
~~~~~~~~

- ``FileBasedBuffer`` and, more importantly, ``ReadOnlyFileBasedBuffer`` no longer
report ``False`` when tested with ``bool()``; they now always return ``True`` and
behave more like iterators.
See: https://github.com/Pylons/waitress/pull/82 and
https://github.com/Pylons/waitress/issues/76

- Call prune() on the output buffer at the end of a request so that it doesn't
continue to grow without bounds. See
https://github.com/Pylons/waitress/issues/111 for more information.

0.8.10
-------------------

- Add support for Python 3.4, 3.5b2, and PyPy3.

- Use a non-global asyncore socket map by default, to prevent conflicts with
apps and libraries that use the asyncore global socket map, as in
https://github.com/Pylons/waitress/issues/63. You can get the old
use-global-socket-map behavior back by passing ``asyncore.socket_map`` to the
``create_server`` function as the ``map`` argument.

- Waitress violated PEP 3333 with respect to reraising an exception when
``start_response`` was called with an ``exc_info`` argument. It would
reraise the exception even if no data had been sent to the client. It now
only reraises the exception if data has actually been sent to the client.
See https://github.com/Pylons/waitress/pull/52 and
https://github.com/Pylons/waitress/issues/51

- Add a ``docs`` section to tox.ini that, when run, ensures docs can be built.

- If an ``application`` value of ``None`` is supplied to the ``create_server``
constructor function, a ``ValueError`` is now raised eagerly instead of an error
occurring during runtime. See https://github.com/Pylons/waitress/pull/60

- Fix parsing of multi-line (folded) headers.
See https://github.com/Pylons/waitress/issues/53 and
https://github.com/Pylons/waitress/pull/90

- Switch from the low level Python thread/_thread module to the threading
module.

- Improved exception information should module import go awry.

0.8.9
------------------

- Fix tests under Windows. NB: to run tests under Windows, you cannot run
"setup.py test" or "setup.py nosetests". Instead you must run ``python.exe
-c "import nose; nose.main()"``. If you try to run the tests using the
normal method under Windows, each subprocess created by the test suite will
attempt to run the test suite again. See
https://github.com/nose-devs/nose/issues/407 for more information.

- Give the WSGI app_iter generated when ``wsgi.file_wrapper`` is used
(ReadOnlyFileBasedBuffer) a ``close`` method. Do not call ``close`` on an
instance of such a class when it's used as a WSGI app_iter, however. This is
part of a fix which prevents a leakage of file descriptors; the other part of
the fix was in WebOb
(https://github.com/Pylons/webob/commit/951a41ce57bd853947f842028bccb500bd5237da).

- Allow trusted proxies to override ``wsgi.url_scheme`` via a request header,
``X_FORWARDED_PROTO``. This allows proxies which serve mixed HTTP / HTTPS
requests to signal which requests are served as HTTPS. See
https://github.com/Pylons/waitress/pull/42.

0.8.8
------------------

- Fix some cases where the creation of extremely large output buffers (greater
than 2GB, suspected to be buffers added via ``wsgi.file_wrapper``) might
cause an OverflowError on Python 2. See
https://github.com/Pylons/waitress/issues/47.

- When the ``url_prefix`` adjustment starts with more than one slash, all
slashes except one will be stripped from its beginning. This differs from
older behavior where more than one leading slash would be preserved in
``url_prefix``.

- If a client somehow manages to send an empty path, we no longer convert the
empty path to a single slash in ``PATH_INFO``. Instead, the path remains
empty. According to RFC 2616 section "5.1.2 Request-URI", the scenario of a
client sending an empty path is actually not possible because the request URI
portion cannot be empty.

- If the ``url_prefix`` adjustment matches the request path exactly, we now
compute ``SCRIPT_NAME`` and ``PATH_INFO`` properly. Previously, if the
``url_prefix`` was ``/foo`` and the path received from a client was ``/foo``,
we would set *both* ``SCRIPT_NAME`` and ``PATH_INFO`` to ``/foo``. This was
incorrect. Now in such a case we set ``PATH_INFO`` to the empty string and
we set ``SCRIPT_NAME`` to ``/foo``. Note that the change we made has no
effect on paths that do not match the ``url_prefix`` exactly (such as
``/foo/bar``); these continue to operate as they did. See
https://github.com/Pylons/waitress/issues/46

- Preserve header ordering of headers with the same name as per RFC 2616. See
https://github.com/Pylons/waitress/pull/44

- When waitress receives a ``Transfer-Encoding: chunked`` request, we no longer
send the ``TRANSFER_ENCODING`` nor the ``HTTP_TRANSFER_ENCODING`` value to
the application in the environment. Instead, we pop this header. Since we
cope with chunked requests by buffering the data in the server, we also know
when a chunked request has ended, and therefore we know the content length.
We set the content-length header in the environment, such that applications
effectively never know the original request was a T-E: chunked request; it
will appear to them as if the request is a non-chunked request with an
accurate content-length.

- Cope with the fact that the ``Transfer-Encoding`` value is case-insensitive.

- When the ``--unix-socket-perms`` option was used as an argument to
``waitress-serve``, a ``TypeError`` would be raised. See
https://github.com/Pylons/waitress/issues/50.
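The chunked-request handling described in the 0.8.8 notes above (decode and buffer the body, drop the ``Transfer-Encoding`` header from the environ, hand the application an accurate ``CONTENT_LENGTH``, and match the header value case-insensitively), as an added example that is not waitress's own code. ``decode_chunked``, ``body_environ`` and the sample request body are assumptions of this example; chunk trailers are ignored, and a non-chunked body's ``CONTENT_LENGTH`` is taken from its buffered length.

```python
# Added example (not waitress code): a chunked request body is decoded and
# buffered in full, the Transfer-Encoding header is dropped from the environ,
# and CONTENT_LENGTH is set to the decoded size, matching the 0.8.8 notes.
# Simplifications of this example (not waitress behaviour): chunk trailers
# are ignored and a non-chunked body's CONTENT_LENGTH is its buffered length.

def decode_chunked(body):
    """Decode an HTTP/1.1 chunked body; raise ValueError on bad framing."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("missing chunk-size line")
        size_field = body[pos:end].split(b";", 1)[0].strip()  # drop extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError("bad chunk size %r" % (size_field,))
        pos = end + 2
        if size == 0:
            return bytes(out)  # last chunk; any trailer section is ignored
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += chunk
        pos += size + 2


def body_environ(headers, body):
    """Return (environ, body) for (name, value) headers as sent by a client."""
    env = {}
    chunked = False
    for name, value in headers:
        key = name.upper().replace("-", "_")
        # Transfer-Encoding is matched case-insensitively and, when chunked,
        # popped so the application never sees HTTP_TRANSFER_ENCODING.
        if key == "TRANSFER_ENCODING" and value.strip().lower() == "chunked":
            chunked = True
            continue
        env["HTTP_" + key] = value
    if chunked:
        body = decode_chunked(body)
    env["CONTENT_LENGTH"] = str(len(body))  # the app sees an accurate length
    return env, body


# Constructed sample: chunks "Wiki" and "pedia", then the terminating chunk.
SAMPLE_CHUNKED = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
```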

0.8.7
------------------

- The HTTP version of the response returned by waitress when it catches an
exception will now match the HTTP request version.

- Fix: the ``CONNECTION`` header will be exposed as ``HTTP_CONNECTION`` and not
``CONNECTION_TYPE`` (see https://github.com/Pylons/waitress/issues/13).

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.