Changelog
### 2.0.0
```
------------------
Friendly Reminder
~~~~~~~~~~~~~~~~~
This release still contains a variety of deprecation notices about defaults
that can be set for a variety of options.
Please note that this is your last warning, and you should update your
configuration if you do NOT want to use the new defaults.
See the arguments documentation page for all supported options, and pay
attention to the warnings:
https://docs.pylonsproject.org/projects/waitress/en/stable/arguments.html
Without further ado, here's a short list of great changes thanks to our
contributors!
Bugfixes/Features
~~~~~~~~~~~~~~~~~
- Fix a crash on startup when listening to multiple interfaces.
See https://github.com/Pylons/waitress/pull/332
- Waitress no longer attempts to guess at what the ``server_name`` should be for
a listen socket, instead it always use a new adjustment/argument named
``server_name``.
Please see the documentation for ``server_name`` in
https://docs.pylonsproject.org/projects/waitress/en/latest/arguments.html and
see https://github.com/Pylons/waitress/pull/329
- Allow tasks to notice if the client disconnected.
This inserts a callable ``waitress.client_disconnected`` into the environment
that allows the task to check if the client disconnected while waiting for
the response at strategic points in the execution and to cancel the
operation.
It requires setting the new adjustment ``channel_request_lookahead`` to a value
larger than 0, which continues to read requests from a channel even if a
request is already being processed on that channel, up to the given count,
since a client disconnect is detected by reading from a readable socket and
receiving an empty result.
See https://github.com/Pylons/waitress/pull/310
- Drop Python 2.7 and 3.5 support
- The server now issues warning output when it there are enough open
connections (controlled by "connection_limit"), that it is no longer
accepting new connections. This situation was previously difficult to
diagnose.
See https://github.com/Pylons/waitress/pull/322
```
### 1.4.4
```
------------------
- Fix an issue with keep-alive connections in which memory usage was higher
than expected because output buffers were being reused across requests on
a long-lived connection and each buffer would not be freed until it was full
or the connection was closed. Buffers are now rotated per-request to
stabilize their behavior.
See https://github.com/Pylons/waitress/pull/300
- Waitress threads have been updated to contain their thread number. This will
allow loggers that use that information to print the thread that the log is
coming from.
See https://github.com/Pylons/waitress/pull/302
```
### 1.4.3
```
------------------
Security Fixes
~~~~~~~~~~~~~~
- In Waitress version 1.4.2 a new regular expression was added to validate the
headers that Waitress receives to make sure that it matches RFC7230.
Unfortunately the regular expression was written in a way that with invalid
input it leads to catastrophic backtracking which allows for a Denial of
Service and CPU usage going to a 100%.
This was reported by Fil Zembowicz to the Pylons Project. Please see
https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc
for more information.
```
### 1.4.2
```
------------------
Security Fixes
~~~~~~~~~~~~~~
- This is a follow-up to the fix introduced in 1.4.1 to tighten up the way
Waitress strips whitespace from header values. This makes sure Waitress won't
accidentally treat non-printable characters as whitespace and lead to a
potental HTTP request smuggling/splitting security issue.
Thanks to ZeddYu Lu for the extra test cases.
Please see the security advisory for more information:
https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4
CVE-ID: CVE-2019-16789
Bugfixes
~~~~~~~~
- Updated the regex used to validate header-field content to match the errata
that was published for RFC7230.
See: https://www.rfc-editor.org/errata_search.php?rfc=7230&eid=4189
```
### 1.4.1
```
------------------
Security Fixes
~~~~~~~~~~~~~~
- Waitress did not properly validate that the HTTP headers it received were
properly formed, thereby potentially allowing a front-end server to treat a
request different from Waitress. This could lead to HTTP request
smuggling/splitting.
Please see the security advisory for more information:
https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4
CVE-ID: CVE-2019-16789
```
### 1.4.0
```
------------------
Bugfixes
~~~~~~~~
- Waitress used to slam the door shut on HTTP pipelined requests without
setting the ``Connection: close`` header as appropriate in the response. This
is of course not very friendly. Waitress now explicitly sets the header when
responding with an internally generated error such as 400 Bad Request or 500
Internal Server Error to notify the remote client that it will be closing the
connection after the response is sent.
- Waitress no longer allows any spaces to exist between the header field-name
and the colon. While waitress did not strip the space and thereby was not
vulnerable to any potential header field-name confusion, it should have sent
back a 400 Bad Request. See https://github.com/Pylons/waitress/issues/273
Security Fixes
~~~~~~~~~~~~~~
- Waitress implemented a "MAY" part of the RFC7230
(https://tools.ietf.org/html/rfc7230#section-3.5) which states:
Although the line terminator for the start-line and header fields is
the sequence CRLF, a recipient MAY recognize a single LF as a line
terminator and ignore any preceding CR.
Unfortunately if a front-end server does not parse header fields with an LF
the same way as it does those with a CRLF it can lead to the front-end and
the back-end server parsing the same HTTP message in two different ways. This
can lead to a potential for HTTP request smuggling/splitting whereby Waitress
may see two requests while the front-end server only sees a single HTTP
message.
For more information I can highly recommend the blog post by ZeddYu Lu
https://blog.zeddyu.info/2019/12/08/HTTP-Smuggling-en/
Please see the security advisory for more information:
https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p
CVE-ID: CVE-2019-16785
- Waitress used to treat LF the same as CRLF in ``Transfer-Encoding: chunked``
requests, while the maintainer doesn't believe this could lead to a security
issue, this is no longer supported and all chunks are now validated to be
properly framed with CRLF as required by RFC7230.
- Waitress now validates that the ``Transfer-Encoding`` header contains only
transfer codes that it is able to decode. At the moment that includes the
only valid header value being ``chunked``.
That means that if the following header is sent:
``Transfer-Encoding: gzip, chunked``
Waitress will send back a 501 Not Implemented with an error message stating
as such, as while Waitress supports ``chunked`` encoding it does not support
``gzip`` and it is unable to pass that to the underlying WSGI environment
correctly.
Waitress DOES NOT implement support for ``Transfer-Encoding: identity``
eventhough ``identity`` was valid in RFC2616, it was removed in RFC7230.
Please update your clients to remove the ``Transfer-Encoding`` header if the
only transfer coding is ``identity`` or update your client to use
``Transfer-Encoding: chunked`` instead of ``Transfer-Encoding: identity,
chunked``.
Please see the security advisory for more information:
https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p
CVE-ID: CVE-2019-16786
- While validating the ``Transfer-Encoding`` header, Waitress now properly
handles line-folded ``Transfer-Encoding`` headers or those that contain
multiple comma seperated values. This closes a potential issue where a
front-end server may treat the request as being a chunked request (and thus
ignoring the Content-Length) and Waitress using the Content-Length as it was
looking for the single value ``chunked`` and did not support comma seperated
values.
- Waitress used to explicitly set the Content-Length header to 0 if it was
unable to parse it as an integer (for example if the Content-Length header
was sent twice (and thus folded together), or was invalid) thereby allowing
for a potential request to be split and treated as two requests by HTTP
pipelining support in Waitress. If Waitress is now unable to parse the
Content-Length header, a 400 Bad Request is sent back to the client.
Please see the security advisory for more information:
https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6
```
### 1.3.1
```
------------------
Bugfixes
~~~~~~~~
- Waitress won't accidentally throw away part of the path if it starts with a
double slash (``GET //testing/whatever HTTP/1.0``). WSGI applications will
now receive a ``PATH_INFO`` in the environment that contains
``//testing/whatever`` as required. See
https://github.com/Pylons/waitress/issues/260 and
https://github.com/Pylons/waitress/pull/261
```
### 1.3.0
```
------------------
Deprecations
~~~~~~~~~~~~
- The ``send_bytes`` adjustment now defaults to ``1`` and is deprecated
pending removal in a future release.
and https://github.com/Pylons/waitress/pull/246
Features
~~~~~~~~
- Add a new ``outbuf_high_watermark`` adjustment which is used to apply
backpressure on the ``app_iter`` to avoid letting it spin faster than data
can be written to the socket. This stabilizes responses that iterate quickly
with a lot of data.
See https://github.com/Pylons/waitress/pull/242
- Stop early and close the ``app_iter`` when attempting to write to a closed
socket due to a client disconnect. This should notify a long-lived streaming
response when a client hangs up.
See https://github.com/Pylons/waitress/pull/238
and https://github.com/Pylons/waitress/pull/240
and https://github.com/Pylons/waitress/pull/241
- Adjust the flush to output ``SO_SNDBUF`` bytes instead of whatever was
set in the ``send_bytes`` adjustment. ``send_bytes`` now only controls how
much waitress will buffer internally before flushing to the kernel, whereas
previously it used to also throttle how much data was sent to the kernel.
This change enables a streaming ``app_iter`` containing small chunks to
still be flushed efficiently.
See https://github.com/Pylons/waitress/pull/246
Bugfixes
~~~~~~~~
- Upon receiving a request that does not include HTTP/1.0 or HTTP/1.1 we will
no longer set the version to the string value "None". See
https://github.com/Pylons/waitress/pull/252 and
https://github.com/Pylons/waitress/issues/110
- When a client closes a socket unexpectedly there was potential for memory
leaks in which data was written to the buffers after they were closed,
causing them to reopen.
See https://github.com/Pylons/waitress/pull/239
- Fix the queue depth warnings to only show when all threads are busy.
See https://github.com/Pylons/waitress/pull/243
and https://github.com/Pylons/waitress/pull/247
- Trigger the ``app_iter`` to close as part of shutdown. This will only be
noticeable for users of the internal server api. In more typical operations
the server will die before benefiting from these changes.
See https://github.com/Pylons/waitress/pull/245
- Fix a bug in which a streaming ``app_iter`` may never cleanup data that has
already been sent. This would cause buffers in waitress to grow without
bounds. These buffers now properly rotate and release their data.
See https://github.com/Pylons/waitress/pull/242
- Fix a bug in which non-seekable subclasses of ``io.IOBase`` would trigger
an exception when passed to the ``wsgi.file_wrapper`` callback.
See https://github.com/Pylons/waitress/pull/249
```
### 1.2.1
```
------------------
Bugfixes
~~~~~~~~
- When given an IPv6 address in ``X-Forwarded-For`` or ``Forwarded for=``
waitress was placing the IP address in ``REMOTE_ADDR`` with brackets:
``[2001:db8::0]``, this does not match the requirements in the CGI spec which
``REMOTE_ADDR`` was lifted from. Waitress will now place the bare IPv6
address in ``REMOTE_ADDR``: ``2001:db8::0``. See
https://github.com/Pylons/waitress/pull/232 and
https://github.com/Pylons/waitress/issues/230
```
### 1.2.0
```
------------------
No changes since the last beta release. Enjoy Waitress!
```
### 1.2.0b3
```
--------------------
Bugfixes
~~~~~~~~
- Modified ``clear_untrusted_proxy_headers`` to be usable without a
``trusted_proxy``.
https://github.com/Pylons/waitress/pull/228
- Modified ``trusted_proxy_count`` to error when used without a
``trusted_proxy``.
https://github.com/Pylons/waitress/pull/228
```
### 1.2.0b2
```
--------------------
Bugfixes
~~~~~~~~
- Fixed logic to no longer warn on writes where the output is required to have
a body but there may not be any data to be written. Solves issue posted on
the Pylons Project mailing list with 1.2.0b1.
```
### 1.2.0b1
```
--------------------
Happy New Year!
Features
~~~~~~~~
- Setting the ``trusted_proxy`` setting to ``'*'`` (wildcard) will allow all
upstreams to be considered trusted proxies, thereby allowing services behind
Cloudflare/ELBs to function correctly whereby there may not be a singular IP
address that requests are received from.
Using this setting is potentially dangerous if your server is also available
from anywhere on the internet, and further protections should be used to lock
down access to Waitress. See https://github.com/Pylons/waitress/pull/224
- Waitress has increased its support of the X-Forwarded-* headers and includes
Forwarded (RFC7239) support. This may be used to allow proxy servers to
influence the WSGI environment. See
https://github.com/Pylons/waitress/pull/209
This also provides a new security feature when using Waitress behind a proxy
in that it is possible to remove untrusted proxy headers thereby making sure
that downstream WSGI applications don't accidentally use those proxy headers
to make security decisions.
The documentation has more information, see the following new arguments:
- trusted_proxy_count
- trusted_proxy_headers
- clear_untrusted_proxy_headers
- log_untrusted_proxy_headers (useful for debugging)
Be aware that the defaults for these are currently backwards compatible with
older versions of Waitress, this will change in a future release of waitress.
If you expect to need this behaviour please explicitly set these variables in
your configuration, or pin this version of waitress.
Documentation:
https://docs.pylonsproject.org/projects/waitress/en/latest/reverse-proxy.html
- Waitress can now accept a list of sockets that are already pre-bound rather
than creating its own to allow for socket activation. Support for init
systems/other systems that create said activated sockets is not included. See
https://github.com/Pylons/waitress/pull/215
- Server header can be omitted by specifying ``ident=None`` or ``ident=''``.
See https://github.com/Pylons/waitress/pull/187
Bugfixes
~~~~~~~~
- Waitress will no longer send Transfer-Encoding or Content-Length for 1xx,
204, or 304 responses, and will completely ignore any message body sent by
the WSGI application, making sure to follow the HTTP standard. See
https://github.com/Pylons/waitress/pull/166,
https://github.com/Pylons/waitress/issues/165,
https://github.com/Pylons/waitress/issues/152, and
https://github.com/Pylons/waitress/pull/202
Compatibility
~~~~~~~~~~~~~
- Waitress has now "vendored" asyncore into itself as ``waitress.wasyncore``.
This is to cope with the eventuality that asyncore will be removed from
the Python standard library in 3.8 or so.
Documentation
~~~~~~~~~~~~~
- Bring in documentation of paste.translogger from Pyramid. Reorganize and
clean up documentation. See
https://github.com/Pylons/waitress/pull/205
https://github.com/Pylons/waitress/pull/70
https://github.com/Pylons/waitress/pull/206
```
### 1.1.0
```
------------------
Features
~~~~~~~~
- Waitress now has a __main__ and thus may be called with ``python -mwaitress``
Bugfixes
~~~~~~~~
- Waitress no longer allows lowercase HTTP verbs. This change was made to fall
in line with most HTTP servers. See https://github.com/Pylons/waitress/pull/170
- When receiving non-ascii bytes in the request URL, waitress will no longer
abruptly close the connection, instead returning a 400 Bad Request. See
https://github.com/Pylons/waitress/pull/162 and
https://github.com/Pylons/waitress/issues/64
```
### 1.0.2
```
------------------
Features
~~~~~~~~
- Python 3.6 is now officially supported in Waitress
Bugfixes
~~~~~~~~
- Add a work-around for libc issue on Linux not following the documented
standards. If getnameinfo() fails because of DNS not being available it
should return the IP address instead of the reverse DNS entry, however
instead getnameinfo() raises. We catch this, and ask getnameinfo()
for the same information again, explicitly asking for IP address instead of
reverse DNS hostname. See https://github.com/Pylons/waitress/issues/149 and
https://github.com/Pylons/waitress/pull/153
```
### 1.0.1
```
------------------
Bugfixes
~~~~~~~~
- IPv6 support on Windows was broken due to missing constants in the socket
module. This has been resolved by setting the constants on Windows if they
are missing. See https://github.com/Pylons/waitress/issues/138
- A ValueError was raised on Windows when passing a string for the port, on
Windows in Python 2 using service names instead of port numbers doesn't work
with `getaddrinfo`. This has been resolved by attempting to convert the port
number to an integer, if that fails a ValueError will be raised. See
https://github.com/Pylons/waitress/issues/139
```
### 1.0.0
```
------------------
Bugfixes
~~~~~~~~
- Removed `AI_ADDRCONFIG` from the call to `getaddrinfo`, this resolves an
issue whereby `getaddrinfo` wouldn't return any addresses to `bind` to on
hosts where there is no internet connection but localhost is requested to be
bound to. See https://github.com/Pylons/waitress/issues/131 for more
information.
Deprecations
~~~~~~~~~~~~
- Python 2.6 is no longer supported.
Features
~~~~~~~~
- IPv6 support
- Waitress is now able to listen on multiple sockets, including IPv4 and IPv6.
Instead of passing in a host/port combination you now provide waitress with a
space delineated list, and it will create as many sockets as required.
.. code-block:: python
from waitress import serve
serve(wsgiapp, listen='0.0.0.0:8080 [::]:9090 *:6543')
Security
~~~~~~~~
- Waitress will now drop HTTP headers that contain an underscore in the key
when received from a client. This is to stop any possible underscore/dash
conflation that may lead to security issues. See
https://github.com/Pylons/waitress/pull/80 and
https://www.djangoproject.com/weblog/2015/jan/13/security/
```
### 0.9.0
```
------------------
Deprecations
~~~~~~~~~~~~
- Python 3.2 is no longer supported by Waitress.
- Python 2.6 will no longer be supported by Waitress in future releases.
Security/Protections
~~~~~~~~~~~~~~~~~~~~
- Building on the changes made in pull request 117, add in checking for line
feed/carriage return HTTP Response Splitting in the status line, as well as
the key of a header. See https://github.com/Pylons/waitress/pull/124 and
https://github.com/Pylons/waitress/issues/122.
- Waitress will no longer accept headers or status lines with
newline/carriage returns in them, thereby disallowing HTTP Response
Splitting. See https://github.com/Pylons/waitress/issues/117 for
more information, as well as
https://www.owasp.org/index.php/HTTP_Response_Splitting.
Bugfixes
~~~~~~~~
- FileBasedBuffer and more important ReadOnlyFileBasedBuffer no longer report
False when tested with bool(), instead always returning True, and becoming
more iterator like.
See: https://github.com/Pylons/waitress/pull/82 and
https://github.com/Pylons/waitress/issues/76
- Call prune() on the output buffer at the end of a request so that it doesn't
continue to grow without bounds. See
https://github.com/Pylons/waitress/issues/111 for more information.
```
### 0.8.10
```
-------------------
- Add support for Python 3.4, 3.5b2, and PyPy3.
- Use a nonglobal asyncore socket map by default, trying to prevent conflicts
with apps and libs that use the asyncore global socket map ala
https://github.com/Pylons/waitress/issues/63. You can get the old
use-global-socket-map behavior back by passing ``asyncore.socket_map`` to the
``create_server`` function as the ``map`` argument.
- Waitress violated PEP 3333 with respect to reraising an exception when
``start_response`` was called with an ``exc_info`` argument. It would
reraise the exception even if no data had been sent to the client. It now
only reraises the exception if data has actually been sent to the client.
See https://github.com/Pylons/waitress/pull/52 and
https://github.com/Pylons/waitress/issues/51
- Add a ``docs`` section to tox.ini that, when run, ensures docs can be built.
- If an ``application`` value of ``None`` is supplied to the ``create_server``
constructor function, a ValueError is now raised eagerly instead of an error
occuring during runtime. See https://github.com/Pylons/waitress/pull/60
- Fix parsing of multi-line (folded) headers.
See https://github.com/Pylons/waitress/issues/53 and
https://github.com/Pylons/waitress/pull/90
- Switch from the low level Python thread/_thread module to the threading
module.
- Improved exception information should module import go awry.
```
### 0.8.9
```
------------------
- Fix tests under Windows. NB: to run tests under Windows, you cannot run
"setup.py test" or "setup.py nosetests". Instead you must run ``python.exe
-c "import nose; nose.main()"``. If you try to run the tests using the
normal method under Windows, each subprocess created by the test suite will
attempt to run the test suite again. See
https://github.com/nose-devs/nose/issues/407 for more information.
- Give the WSGI app_iter generated when ``wsgi.file_wrapper`` is used
(ReadOnlyFileBasedBuffer) a ``close`` method. Do not call ``close`` on an
instance of such a class when it's used as a WSGI app_iter, however. This is
part of a fix which prevents a leakage of file descriptors; the other part of
the fix was in WebOb
(https://github.com/Pylons/webob/commit/951a41ce57bd853947f842028bccb500bd5237da).
- Allow trusted proxies to override ``wsgi.url_scheme`` via a request header,
``X_FORWARDED_PROTO``. Allows proxies which serve mixed HTTP / HTTPS
requests to control signal which are served as HTTPS. See
https://github.com/Pylons/waitress/pull/42.
```
### 0.8.8
```
------------------
- Fix some cases where the creation of extremely large output buffers (greater
than 2GB, suspected to be buffers added via ``wsgi.file_wrapper``) might
cause an OverflowError on Python 2. See
https://github.com/Pylons/waitress/issues/47.
- When the ``url_prefix`` adjustment starts with more than one slash, all
slashes except one will be stripped from its beginning. This differs from
older behavior where more than one leading slash would be preserved in
``url_prefix``.
- If a client somehow manages to send an empty path, we no longer convert the
empty path to a single slash in ``PATH_INFO``. Instead, the path remains
empty. According to RFC 2616 section "5.1.2 Request-URI", the scenario of a
client sending an empty path is actually not possible because the request URI
portion cannot be empty.
- If the ``url_prefix`` adjustment matches the request path exactly, we now
compute ``SCRIPT_NAME`` and ``PATH_INFO`` properly. Previously, if the
``url_prefix`` was ``/foo`` and the path received from a client was ``/foo``,
we would set *both* ``SCRIPT_NAME`` and ``PATH_INFO`` to ``/foo``. This was
incorrect. Now in such a case we set ``PATH_INFO`` to the empty string and
we set ``SCRIPT_NAME`` to ``/foo``. Note that the change we made has no
effect on paths that do not match the ``url_prefix`` exactly (such as
``/foo/bar``); these continue to operate as they did. See
https://github.com/Pylons/waitress/issues/46
- Preserve header ordering of headers with the same name as per RFC 2616. See
https://github.com/Pylons/waitress/pull/44
- When waitress receives a ``Transfer-Encoding: chunked`` request, we no longer
send the ``TRANSFER_ENCODING`` nor the ``HTTP_TRANSFER_ENCODING`` value to
the application in the environment. Instead, we pop this header. Since we
cope with chunked requests by buffering the data in the server, we also know
when a chunked request has ended, and therefore we know the content length.
We set the content-length header in the environment, such that applications
effectively never know the original request was a T-E: chunked request; it
will appear to them as if the request is a non-chunked request with an
accurate content-length.
- Cope with the fact that the ``Transfer-Encoding`` value is case-insensitive.
- When the ``--unix-socket-perms`` option was used as an argument to
``waitress-serve``, a ``TypeError`` would be raised. See
https://github.com/Pylons/waitress/issues/50.
```
### 0.8.7
```
------------------
- The HTTP version of the response returned by waitress when it catches an
exception will now match the HTTP request version.
- Fix: CONNECTION header will be HTTP_CONNECTION and not CONNECTION_TYPE
(see https://github.com/Pylons/waitress/issues/13)
```
### 0.8.6
```
------------------
- Do alternate type of checking for UNIX socket support, instead of checking
for platform == windows.
- Functional tests now use multiprocessing module instead of subprocess module,
speeding up test suite and making concurrent execution more reliable.
- Runner now appends the current working directory to ``sys.path`` to support
running WSGI applications from a directory (i.e., not installed in a
virtualenv).
- Add a ``url_prefix`` adjustment setting. You can use it by passing
``script_name='/foo'`` to ``waitress.serve`` or you can use it in a
``PasteDeploy`` ini file as ``script_name = /foo``. This will cause the WSGI
``SCRIPT_NAME`` value to be the value passed minus any trailing slashes you
add, and it will cause the ``PATH_INFO`` of any request which is prefixed
with this value to be stripped of the prefix. You can use this instead of
PasteDeploy's ``prefixmiddleware`` to always prefix the path.
```
### 0.8.5
```
------------------
- Fix runner multisegment imports in some Python 2 revisions (see
https://github.com/Pylons/waitress/pull/34).
- For compatibility, WSGIServer is now an alias of TcpWSGIServer. The
signature of BaseWSGIServer is now compatible with WSGIServer pre-0.8.4.
```
### 0.8.4
```
------------------
- Add a command-line runner called ``waitress-serve`` to allow Waitress
to run WSGI applications without any addional machinery. This is
essentially a thin wrapper around the ``waitress.serve()`` function.
- Allow parallel testing (e.g., under ``detox`` or ``nosetests --processes``)
using PID-dependent port / socket for functest servers.
- Fix integer overflow errors on large buffers. Thanks to Marcin Kuzminski
for the patch. See: https://github.com/Pylons/waitress/issues/22
- Add support for listening on Unix domain sockets.
```
### 0.8.3
```
------------------
Features
~~~~~~~~
- Add an ``asyncore_loop_timeout`` adjustment value, which controls the
``timeout`` value passed to ``asyncore.loop``; defaults to 1.
Bug Fixes
~~~~~~~~~
- The default asyncore loop timeout is now 1 second. This prevents slow
shutdown on Windows. See https://github.com/Pylons/waitress/issues/6 . This
shouldn't matter to anyone in particular, but it can be changed via the
``asyncore_loop_timeout`` adjustment (it used to previously default to 30
seconds).
- Don't complain if there's a response to a HEAD request that contains a
Content-Length > 0. See https://github.com/Pylons/waitress/pull/7.
- Fix bug in HTTP Expect/Continue support. See
https://github.com/Pylons/waitress/issues/9 .
```
### 0.8.2
```
------------------
Bug Fixes
~~~~~~~~~
- https://corte.si/posts/code/pathod/pythonservers/index.html pointed out that
sending a bad header resulted in an exception leading to a 500 response
instead of the more proper 400 response without an exception.
- Fix a race condition in the test suite.
- Allow "ident" to be used as a keyword to ``serve()`` as per docs.
- Add py33 to tox.ini.
```
### 0.8.1
```
------------------
Bug Fixes
~~~~~~~~~
- A brown-bag bug prevented request concurrency. A slow request would block
subsequent the responses of subsequent requests until the slow request's
response was fully generated. This was due to a "task lock" being declared
as a class attribute rather than as an instance attribute on HTTPChannel.
Also took the opportunity to move another lock named "outbuf lock" to the
channel instance rather than the class. See
https://github.com/Pylons/waitress/pull/1 .
```
### 0.8
```
----------------
Features
~~~~~~~~
- Support the WSGI ``wsgi.file_wrapper`` protocol as per
https://www.python.org/dev/peps/pep-0333/#optional-platform-specific-file-handling.
Here's a usage example::
import os
here = os.path.dirname(os.path.abspath(__file__))
def myapp(environ, start_response):
f = open(os.path.join(here, 'myphoto.jpg'), 'rb')
headers = [('Content-Type', 'image/jpeg')]
start_response(
'200 OK',
headers
)
return environ['wsgi.file_wrapper'](f, 32768)
The signature of the file wrapper constructor is ``(filelike_object,
block_size)``. Both arguments must be passed as positional (not keyword)
arguments. The result of creating a file wrapper should be **returned** as
the ``app_iter`` from a WSGI application.
The object passed as ``filelike_object`` to the wrapper must be a file-like
object which supports *at least* the ``read()`` method, and the ``read()``
method must support an optional size hint argument. It *should* support
the ``seek()`` and ``tell()`` methods. If it does not, normal iteration
over the filelike object using the provided block_size is used (and copying
is done, negating any benefit of the file wrapper). It *should* support a
``close()`` method.
The specified ``block_size`` argument to the file wrapper constructor will
be used only when the ``filelike_object`` doesn't support ``seek`` and/or
``tell`` methods. Waitress needs to use normal iteration to serve the file
in this degenerate case (as per the WSGI spec), and this block size will be
used as the iteration chunk size. The ``block_size`` argument is optional;
if it is not passed, a default value``32768`` is used.
Waitress will set a ``Content-Length`` header on the behalf of an
application when a file wrapper with a sufficiently filelike object is used
if the application hasn't already set one.
The machinery which handles a file wrapper currently doesn't do anything
particularly special using fancy system calls (it doesn't use ``sendfile``
for example); using it currently just prevents the system from needing to
copy data to a temporary buffer in order to send it to the client. No
copying of data is done when a WSGI app returns a file wrapper that wraps a
sufficiently filelike object. It may do something fancier in the future.
```
### 0.7
```
----------------
Features
~~~~~~~~
- Default ``send_bytes`` value is now 18000 instead of 9000. The larger
default value prevents asyncore from needing to execute select so many
times to serve large files, speeding up file serving by about 15%-20% or
so. This is probably only an optimization for LAN communications, and
could slow things down across a WAN (due to higher TCP overhead), but we're
likely to be behind a reverse proxy on a LAN anyway if in production.
- Added an (undocumented) profiling feature to the ``serve()`` command.
```
### 0.6.1
```
------------------
Bug Fixes
~~~~~~~~~
- Remove performance-sapping call to ``pull_trigger`` in the channel's
``write_soon`` method added mistakenly in 0.6.
```
### 0.6
```
----------------
Bug Fixes
~~~~~~~~~
- A logic error prevented the internal outbuf buffer of a channel from being
flushed when the client could not accept the entire contents of the output
buffer in a single succession of socket.send calls when the channel was in
a "pending close" state. The socket in such a case would be closed
prematurely, sometimes resulting in partially delivered content. This was
discovered by a user using waitress behind an Nginx reverse proxy, which
apparently is not always ready to receive data. The symptom was that he
received "half" of a large CSS file (110K) while serving content via
waitress behind the proxy.
```
### 0.5
```
----------------
Bug Fixes
~~~~~~~~~
- Fix PATH_INFO encoding/decoding on Python 3 (as per PEP 3333, tunnel
bytes-in-unicode-as-latin-1-after-unquoting).
```
### 0.4
```
----------------
Features
~~~~~~~~
- Added "design" document to docs.
Bug Fixes
~~~~~~~~~
- Set default ``connection_limit`` back to 100 for benefit of maximal
platform compatibility.
- Normalize setting of ``last_activity`` during send.
- Minor resource cleanups during tests.
- Channel timeout cleanup was broken.
```
### 0.3
```
----------------
Features
~~~~~~~~
- Dont hang a thread up trying to send data to slow clients.
- Use self.logger to log socket errors instead of self.log_info (normalize).
- Remove pointless handle_error method from channel.
- Queue requests instead of tasks in a channel.
Bug Fixes
~~~~~~~~~
- Expect: 100-continue responses were broken.
```
### 0.2
```
----------------
Bug Fixes
~~~~~~~~~
- Set up logging by calling logging.basicConfig() when ``serve`` is called
(show tracebacks and other warnings to console by default).
- Disallow WSGI applications to set "hop-by-hop" headers (Connection,
Transfer-Encoding, etc).
- Don't treat 304 status responses specially in HTTP/1.1 mode.
- Remove out of date ``interfaces.py`` file.
- Normalize logging (all output is now sent to the ``waitress`` logger rather
than in degenerate cases some output being sent directly to stderr).
Features
~~~~~~~~
- Support HTTP/1.1 ``Transfer-Encoding: chunked`` responses.
- Slightly better docs about logging.
```
### 0.1
```
----------------
- Initial release.
```
Links
- PyPI: https://pypi.org/project/waitress
- Changelog: https://pyup.io/changelogs/waitress/
- Repo: https://github.com/Pylons/waitress
Update waitress from 1.4.4 to 2.0.0.
Changelog
### 2.0.0 ``` ------------------ Friendly Reminder ~~~~~~~~~~~~~~~~~ This release still contains a variety of deprecation notices about defaults that can be set for a variety of options. Please note that this is your last warning, and you should update your configuration if you do NOT want to use the new defaults. See the arguments documentation page for all supported options, and pay attention to the warnings: https://docs.pylonsproject.org/projects/waitress/en/stable/arguments.html Without further ado, here's a short list of great changes thanks to our contributors! Bugfixes/Features ~~~~~~~~~~~~~~~~~ - Fix a crash on startup when listening to multiple interfaces. See https://github.com/Pylons/waitress/pull/332 - Waitress no longer attempts to guess at what the ``server_name`` should be for a listen socket, instead it always use a new adjustment/argument named ``server_name``. Please see the documentation for ``server_name`` in https://docs.pylonsproject.org/projects/waitress/en/latest/arguments.html and see https://github.com/Pylons/waitress/pull/329 - Allow tasks to notice if the client disconnected. This inserts a callable ``waitress.client_disconnected`` into the environment that allows the task to check if the client disconnected while waiting for the response at strategic points in the execution and to cancel the operation. It requires setting the new adjustment ``channel_request_lookahead`` to a value larger than 0, which continues to read requests from a channel even if a request is already being processed on that channel, up to the given count, since a client disconnect is detected by reading from a readable socket and receiving an empty result. See https://github.com/Pylons/waitress/pull/310 - Drop Python 2.7 and 3.5 support - The server now issues warning output when it there are enough open connections (controlled by "connection_limit"), that it is no longer accepting new connections. This situation was previously difficult to diagnose. See https://github.com/Pylons/waitress/pull/322 ``` ### 1.4.4 ``` ------------------ - Fix an issue with keep-alive connections in which memory usage was higher than expected because output buffers were being reused across requests on a long-lived connection and each buffer would not be freed until it was full or the connection was closed. Buffers are now rotated per-request to stabilize their behavior. See https://github.com/Pylons/waitress/pull/300 - Waitress threads have been updated to contain their thread number. This will allow loggers that use that information to print the thread that the log is coming from. See https://github.com/Pylons/waitress/pull/302 ``` ### 1.4.3 ``` ------------------ Security Fixes ~~~~~~~~~~~~~~ - In Waitress version 1.4.2 a new regular expression was added to validate the headers that Waitress receives to make sure that it matches RFC7230. Unfortunately the regular expression was written in a way that with invalid input it leads to catastrophic backtracking which allows for a Denial of Service and CPU usage going to a 100%. This was reported by Fil Zembowicz to the Pylons Project. Please see https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc for more information. ``` ### 1.4.2 ``` ------------------ Security Fixes ~~~~~~~~~~~~~~ - This is a follow-up to the fix introduced in 1.4.1 to tighten up the way Waitress strips whitespace from header values. This makes sure Waitress won't accidentally treat non-printable characters as whitespace and lead to a potental HTTP request smuggling/splitting security issue. Thanks to ZeddYu Lu for the extra test cases. Please see the security advisory for more information: https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 CVE-ID: CVE-2019-16789 Bugfixes ~~~~~~~~ - Updated the regex used to validate header-field content to match the errata that was published for RFC7230. See: https://www.rfc-editor.org/errata_search.php?rfc=7230&eid=4189 ``` ### 1.4.1 ``` ------------------ Security Fixes ~~~~~~~~~~~~~~ - Waitress did not properly validate that the HTTP headers it received were properly formed, thereby potentially allowing a front-end server to treat a request different from Waitress. This could lead to HTTP request smuggling/splitting. Please see the security advisory for more information: https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 CVE-ID: CVE-2019-16789 ``` ### 1.4.0 ``` ------------------ Bugfixes ~~~~~~~~ - Waitress used to slam the door shut on HTTP pipelined requests without setting the ``Connection: close`` header as appropriate in the response. This is of course not very friendly. Waitress now explicitly sets the header when responding with an internally generated error such as 400 Bad Request or 500 Internal Server Error to notify the remote client that it will be closing the connection after the response is sent. - Waitress no longer allows any spaces to exist between the header field-name and the colon. While waitress did not strip the space and thereby was not vulnerable to any potential header field-name confusion, it should have sent back a 400 Bad Request. See https://github.com/Pylons/waitress/issues/273 Security Fixes ~~~~~~~~~~~~~~ - Waitress implemented a "MAY" part of the RFC7230 (https://tools.ietf.org/html/rfc7230#section-3.5) which states: Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR. Unfortunately if a front-end server does not parse header fields with an LF the same way as it does those with a CRLF it can lead to the front-end and the back-end server parsing the same HTTP message in two different ways. This can lead to a potential for HTTP request smuggling/splitting whereby Waitress may see two requests while the front-end server only sees a single HTTP message. For more information I can highly recommend the blog post by ZeddYu Lu https://blog.zeddyu.info/2019/12/08/HTTP-Smuggling-en/ Please see the security advisory for more information: https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p CVE-ID: CVE-2019-16785 - Waitress used to treat LF the same as CRLF in ``Transfer-Encoding: chunked`` requests, while the maintainer doesn't believe this could lead to a security issue, this is no longer supported and all chunks are now validated to be properly framed with CRLF as required by RFC7230. - Waitress now validates that the ``Transfer-Encoding`` header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being ``chunked``. That means that if the following header is sent: ``Transfer-Encoding: gzip, chunked`` Waitress will send back a 501 Not Implemented with an error message stating as such, as while Waitress supports ``chunked`` encoding it does not support ``gzip`` and it is unable to pass that to the underlying WSGI environment correctly. Waitress DOES NOT implement support for ``Transfer-Encoding: identity`` eventhough ``identity`` was valid in RFC2616, it was removed in RFC7230. Please update your clients to remove the ``Transfer-Encoding`` header if the only transfer coding is ``identity`` or update your client to use ``Transfer-Encoding: chunked`` instead of ``Transfer-Encoding: identity, chunked``. Please see the security advisory for more information: https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p CVE-ID: CVE-2019-16786 - While validating the ``Transfer-Encoding`` header, Waitress now properly handles line-folded ``Transfer-Encoding`` headers or those that contain multiple comma seperated values. This closes a potential issue where a front-end server may treat the request as being a chunked request (and thus ignoring the Content-Length) and Waitress using the Content-Length as it was looking for the single value ``chunked`` and did not support comma seperated values. - Waitress used to explicitly set the Content-Length header to 0 if it was unable to parse it as an integer (for example if the Content-Length header was sent twice (and thus folded together), or was invalid) thereby allowing for a potential request to be split and treated as two requests by HTTP pipelining support in Waitress. If Waitress is now unable to parse the Content-Length header, a 400 Bad Request is sent back to the client. Please see the security advisory for more information: https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6 ``` ### 1.3.1 ``` ------------------ Bugfixes ~~~~~~~~ - Waitress won't accidentally throw away part of the path if it starts with a double slash (``GET //testing/whatever HTTP/1.0``). WSGI applications will now receive a ``PATH_INFO`` in the environment that contains ``//testing/whatever`` as required. See https://github.com/Pylons/waitress/issues/260 and https://github.com/Pylons/waitress/pull/261 ``` ### 1.3.0 ``` ------------------ Deprecations ~~~~~~~~~~~~ - The ``send_bytes`` adjustment now defaults to ``1`` and is deprecated pending removal in a future release. and https://github.com/Pylons/waitress/pull/246 Features ~~~~~~~~ - Add a new ``outbuf_high_watermark`` adjustment which is used to apply backpressure on the ``app_iter`` to avoid letting it spin faster than data can be written to the socket. This stabilizes responses that iterate quickly with a lot of data. See https://github.com/Pylons/waitress/pull/242 - Stop early and close the ``app_iter`` when attempting to write to a closed socket due to a client disconnect. This should notify a long-lived streaming response when a client hangs up. See https://github.com/Pylons/waitress/pull/238 and https://github.com/Pylons/waitress/pull/240 and https://github.com/Pylons/waitress/pull/241 - Adjust the flush to output ``SO_SNDBUF`` bytes instead of whatever was set in the ``send_bytes`` adjustment. ``send_bytes`` now only controls how much waitress will buffer internally before flushing to the kernel, whereas previously it used to also throttle how much data was sent to the kernel. This change enables a streaming ``app_iter`` containing small chunks to still be flushed efficiently. See https://github.com/Pylons/waitress/pull/246 Bugfixes ~~~~~~~~ - Upon receiving a request that does not include HTTP/1.0 or HTTP/1.1 we will no longer set the version to the string value "None". See https://github.com/Pylons/waitress/pull/252 and https://github.com/Pylons/waitress/issues/110 - When a client closes a socket unexpectedly there was potential for memory leaks in which data was written to the buffers after they were closed, causing them to reopen. See https://github.com/Pylons/waitress/pull/239 - Fix the queue depth warnings to only show when all threads are busy. See https://github.com/Pylons/waitress/pull/243 and https://github.com/Pylons/waitress/pull/247 - Trigger the ``app_iter`` to close as part of shutdown. This will only be noticeable for users of the internal server api. In more typical operations the server will die before benefiting from these changes. See https://github.com/Pylons/waitress/pull/245 - Fix a bug in which a streaming ``app_iter`` may never cleanup data that has already been sent. This would cause buffers in waitress to grow without bounds. These buffers now properly rotate and release their data. See https://github.com/Pylons/waitress/pull/242 - Fix a bug in which non-seekable subclasses of ``io.IOBase`` would trigger an exception when passed to the ``wsgi.file_wrapper`` callback. See https://github.com/Pylons/waitress/pull/249 ``` ### 1.2.1 ``` ------------------ Bugfixes ~~~~~~~~ - When given an IPv6 address in ``X-Forwarded-For`` or ``Forwarded for=`` waitress was placing the IP address in ``REMOTE_ADDR`` with brackets: ``[2001:db8::0]``, this does not match the requirements in the CGI spec which ``REMOTE_ADDR`` was lifted from. Waitress will now place the bare IPv6 address in ``REMOTE_ADDR``: ``2001:db8::0``. See https://github.com/Pylons/waitress/pull/232 and https://github.com/Pylons/waitress/issues/230 ``` ### 1.2.0 ``` ------------------ No changes since the last beta release. Enjoy Waitress! ``` ### 1.2.0b3 ``` -------------------- Bugfixes ~~~~~~~~ - Modified ``clear_untrusted_proxy_headers`` to be usable without a ``trusted_proxy``. https://github.com/Pylons/waitress/pull/228 - Modified ``trusted_proxy_count`` to error when used without a ``trusted_proxy``. https://github.com/Pylons/waitress/pull/228 ``` ### 1.2.0b2 ``` -------------------- Bugfixes ~~~~~~~~ - Fixed logic to no longer warn on writes where the output is required to have a body but there may not be any data to be written. Solves issue posted on the Pylons Project mailing list with 1.2.0b1. ``` ### 1.2.0b1 ``` -------------------- Happy New Year! Features ~~~~~~~~ - Setting the ``trusted_proxy`` setting to ``'*'`` (wildcard) will allow all upstreams to be considered trusted proxies, thereby allowing services behind Cloudflare/ELBs to function correctly whereby there may not be a singular IP address that requests are received from. Using this setting is potentially dangerous if your server is also available from anywhere on the internet, and further protections should be used to lock down access to Waitress. See https://github.com/Pylons/waitress/pull/224 - Waitress has increased its support of the X-Forwarded-* headers and includes Forwarded (RFC7239) support. This may be used to allow proxy servers to influence the WSGI environment. See https://github.com/Pylons/waitress/pull/209 This also provides a new security feature when using Waitress behind a proxy in that it is possible to remove untrusted proxy headers thereby making sure that downstream WSGI applications don't accidentally use those proxy headers to make security decisions. The documentation has more information, see the following new arguments: - trusted_proxy_count - trusted_proxy_headers - clear_untrusted_proxy_headers - log_untrusted_proxy_headers (useful for debugging) Be aware that the defaults for these are currently backwards compatible with older versions of Waitress, this will change in a future release of waitress. If you expect to need this behaviour please explicitly set these variables in your configuration, or pin this version of waitress. Documentation: https://docs.pylonsproject.org/projects/waitress/en/latest/reverse-proxy.html - Waitress can now accept a list of sockets that are already pre-bound rather than creating its own to allow for socket activation. Support for init systems/other systems that create said activated sockets is not included. See https://github.com/Pylons/waitress/pull/215 - Server header can be omitted by specifying ``ident=None`` or ``ident=''``. See https://github.com/Pylons/waitress/pull/187 Bugfixes ~~~~~~~~ - Waitress will no longer send Transfer-Encoding or Content-Length for 1xx, 204, or 304 responses, and will completely ignore any message body sent by the WSGI application, making sure to follow the HTTP standard. See https://github.com/Pylons/waitress/pull/166, https://github.com/Pylons/waitress/issues/165, https://github.com/Pylons/waitress/issues/152, and https://github.com/Pylons/waitress/pull/202 Compatibility ~~~~~~~~~~~~~ - Waitress has now "vendored" asyncore into itself as ``waitress.wasyncore``. This is to cope with the eventuality that asyncore will be removed from the Python standard library in 3.8 or so. Documentation ~~~~~~~~~~~~~ - Bring in documentation of paste.translogger from Pyramid. Reorganize and clean up documentation. See https://github.com/Pylons/waitress/pull/205 https://github.com/Pylons/waitress/pull/70 https://github.com/Pylons/waitress/pull/206 ``` ### 1.1.0 ``` ------------------ Features ~~~~~~~~ - Waitress now has a __main__ and thus may be called with ``python -mwaitress`` Bugfixes ~~~~~~~~ - Waitress no longer allows lowercase HTTP verbs. This change was made to fall in line with most HTTP servers. See https://github.com/Pylons/waitress/pull/170 - When receiving non-ascii bytes in the request URL, waitress will no longer abruptly close the connection, instead returning a 400 Bad Request. See https://github.com/Pylons/waitress/pull/162 and https://github.com/Pylons/waitress/issues/64 ``` ### 1.0.2 ``` ------------------ Features ~~~~~~~~ - Python 3.6 is now officially supported in Waitress Bugfixes ~~~~~~~~ - Add a work-around for libc issue on Linux not following the documented standards. If getnameinfo() fails because of DNS not being available it should return the IP address instead of the reverse DNS entry, however instead getnameinfo() raises. We catch this, and ask getnameinfo() for the same information again, explicitly asking for IP address instead of reverse DNS hostname. See https://github.com/Pylons/waitress/issues/149 and https://github.com/Pylons/waitress/pull/153 ``` ### 1.0.1 ``` ------------------ Bugfixes ~~~~~~~~ - IPv6 support on Windows was broken due to missing constants in the socket module. This has been resolved by setting the constants on Windows if they are missing. See https://github.com/Pylons/waitress/issues/138 - A ValueError was raised on Windows when passing a string for the port, on Windows in Python 2 using service names instead of port numbers doesn't work with `getaddrinfo`. This has been resolved by attempting to convert the port number to an integer, if that fails a ValueError will be raised. See https://github.com/Pylons/waitress/issues/139 ``` ### 1.0.0 ``` ------------------ Bugfixes ~~~~~~~~ - Removed `AI_ADDRCONFIG` from the call to `getaddrinfo`, this resolves an issue whereby `getaddrinfo` wouldn't return any addresses to `bind` to on hosts where there is no internet connection but localhost is requested to be bound to. See https://github.com/Pylons/waitress/issues/131 for more information. Deprecations ~~~~~~~~~~~~ - Python 2.6 is no longer supported. Features ~~~~~~~~ - IPv6 support - Waitress is now able to listen on multiple sockets, including IPv4 and IPv6. Instead of passing in a host/port combination you now provide waitress with a space delineated list, and it will create as many sockets as required. .. code-block:: python from waitress import serve serve(wsgiapp, listen='0.0.0.0:8080 [::]:9090 *:6543') Security ~~~~~~~~ - Waitress will now drop HTTP headers that contain an underscore in the key when received from a client. This is to stop any possible underscore/dash conflation that may lead to security issues. See https://github.com/Pylons/waitress/pull/80 and https://www.djangoproject.com/weblog/2015/jan/13/security/ ``` ### 0.9.0 ``` ------------------ Deprecations ~~~~~~~~~~~~ - Python 3.2 is no longer supported by Waitress. - Python 2.6 will no longer be supported by Waitress in future releases. Security/Protections ~~~~~~~~~~~~~~~~~~~~ - Building on the changes made in pull request 117, add in checking for line feed/carriage return HTTP Response Splitting in the status line, as well as the key of a header. See https://github.com/Pylons/waitress/pull/124 and https://github.com/Pylons/waitress/issues/122. - Waitress will no longer accept headers or status lines with newline/carriage returns in them, thereby disallowing HTTP Response Splitting. See https://github.com/Pylons/waitress/issues/117 for more information, as well as https://www.owasp.org/index.php/HTTP_Response_Splitting. Bugfixes ~~~~~~~~ - FileBasedBuffer and more important ReadOnlyFileBasedBuffer no longer report False when tested with bool(), instead always returning True, and becoming more iterator like. See: https://github.com/Pylons/waitress/pull/82 and https://github.com/Pylons/waitress/issues/76 - Call prune() on the output buffer at the end of a request so that it doesn't continue to grow without bounds. See https://github.com/Pylons/waitress/issues/111 for more information. ``` ### 0.8.10 ``` ------------------- - Add support for Python 3.4, 3.5b2, and PyPy3. - Use a nonglobal asyncore socket map by default, trying to prevent conflicts with apps and libs that use the asyncore global socket map ala https://github.com/Pylons/waitress/issues/63. You can get the old use-global-socket-map behavior back by passing ``asyncore.socket_map`` to the ``create_server`` function as the ``map`` argument. - Waitress violated PEP 3333 with respect to reraising an exception when ``start_response`` was called with an ``exc_info`` argument. It would reraise the exception even if no data had been sent to the client. It now only reraises the exception if data has actually been sent to the client. See https://github.com/Pylons/waitress/pull/52 and https://github.com/Pylons/waitress/issues/51 - Add a ``docs`` section to tox.ini that, when run, ensures docs can be built. - If an ``application`` value of ``None`` is supplied to the ``create_server`` constructor function, a ValueError is now raised eagerly instead of an error occuring during runtime. See https://github.com/Pylons/waitress/pull/60 - Fix parsing of multi-line (folded) headers. See https://github.com/Pylons/waitress/issues/53 and https://github.com/Pylons/waitress/pull/90 - Switch from the low level Python thread/_thread module to the threading module. - Improved exception information should module import go awry. ``` ### 0.8.9 ``` ------------------ - Fix tests under Windows. NB: to run tests under Windows, you cannot run "setup.py test" or "setup.py nosetests". Instead you must run ``python.exe -c "import nose; nose.main()"``. If you try to run the tests using the normal method under Windows, each subprocess created by the test suite will attempt to run the test suite again. See https://github.com/nose-devs/nose/issues/407 for more information. - Give the WSGI app_iter generated when ``wsgi.file_wrapper`` is used (ReadOnlyFileBasedBuffer) a ``close`` method. Do not call ``close`` on an instance of such a class when it's used as a WSGI app_iter, however. This is part of a fix which prevents a leakage of file descriptors; the other part of the fix was in WebOb (https://github.com/Pylons/webob/commit/951a41ce57bd853947f842028bccb500bd5237da). - Allow trusted proxies to override ``wsgi.url_scheme`` via a request header, ``X_FORWARDED_PROTO``. Allows proxies which serve mixed HTTP / HTTPS requests to control signal which are served as HTTPS. See https://github.com/Pylons/waitress/pull/42. ``` ### 0.8.8 ``` ------------------ - Fix some cases where the creation of extremely large output buffers (greater than 2GB, suspected to be buffers added via ``wsgi.file_wrapper``) might cause an OverflowError on Python 2. See https://github.com/Pylons/waitress/issues/47. - When the ``url_prefix`` adjustment starts with more than one slash, all slashes except one will be stripped from its beginning. This differs from older behavior where more than one leading slash would be preserved in ``url_prefix``. - If a client somehow manages to send an empty path, we no longer convert the empty path to a single slash in ``PATH_INFO``. Instead, the path remains empty. According to RFC 2616 section "5.1.2 Request-URI", the scenario of a client sending an empty path is actually not possible because the request URI portion cannot be empty. - If the ``url_prefix`` adjustment matches the request path exactly, we now compute ``SCRIPT_NAME`` and ``PATH_INFO`` properly. Previously, if the ``url_prefix`` was ``/foo`` and the path received from a client was ``/foo``, we would set *both* ``SCRIPT_NAME`` and ``PATH_INFO`` to ``/foo``. This was incorrect. Now in such a case we set ``PATH_INFO`` to the empty string and we set ``SCRIPT_NAME`` to ``/foo``. Note that the change we made has no effect on paths that do not match the ``url_prefix`` exactly (such as ``/foo/bar``); these continue to operate as they did. See https://github.com/Pylons/waitress/issues/46 - Preserve header ordering of headers with the same name as per RFC 2616. See https://github.com/Pylons/waitress/pull/44 - When waitress receives a ``Transfer-Encoding: chunked`` request, we no longer send the ``TRANSFER_ENCODING`` nor the ``HTTP_TRANSFER_ENCODING`` value to the application in the environment. Instead, we pop this header. Since we cope with chunked requests by buffering the data in the server, we also know when a chunked request has ended, and therefore we know the content length. We set the content-length header in the environment, such that applications effectively never know the original request was a T-E: chunked request; it will appear to them as if the request is a non-chunked request with an accurate content-length. - Cope with the fact that the ``Transfer-Encoding`` value is case-insensitive. - When the ``--unix-socket-perms`` option was used as an argument to ``waitress-serve``, a ``TypeError`` would be raised. See https://github.com/Pylons/waitress/issues/50. ``` ### 0.8.7 ``` ------------------ - The HTTP version of the response returned by waitress when it catches an exception will now match the HTTP request version. - Fix: CONNECTION header will be HTTP_CONNECTION and not CONNECTION_TYPE (see https://github.com/Pylons/waitress/issues/13) ``` ### 0.8.6 ``` ------------------ - Do alternate type of checking for UNIX socket support, instead of checking for platform == windows. - Functional tests now use multiprocessing module instead of subprocess module, speeding up test suite and making concurrent execution more reliable. - Runner now appends the current working directory to ``sys.path`` to support running WSGI applications from a directory (i.e., not installed in a virtualenv). - Add a ``url_prefix`` adjustment setting. You can use it by passing ``script_name='/foo'`` to ``waitress.serve`` or you can use it in a ``PasteDeploy`` ini file as ``script_name = /foo``. This will cause the WSGI ``SCRIPT_NAME`` value to be the value passed minus any trailing slashes you add, and it will cause the ``PATH_INFO`` of any request which is prefixed with this value to be stripped of the prefix. You can use this instead of PasteDeploy's ``prefixmiddleware`` to always prefix the path. ``` ### 0.8.5 ``` ------------------ - Fix runner multisegment imports in some Python 2 revisions (see https://github.com/Pylons/waitress/pull/34). - For compatibility, WSGIServer is now an alias of TcpWSGIServer. The signature of BaseWSGIServer is now compatible with WSGIServer pre-0.8.4. ``` ### 0.8.4 ``` ------------------ - Add a command-line runner called ``waitress-serve`` to allow Waitress to run WSGI applications without any addional machinery. This is essentially a thin wrapper around the ``waitress.serve()`` function. - Allow parallel testing (e.g., under ``detox`` or ``nosetests --processes``) using PID-dependent port / socket for functest servers. - Fix integer overflow errors on large buffers. Thanks to Marcin Kuzminski for the patch. See: https://github.com/Pylons/waitress/issues/22 - Add support for listening on Unix domain sockets. ``` ### 0.8.3 ``` ------------------ Features ~~~~~~~~ - Add an ``asyncore_loop_timeout`` adjustment value, which controls the ``timeout`` value passed to ``asyncore.loop``; defaults to 1. Bug Fixes ~~~~~~~~~ - The default asyncore loop timeout is now 1 second. This prevents slow shutdown on Windows. See https://github.com/Pylons/waitress/issues/6 . This shouldn't matter to anyone in particular, but it can be changed via the ``asyncore_loop_timeout`` adjustment (it used to previously default to 30 seconds). - Don't complain if there's a response to a HEAD request that contains a Content-Length > 0. See https://github.com/Pylons/waitress/pull/7. - Fix bug in HTTP Expect/Continue support. See https://github.com/Pylons/waitress/issues/9 . ``` ### 0.8.2 ``` ------------------ Bug Fixes ~~~~~~~~~ - https://corte.si/posts/code/pathod/pythonservers/index.html pointed out that sending a bad header resulted in an exception leading to a 500 response instead of the more proper 400 response without an exception. - Fix a race condition in the test suite. - Allow "ident" to be used as a keyword to ``serve()`` as per docs. - Add py33 to tox.ini. ``` ### 0.8.1 ``` ------------------ Bug Fixes ~~~~~~~~~ - A brown-bag bug prevented request concurrency. A slow request would block subsequent the responses of subsequent requests until the slow request's response was fully generated. This was due to a "task lock" being declared as a class attribute rather than as an instance attribute on HTTPChannel. Also took the opportunity to move another lock named "outbuf lock" to the channel instance rather than the class. See https://github.com/Pylons/waitress/pull/1 . ``` ### 0.8 ``` ---------------- Features ~~~~~~~~ - Support the WSGI ``wsgi.file_wrapper`` protocol as per https://www.python.org/dev/peps/pep-0333/#optional-platform-specific-file-handling. Here's a usage example:: import os here = os.path.dirname(os.path.abspath(__file__)) def myapp(environ, start_response): f = open(os.path.join(here, 'myphoto.jpg'), 'rb') headers = [('Content-Type', 'image/jpeg')] start_response( '200 OK', headers ) return environ['wsgi.file_wrapper'](f, 32768) The signature of the file wrapper constructor is ``(filelike_object, block_size)``. Both arguments must be passed as positional (not keyword) arguments. The result of creating a file wrapper should be **returned** as the ``app_iter`` from a WSGI application. The object passed as ``filelike_object`` to the wrapper must be a file-like object which supports *at least* the ``read()`` method, and the ``read()`` method must support an optional size hint argument. It *should* support the ``seek()`` and ``tell()`` methods. If it does not, normal iteration over the filelike object using the provided block_size is used (and copying is done, negating any benefit of the file wrapper). It *should* support a ``close()`` method. The specified ``block_size`` argument to the file wrapper constructor will be used only when the ``filelike_object`` doesn't support ``seek`` and/or ``tell`` methods. Waitress needs to use normal iteration to serve the file in this degenerate case (as per the WSGI spec), and this block size will be used as the iteration chunk size. The ``block_size`` argument is optional; if it is not passed, a default value``32768`` is used. Waitress will set a ``Content-Length`` header on the behalf of an application when a file wrapper with a sufficiently filelike object is used if the application hasn't already set one. The machinery which handles a file wrapper currently doesn't do anything particularly special using fancy system calls (it doesn't use ``sendfile`` for example); using it currently just prevents the system from needing to copy data to a temporary buffer in order to send it to the client. No copying of data is done when a WSGI app returns a file wrapper that wraps a sufficiently filelike object. It may do something fancier in the future. ``` ### 0.7 ``` ---------------- Features ~~~~~~~~ - Default ``send_bytes`` value is now 18000 instead of 9000. The larger default value prevents asyncore from needing to execute select so many times to serve large files, speeding up file serving by about 15%-20% or so. This is probably only an optimization for LAN communications, and could slow things down across a WAN (due to higher TCP overhead), but we're likely to be behind a reverse proxy on a LAN anyway if in production. - Added an (undocumented) profiling feature to the ``serve()`` command. ``` ### 0.6.1 ``` ------------------ Bug Fixes ~~~~~~~~~ - Remove performance-sapping call to ``pull_trigger`` in the channel's ``write_soon`` method added mistakenly in 0.6. ``` ### 0.6 ``` ---------------- Bug Fixes ~~~~~~~~~ - A logic error prevented the internal outbuf buffer of a channel from being flushed when the client could not accept the entire contents of the output buffer in a single succession of socket.send calls when the channel was in a "pending close" state. The socket in such a case would be closed prematurely, sometimes resulting in partially delivered content. This was discovered by a user using waitress behind an Nginx reverse proxy, which apparently is not always ready to receive data. The symptom was that he received "half" of a large CSS file (110K) while serving content via waitress behind the proxy. ``` ### 0.5 ``` ---------------- Bug Fixes ~~~~~~~~~ - Fix PATH_INFO encoding/decoding on Python 3 (as per PEP 3333, tunnel bytes-in-unicode-as-latin-1-after-unquoting). ``` ### 0.4 ``` ---------------- Features ~~~~~~~~ - Added "design" document to docs. Bug Fixes ~~~~~~~~~ - Set default ``connection_limit`` back to 100 for benefit of maximal platform compatibility. - Normalize setting of ``last_activity`` during send. - Minor resource cleanups during tests. - Channel timeout cleanup was broken. ``` ### 0.3 ``` ---------------- Features ~~~~~~~~ - Dont hang a thread up trying to send data to slow clients. - Use self.logger to log socket errors instead of self.log_info (normalize). - Remove pointless handle_error method from channel. - Queue requests instead of tasks in a channel. Bug Fixes ~~~~~~~~~ - Expect: 100-continue responses were broken. ``` ### 0.2 ``` ---------------- Bug Fixes ~~~~~~~~~ - Set up logging by calling logging.basicConfig() when ``serve`` is called (show tracebacks and other warnings to console by default). - Disallow WSGI applications to set "hop-by-hop" headers (Connection, Transfer-Encoding, etc). - Don't treat 304 status responses specially in HTTP/1.1 mode. - Remove out of date ``interfaces.py`` file. - Normalize logging (all output is now sent to the ``waitress`` logger rather than in degenerate cases some output being sent directly to stderr). Features ~~~~~~~~ - Support HTTP/1.1 ``Transfer-Encoding: chunked`` responses. - Slightly better docs about logging. ``` ### 0.1 ``` ---------------- - Initial release. ```Links
- PyPI: https://pypi.org/project/waitress - Changelog: https://pyup.io/changelogs/waitress/ - Repo: https://github.com/Pylons/waitress