| 2.0.0 (2021-03-07) |
| ------------------ |
| |
| Friendly Reminder |
| ~~~~~~~~~~~~~~~~~ |
| |
| This release still contains a variety of deprecation notices about defaults |
| that can be set for a variety of options. |
| |
| Please note that this is your last warning, and you should update your |
| configuration if you do NOT want to use the new defaults. |
| |
| See the arguments documentation page for all supported options, and pay |
| attention to the warnings: |
| |
| https://docs.pylonsproject.org/projects/waitress/en/stable/arguments.html |
| |
| Without further ado, here's a short list of great changes thanks to our |
| contributors! |
| |
| Bugfixes/Features |
| ~~~~~~~~~~~~~~~~~ |
| |
| - Fix a crash on startup when listening to multiple interfaces. |
| See https://github.com/Pylons/waitress/pull/332 |
| |
| - Waitress no longer attempts to guess at what the ``server_name`` should be for |
| a listen socket, instead it always use a new adjustment/argument named |
| ``server_name``. |
| |
| Please see the documentation for ``server_name`` in |
| https://docs.pylonsproject.org/projects/waitress/en/latest/arguments.html and |
| see https://github.com/Pylons/waitress/pull/329 |
| |
| - Allow tasks to notice if the client disconnected. |
| |
| This inserts a callable ``waitress.client_disconnected`` into the environment |
| that allows the task to check if the client disconnected while waiting for |
| the response at strategic points in the execution and to cancel the |
| operation. |
| |
| It requires setting the new adjustment ``channel_request_lookahead`` to a value |
| larger than 0, which continues to read requests from a channel even if a |
| request is already being processed on that channel, up to the given count, |
| since a client disconnect is detected by reading from a readable socket and |
| receiving an empty result. |
| |
| See https://github.com/Pylons/waitress/pull/310 |
| |
| - Drop Python 2.7 and 3.5 support |
| |
| - The server now issues warning output when it there are enough open |
| connections (controlled by "connection_limit"), that it is no longer |
| accepting new connections. This situation was previously difficult to |
| diagnose. |
| See https://github.com/Pylons/waitress/pull/322 |
| |
| 1.4.4 (2020-06-01) |
| ------------------ |
| |
| - Fix an issue with keep-alive connections in which memory usage was higher |
| than expected because output buffers were being reused across requests on |
| a long-lived connection and each buffer would not be freed until it was full |
| or the connection was closed. Buffers are now rotated per-request to |
| stabilize their behavior. |
| |
| See https://github.com/Pylons/waitress/pull/300 |
| |
| - Waitress threads have been updated to contain their thread number. This will |
| allow loggers that use that information to print the thread that the log is |
| coming from. |
| |
| See https://github.com/Pylons/waitress/pull/302 |
| |
| 1.4.3 (2020-02-02) |
| ------------------ |
| |
| Security Fixes |
| ~~~~~~~~~~~~~~ |
| |
| - In Waitress version 1.4.2 a new regular expression was added to validate the |
| headers that Waitress receives to make sure that it matches RFC7230. |
| Unfortunately the regular expression was written in a way that with invalid |
| input it leads to catastrophic backtracking which allows for a Denial of |
| Service and CPU usage going to a 100%. |
| |
| This was reported by Fil Zembowicz to the Pylons Project. Please see |
| https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc |
| for more information. |
| |
| 1.4.2 (2020-01-02) |
| ------------------ |
| |
| Security Fixes |
| ~~~~~~~~~~~~~~ |
| |
| - This is a follow-up to the fix introduced in 1.4.1 to tighten up the way |
| Waitress strips whitespace from header values. This makes sure Waitress won't |
| accidentally treat non-printable characters as whitespace and lead to a |
| potental HTTP request smuggling/splitting security issue. |
| |
| Thanks to ZeddYu Lu for the extra test cases. |
| |
| Please see the security advisory for more information: |
| https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 |
| |
| CVE-ID: CVE-2019-16789 |
| |
| Bugfixes |
| ~~~~~~~~ |
| |
| - Updated the regex used to validate header-field content to match the errata |
| that was published for RFC7230. |
| |
| See: https://www.rfc-editor.org/errata_search.php?rfc=7230&eid=4189 |
| |
| |
| 1.4.1 (2019-12-24) |
| ------------------ |
| |
| Security Fixes |
| ~~~~~~~~~~~~~~ |
| |
| - Waitress did not properly validate that the HTTP headers it received were |
| properly formed, thereby potentially allowing a front-end server to treat a |
| request different from Waitress. This could lead to HTTP request |
| smuggling/splitting. |
| |
| Please see the security advisory for more information: |
| https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 |
| |
| CVE-ID: CVE-2019-16789 |
| |
| 1.4.0 (2019-12-20) |
| ------------------ |
| |
| Bugfixes |
| ~~~~~~~~ |
| |
| - Waitress used to slam the door shut on HTTP pipelined requests without |
| setting the ``Connection: close`` header as appropriate in the response. This |
| is of course not very friendly. Waitress now explicitly sets the header when |
| responding with an internally generated error such as 400 Bad Request or 500 |
| Internal Server Error to notify the remote client that it will be closing the |
| connection after the response is sent. |
| |
| - Waitress no longer allows any spaces to exist between the header field-name |
| and the colon. While waitress did not strip the space and thereby was not |
| vulnerable to any potential header field-name confusion, it should have sent |
| back a 400 Bad Request. See https://github.com/Pylons/waitress/issues/273 |
| |
| Security Fixes |
| ~~~~~~~~~~~~~~ |
| |
| - Waitress implemented a "MAY" part of the RFC7230 |
| (https://tools.ietf.org/html/rfc7230#section-3.5) which states: |
| |
| Although the line terminator for the start-line and header fields is |
| the sequence CRLF, a recipient MAY recognize a single LF as a line |
| terminator and ignore any preceding CR. |
| |
| Unfortunately if a front-end server does not parse header fields with an LF |
| the same way as it does those with a CRLF it can lead to the front-end and |
| the back-end server parsing the same HTTP message in two different ways. This |
| can lead to a potential for HTTP request smuggling/splitting whereby Waitress |
| may see two requests while the front-end server only sees a single HTTP |
| message. |
| |
| For more information I can highly recommend the blog post by ZeddYu Lu |
| https://blog.zeddyu.info/2019/12/08/HTTP-Smuggling-en/ |
| |
| Please see the security advisory for more information: |
| https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p |
| |
| CVE-ID: CVE-2019-16785 |
| |
| - Waitress used to treat LF the same as CRLF in ``Transfer-Encoding: chunked`` |
| requests, while the maintainer doesn't believe this could lead to a security |
| issue, this is no longer supported and all chunks are now validated to be |
| properly framed with CRLF as required by RFC7230. |
| |
| - Waitress now validates that the ``Transfer-Encoding`` header contains only |
| transfer codes that it is able to decode. At the moment that includes the |
| only valid header value being ``chunked``. |
| |
| That means that if the following header is sent: |
| |
| ``Transfer-Encoding: gzip, chunked`` |
| |
| Waitress will send back a 501 Not Implemented with an error message stating |
| as such, as while Waitress supports ``chunked`` encoding it does not support |
| ``gzip`` and it is unable to pass that to the underlying WSGI environment |
| correctly. |
| |
| Waitress DOES NOT implement support for ``Transfer-Encoding: identity`` |
| eventhough ``identity`` was valid in RFC2616, it was removed in RFC7230. |
| Please update your clients to remove the ``Transfer-Encoding`` header if the |
| only transfer coding is ``identity`` or update your client to use |
| ``Transfer-Encoding: chunked`` instead of ``Transfer-Encoding: identity, |
| chunked``. |
| |
| Please see the security advisory for more information: |
| https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p |
| |
| CVE-ID: CVE-2019-16786 |
| |
| - While validating the ``Transfer-Encoding`` header, Waitress now properly |
| handles line-folded ``Transfer-Encoding`` headers or those that contain |
| multiple comma seperated values. This closes a potential issue where a |
| front-end server may treat the request as being a chunked request (and thus |
| ignoring the Content-Length) and Waitress using the Content-Length as it was |
| looking for the single value ``chunked`` and did not support comma seperated |
| values. |
| |
| - Waitress used to explicitly set the Content-Length header to 0 if it was |
| unable to parse it as an integer (for example if the Content-Length header |
| was sent twice (and thus folded together), or was invalid) thereby allowing |
| for a potential request to be split and treated as two requests by HTTP |
| pipelining support in Waitress. If Waitress is now unable to parse the |
| Content-Length header, a 400 Bad Request is sent back to the client. |
| |
| Please see the security advisory for more information: |
| https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6 |
| |
| 1.3.1 (2019-08-27) |
| ------------------ |
| |
| Bugfixes |
| ~~~~~~~~ |
| |
| - Waitress won't accidentally throw away part of the path if it starts with a |
| double slash (``GET //testing/whatever HTTP/1.0``). WSGI applications will |
| now receive a ``PATH_INFO`` in the environment that contains |
| ``//testing/whatever`` as required. See |
| https://github.com/Pylons/waitress/issues/260 and |
| https://github.com/Pylons/waitress/pull/261 |
| |
| |
| 1.3.0 (2019-04-22) |
| ------------------ |
| |
| Deprecations |
| ~~~~~~~~~~~~ |
| |
| - The ``send_bytes`` adjustment now defaults to ``1`` and is deprecated |
| pending removal in a future release. |
| and https://github.com/Pylons/waitress/pull/246 |
| |
| Features |
| ~~~~~~~~ |
| |
| - Add a new ``outbuf_high_watermark`` adjustment which is used to apply |
| backpressure on the ``app_iter`` to avoid letting it spin faster than data |
| can be written to the socket. This stabilizes responses that iterate quickly |
| with a lot of data. |
| See https://github.com/Pylons/waitress/pull/242 |
| |
| - Stop early and close the ``app_iter`` when attempting to write to a closed |
| socket due to a client disconnect. This should notify a long-lived streaming |
| response when a client hangs up. |
| See https://github.com/Pylons/waitress/pull/238 |
| and https://github.com/Pylons/waitress/pull/240 |
| and https://github.com/Pylons/waitress/pull/241 |
| |
| - Adjust the flush to output ``SO_SNDBUF`` bytes instead of whatever was |
| set in the ``send_bytes`` adjustment. ``send_bytes`` now only controls how |
| much waitress will buffer internally before flushing to the kernel, whereas |
| previously it used to also throttle how much data was sent to the kernel. |
| This change enables a streaming ``app_iter`` containing small chunks to |
| still be flushed efficiently. |
| See https://github.com/Pylons/waitress/pull/246 |
| |
| Bugfixes |
| ~~~~~~~~ |
| |
| - Upon receiving a request that does not include HTTP/1.0 or HTTP/1.1 we will |
| no longer set the version to the string value "None". See |
| https://github.com/Pylons/waitress/pull/252 and |
| https://github.com/Pylons/waitress/issues/110 |
| |
| - When a client closes a socket unexpectedly there was potential for memory |
| leaks in which data was written to the buffers after they were closed, |
| causing them to reopen. |
| See https://github.com/Pylons/waitress/pull/239 |
| |
| - Fix the queue depth warnings to only show when all threads are busy. |
| See https://github.com/Pylons/waitress/pull/243 |
| and https://github.com/Pylons/waitress/pull/247 |
| |
| - Trigger the ``app_iter`` to close as part of shutdown. This will only be |
| noticeable for users of the internal server api. In more typical operations |
| the server will die before benefiting from these changes. |
| See https://github.com/Pylons/waitress/pull/245 |
| |
| - Fix a bug in which a streaming ``app_iter`` may never cleanup data that has |
| already been sent. This would cause buffers in waitress to grow without |
| bounds. These buffers now properly rotate and release their data. |
| See https://github.com/Pylons/waitress/pull/242 |
| |
| - Fix a bug in which non-seekable subclasses of ``io.IOBase`` would trigger |
| an exception when passed to the ``wsgi.file_wrapper`` callback. |
| See https://github.com/Pylons/waitress/pull/249 |
| |
| 1.2.1 (2019-01-25) |
| ------------------ |
| |
| Bugfixes |
| ~~~~~~~~ |
| |
| - When given an IPv6 address in ``X-Forwarded-For`` or ``Forwarded for=`` |
| waitress was placing the IP address in ``REMOTE_ADDR`` with brackets: |
| ``[2001:db8::0]``, this does not match the requirements in the CGI spec which |
| ``REMOTE_ADDR`` was lifted from. Waitress will now place the bare IPv6 |
| address in ``REMOTE_ADDR``: ``2001:db8::0``. See |
| https://github.com/Pylons/waitress/pull/232 and |
| https://github.com/Pylons/waitress/issues/230 |
| |
| 1.2.0 (2019-01-15) |
| ------------------ |
| |
| No changes since the last beta release. Enjoy Waitress! |
| |
| 1.2.0b3 (2019-01-07) |
| -------------------- |
| |
| Bugfixes |
| ~~~~~~~~ |
| |
| - Modified ``clear_untrusted_proxy_headers`` to be usable without a |
| ``trusted_proxy``. |
| https://github.com/Pylons/waitress/pull/228 |
| |
| - Modified ``trusted_proxy_count`` to error when used without a |
| ``trusted_proxy``. |
| https://github.com/Pylons/waitress/pull/228 |
| |
| 1.2.0b2 (2019-02-02) |
| -------------------- |
| |
| Bugfixes |
| ~~~~~~~~ |
| |
| - Fixed logic to no longer warn on writes where the output is required to have |
| a body but there may not be any data to be written. Solves issue posted on |
| the Pylons Project mailing list with 1.2.0b1. |
| |
| 1.2.0b1 (2018-12-31) |
| -------------------- |
| |
| Happy New Year! |
| |
| Features |
| ~~~~~~~~ |
| |
| - Setting the ``trusted_proxy`` setting to ``'*'`` (wildcard) will allow all |
| upstreams to be considered trusted proxies, thereby allowing services behind |
| Cloudflare/ELBs to function correctly whereby there may not be a singular IP |
| address that requests are received from. |
| |
| Using this setting is potentially dangerous if your server is also available |
| from anywhere on the internet, and further protections should be used to lock |
| down access to Waitress. See https://github.com/Pylons/waitress/pull/224 |
| |
| - Waitress has increased its support of the X-Forwarded-* headers and includes |
| Forwarded (RFC7239) support. This may be used to allow proxy servers to |
| influence the WSGI environment. See |
| https://github.com/Pylons/waitress/pull/209 |
| |
| This also provides a new security feature when using Waitress behind a proxy |
| in that it is possible to remove untrusted proxy headers thereby making sure |
| that downstream WSGI applications don't accidentally use those proxy headers |
| to make security decisions. |
| |
| The documentation has more information, see the following new arguments: |
| |
| - trusted_proxy_count |
| - trusted_proxy_headers |
| - clear_untrusted_proxy_headers |
| - log_untrusted_proxy_headers (useful for debugging) |
| |
| Be aware that the defaults for these are currently backwards compatible with |
| older versions of Waitress, this will change in a future release of waitress. |
| If you expect to need this behaviour please explicitly set these variables in |
| your configuration, or pin this version of waitress. |
| |
| Documentation: |
| https://docs.pylonsproject.org/projects/waitress/en/latest/reverse-proxy.html |
| |
| - Waitress can now accept a list of sockets that are already pre-bound rather |
| than creating its own to allow for socket activation. Support for init |
| systems/other systems that create said activated sockets is not included. See |
| https://github.com/Pylons/waitress/pull/215 |
| |
| - Server header can be omitted by specifying ``ident=None`` or ``ident=''``. |
| See https://github.com/Pylons/waitress/pull/187 |
| |
| Bugfixes |
| ~~~~~~~~ |
| |
| - Waitress will no longer send Transfer-Encoding or Content-Length for 1xx, |
| 204, or 304 responses, and will completely ignore any message body sent by |
| the WSGI application, making sure to follow the HTTP standard. See |
| https://github.com/Pylons/waitress/pull/166, |
| https://github.com/Pylons/waitress/issues/165, |
| https://github.com/Pylons/waitress/issues/152, and |
| https://github.com/Pylons/waitress/pull/202 |
| |
| Compatibility |
| ~~~~~~~~~~~~~ |
| |
| - Waitress has now "vendored" asyncore into itself as ``waitress.wasyncore``. |
| This is to cope with the eventuality that asyncore will be removed from |
| the Python standard library in 3.8 or so. |
| |
| Documentation |
| ~~~~~~~~~~~~~ |
| |
| - Bring in documentation of paste.translogger from Pyramid. Reorganize and |
| clean up documentation. See |
| https://github.com/Pylons/waitress/pull/205 |
| https://github.com/Pylons/waitress/pull/70 |
| https://github.com/Pylons/waitress/pull/206 |
| |
| 1.1.0 (2017-10-10) |
| ------------------ |
| |
| Features |
| ~~~~~~~~ |
| |
| - Waitress now has a __main__ and thus may be called with ``python -mwaitress`` |
| |
| Bugfixes |
| ~~~~~~~~ |
| |
| - Waitress no longer allows lowercase HTTP verbs. This change was made to fall |
| in line with most HTTP servers. See https://github.com/Pylons/waitress/pull/170 |
| |
| - When receiving non-ascii bytes in the request URL, waitress will no longer |
| abruptly close the connection, instead returning a 400 Bad Request. See |
| https://github.com/Pylons/waitress/pull/162 and |
| https://github.com/Pylons/waitress/issues/64 |
| |
| 1.0.2 (2017-02-04) |
| ------------------ |
| |
| Features |
| ~~~~~~~~ |
| |
| - Python 3.6 is now officially supported in Waitress |
| |
| Bugfixes |
| ~~~~~~~~ |
| |
| - Add a work-around for libc issue on Linux not following the documented |
| standards. If getnameinfo() fails because of DNS not being available it |
| should return the IP address instead of the reverse DNS entry, however |
| instead getnameinfo() raises. We catch this, and ask getnameinfo() |
| for the same information again, explicitly asking for IP address instead of |
| reverse DNS hostname. See https://github.com/Pylons/waitress/issues/149 and |
| https://github.com/Pylons/waitress/pull/153 |
| |
| 1.0.1 (2016-10-22) |
| ------------------ |
| |
| Bugfixes |
| ~~~~~~~~ |
| |
| - IPv6 support on Windows was broken due to missing constants in the socket |
| module. This has been resolved by setting the constants on Windows if they |
| are missing. See https://github.com/Pylons/waitress/issues/138 |
| |
| - A ValueError was raised on Windows when passing a string for the port, on |
| Windows in Python 2 using service names instead of port numbers doesn't work |
| with `getaddrinfo`. This has been resolved by attempting to convert the port |
| number to an integer, if that fails a ValueError will be raised. See |
| https://github.com/Pylons/waitress/issues/139 |
| |
| |
| 1.0.0 (2016-08-31) |
| ------------------ |
| |
| Bugfixes |
| ~~~~~~~~ |
| |
| - Removed `AI_ADDRCONFIG` from the call to `getaddrinfo`, this resolves an |
| issue whereby `getaddrinfo` wouldn't return any addresses to `bind` to on |
| hosts where there is no internet connection but localhost is requested to be |
| bound to. See https://github.com/Pylons/waitress/issues/131 for more |
| information. |
| |
| Deprecations |
| ~~~~~~~~~~~~ |
| |
| - Python 2.6 is no longer supported. |
| |
| Features |
| ~~~~~~~~ |
| |
| - IPv6 support |
| |
| - Waitress is now able to listen on multiple sockets, including IPv4 and IPv6. |
| Instead of passing in a host/port combination you now provide waitress with a |
| space delineated list, and it will create as many sockets as required. |
| |
| .. code-block:: python |
| |
| from waitress import serve |
| serve(wsgiapp, listen='0.0.0.0:8080 [::]:9090 *:6543') |
| |
| Security |
| ~~~~~~~~ |
| |
| - Waitress will now drop HTTP headers that contain an underscore in the key |
| when received from a client. This is to stop any possible underscore/dash |
| conflation that may lead to security issues. See |
| https://github.com/Pylons/waitress/pull/80 and |
| https://www.djangoproject.com/weblog/2015/jan/13/security/ |
| |
| 0.9.0 (2016-04-15) |
| ------------------ |
| |
| Deprecations |
| ~~~~~~~~~~~~ |
| |
| - Python 3.2 is no longer supported by Waitress. |
| |
| - Python 2.6 will no longer be supported by Waitress in future releases. |
| |
| Security/Protections |
| ~~~~~~~~~~~~~~~~~~~~ |
| |
| - Building on the changes made in pull request 117, add in checking for line |
| feed/carriage return HTTP Response Splitting in the status line, as well as |
| the key of a header. See https://github.com/Pylons/waitress/pull/124 and |
| https://github.com/Pylons/waitress/issues/122. |
| |
| - Waitress will no longer accept headers or status lines with |
| newline/carriage returns in them, thereby disallowing HTTP Response |
| Splitting. See https://github.com/Pylons/waitress/issues/117 for |
| more information, as well as |
| https://www.owasp.org/index.php/HTTP_Response_Splitting. |
| |
| Bugfixes |
| ~~~~~~~~ |
| |
| - FileBasedBuffer and more important ReadOnlyFileBasedBuffer no longer report |
| False when tested with bool(), instead always returning True, and becoming |
| more iterator like. |
| See: https://github.com/Pylons/waitress/pull/82 and |
| https://github.com/Pylons/waitress/issues/76 |
| |
| - Call prune() on the output buffer at the end of a request so that it doesn't |
| continue to grow without bounds. See |
| https://github.com/Pylons/waitress/issues/111 for more information. |
| |
| 0.8.10 (2015-09-02) |
| ------------------- |
| |
| - Add support for Python 3.4, 3.5b2, and PyPy3. |
| |
| - Use a nonglobal asyncore socket map by default, trying to prevent conflicts |
| with apps and libs that use the asyncore global socket map ala |
| https://github.com/Pylons/waitress/issues/63. You can get the old |
| use-global-socket-map behavior back by passing ``asyncore.socket_map`` to the |
| ``create_server`` function as the ``map`` argument. |
| |
| - Waitress violated PEP 3333 with respect to reraising an exception when |
| ``start_response`` was called with an ``exc_info`` argument. It would |
| reraise the exception even if no data had been sent to the client. It now |
| only reraises the exception if data has actually been sent to the client. |
| See https://github.com/Pylons/waitress/pull/52 and |
| https://github.com/Pylons/waitress/issues/51 |
| |
| - Add a ``docs`` section to tox.ini that, when run, ensures docs can be built. |
| |
| - If an ``application`` value of ``None`` is supplied to the ``create_server`` |
| constructor function, a ValueError is now raised eagerly instead of an error |
| occuring during runtime. See https://github.com/Pylons/waitress/pull/60 |
| |
| - Fix parsing of multi-line (folded) headers. |
| See https://github.com/Pylons/waitress/issues/53 and |
| https://github.com/Pylons/waitress/pull/90 |
| |
| - Switch from the low level Python thread/_thread module to the threading |
| module. |
| |
| - Improved exception information should module import go awry. |
| |
| 0.8.9 (2014-05-16) |
| ------------------ |
| |
| - Fix tests under Windows. NB: to run tests under Windows, you cannot run |
| "setup.py test" or "setup.py nosetests". Instead you must run ``python.exe |
| -c "import nose; nose.main()"``. If you try to run the tests using the |
| normal method under Windows, each subprocess created by the test suite will |
| attempt to run the test suite again. See |
| https://github.com/nose-devs/nose/issues/407 for more information. |
| |
| - Give the WSGI app_iter generated when ``wsgi.file_wrapper`` is used |
| (ReadOnlyFileBasedBuffer) a ``close`` method. Do not call ``close`` on an |
| instance of such a class when it's used as a WSGI app_iter, however. This is |
| part of a fix which prevents a leakage of file descriptors; the other part of |
| the fix was in WebOb |
| (https://github.com/Pylons/webob/commit/951a41ce57bd853947f842028bccb500bd5237da). |
| |
| - Allow trusted proxies to override ``wsgi.url_scheme`` via a request header, |
| ``X_FORWARDED_PROTO``. Allows proxies which serve mixed HTTP / HTTPS |
| requests to control signal which are served as HTTPS. See |
| https://github.com/Pylons/waitress/pull/42. |
| |
| 0.8.8 (2013-11-30) |
| ------------------ |
| |
| - Fix some cases where the creation of extremely large output buffers (greater |
| than 2GB, suspected to be buffers added via ``wsgi.file_wrapper``) might |
| cause an OverflowError on Python 2. See |
| https://github.com/Pylons/waitress/issues/47. |
| |
| - When the ``url_prefix`` adjustment starts with more than one slash, all |
| slashes except one will be stripped from its beginning. This differs from |
| older behavior where more than one leading slash would be preserved in |
| ``url_prefix``. |
| |
| - If a client somehow manages to send an empty path, we no longer convert the |
| empty path to a single slash in ``PATH_INFO``. Instead, the path remains |
| empty. According to RFC 2616 section "5.1.2 Request-URI", the scenario of a |
| client sending an empty path is actually not possible because the request URI |
| portion cannot be empty. |
| |
| - If the ``url_prefix`` adjustment matches the request path exactly, we now |
| compute ``SCRIPT_NAME`` and ``PATH_INFO`` properly. Previously, if the |
| ``url_prefix`` was ``/foo`` and the path received from a client was ``/foo``, |
| we would set *both* ``SCRIPT_NAME`` and ``PATH_INFO`` to ``/foo``. This was |
| incorrect. Now in such a case we set ``PATH_INFO`` to the empty string and |
| we set ``SCRIPT_NAME`` to ``/foo``. Note that the change we made has no |
| effect on paths that do not match the ``url_prefix`` exactly (such as |
| ``/foo/bar``); these continue to operate as they did. See |
| https://github.com/Pylons/waitress/issues/46 |
| |
| - Preserve header ordering of headers with the same name as per RFC 2616. See |
| https://github.com/Pylons/waitress/pull/44 |
| |
| - When waitress receives a ``Transfer-Encoding: chunked`` request, we no longer |
| send the ``TRANSFER_ENCODING`` nor the ``HTTP_TRANSFER_ENCODING`` value to |
| the application in the environment. Instead, we pop this header. Since we |
| cope with chunked requests by buffering the data in the server, we also know |
| when a chunked request has ended, and therefore we know the content length. |
| We set the content-length header in the environment, such that applications |
| effectively never know the original request was a T-E: chunked request; it |
| will appear to them as if the request is a non-chunked request with an |
| accurate content-length. |
| |
| - Cope with the fact that the ``Transfer-Encoding`` value is case-insensitive. |
| |
| - When the ``--unix-socket-perms`` option was used as an argument to |
| ``waitress-serve``, a ``TypeError`` would be raised. See |
| https://github.com/Pylons/waitress/issues/50. |
| |
| 0.8.7 (2013-08-29) |
| ------------------ |
| |
| - The HTTP version of the response returned by waitress when it catches an |
| exception will now match the HTTP request version. |
| |
| - Fix: CONNECTION header will be HTTP_CONNECTION and not CONNECTION_TYPE |
| (see https://github.com/Pylons/waitress/issues/13) |
| |
| 0.8.6 (2013-08-12) |
| ------------------ |
| |
| - Do alternate type of checking for UNIX socket support, instead of checking |
| for platform == windows. |
| |
| - Functional tests now use multiprocessing module instead of subprocess module, |
| speeding up test suite and making concurrent execution more reliable. |
| |
| - Runner now appends the current working directory to ``sys.path`` to support |
| running WSGI applications from a directory (i.e., not installed in a |
| virtualenv). |
| |
| - Add a ``url_prefix`` adjustment setting. You can use it by passing |
| ``script_name='/foo'`` to ``waitress.serve`` or you can use it in a |
| ``PasteDeploy`` ini file as ``script_name = /foo``. This will cause the WSGI |
| ``SCRIPT_NAME`` value to be the value passed minus any trailing slashes you |
| add, and it will cause the ``PATH_INFO`` of any request which is prefixed |
| with this value to be stripped of the prefix. You can use this instead of |
| PasteDeploy's ``prefixmiddleware`` to always prefix the path. |
| |
| 0.8.5 (2013-05-27) |
| ------------------ |
| |
| - Fix runner multisegment imports in some Python 2 revisions (see |
| https://github.com/Pylons/waitress/pull/34). |
| |
| - For compatibility, WSGIServer is now an alias of TcpWSGIServer. The |
| signature of BaseWSGIServer is now compatible with WSGIServer pre-0.8.4. |
| |
| 0.8.4 (2013-05-24) |
| ------------------ |
| |
| - Add a command-line runner called ``waitress-serve`` to allow Waitress |
| to run WSGI applications without any addional machinery. This is |
| essentially a thin wrapper around the ``waitress.serve()`` function. |
| |
| - Allow parallel testing (e.g., under ``detox`` or ``nosetests --processes``) |
| using PID-dependent port / socket for functest servers. |
| |
| - Fix integer overflow errors on large buffers. Thanks to Marcin Kuzminski |
| for the patch. See: https://github.com/Pylons/waitress/issues/22 |
| |
| - Add support for listening on Unix domain sockets. |
| |
| 0.8.3 (2013-04-28) |
| ------------------ |
| |
| Features |
| ~~~~~~~~ |
| |
| - Add an ``asyncore_loop_timeout`` adjustment value, which controls the |
| ``timeout`` value passed to ``asyncore.loop``; defaults to 1. |
| |
| Bug Fixes |
| ~~~~~~~~~ |
| |
| - The default asyncore loop timeout is now 1 second. This prevents slow |
| shutdown on Windows. See https://github.com/Pylons/waitress/issues/6 . This |
| shouldn't matter to anyone in particular, but it can be changed via the |
| ``asyncore_loop_timeout`` adjustment (it used to previously default to 30 |
| seconds). |
| |
| - Don't complain if there's a response to a HEAD request that contains a |
| Content-Length > 0. See https://github.com/Pylons/waitress/pull/7. |
| |
| - Fix bug in HTTP Expect/Continue support. See |
| https://github.com/Pylons/waitress/issues/9 . |
| |
| |
| 0.8.2 (2012-11-14) |
| ------------------ |
| |
| Bug Fixes |
| ~~~~~~~~~ |
| |
| - https://corte.si/posts/code/pathod/pythonservers/index.html pointed out that |
| sending a bad header resulted in an exception leading to a 500 response |
| instead of the more proper 400 response without an exception. |
| |
| - Fix a race condition in the test suite. |
| |
| - Allow "ident" to be used as a keyword to ``serve()`` as per docs. |
| |
| - Add py33 to tox.ini. |
| |
| 0.8.1 (2012-02-13) |
| ------------------ |
| |
| Bug Fixes |
| ~~~~~~~~~ |
| |
| - A brown-bag bug prevented request concurrency. A slow request would block |
| subsequent the responses of subsequent requests until the slow request's |
| response was fully generated. This was due to a "task lock" being declared |
| as a class attribute rather than as an instance attribute on HTTPChannel. |
| Also took the opportunity to move another lock named "outbuf lock" to the |
| channel instance rather than the class. See |
| https://github.com/Pylons/waitress/pull/1 . |
| |
| 0.8 (2012-01-31) |
| ---------------- |
| |
| Features |
| ~~~~~~~~ |
| |
| - Support the WSGI ``wsgi.file_wrapper`` protocol as per |
| https://www.python.org/dev/peps/pep-0333/#optional-platform-specific-file-handling. |
| Here's a usage example:: |
| |
| import os |
| |
| here = os.path.dirname(os.path.abspath(__file__)) |
| |
| def myapp(environ, start_response): |
| f = open(os.path.join(here, 'myphoto.jpg'), 'rb') |
| headers = [('Content-Type', 'image/jpeg')] |
| start_response( |
| '200 OK', |
| headers |
| ) |
| return environ['wsgi.file_wrapper'](f, 32768) |
| |
| The signature of the file wrapper constructor is ``(filelike_object, |
| block_size)``. Both arguments must be passed as positional (not keyword) |
| arguments. The result of creating a file wrapper should be **returned** as |
| the ``app_iter`` from a WSGI application. |
| |
| The object passed as ``filelike_object`` to the wrapper must be a file-like |
| object which supports *at least* the ``read()`` method, and the ``read()`` |
| method must support an optional size hint argument. It *should* support |
| the ``seek()`` and ``tell()`` methods. If it does not, normal iteration |
| over the filelike object using the provided block_size is used (and copying |
| is done, negating any benefit of the file wrapper). It *should* support a |
| ``close()`` method. |
| |
| The specified ``block_size`` argument to the file wrapper constructor will |
| be used only when the ``filelike_object`` doesn't support ``seek`` and/or |
| ``tell`` methods. Waitress needs to use normal iteration to serve the file |
| in this degenerate case (as per the WSGI spec), and this block size will be |
| used as the iteration chunk size. The ``block_size`` argument is optional; |
| if it is not passed, a default value``32768`` is used. |
| |
| Waitress will set a ``Content-Length`` header on the behalf of an |
| application when a file wrapper with a sufficiently filelike object is used |
| if the application hasn't already set one. |
| |
| The machinery which handles a file wrapper currently doesn't do anything |
| particularly special using fancy system calls (it doesn't use ``sendfile`` |
| for example); using it currently just prevents the system from needing to |
| copy data to a temporary buffer in order to send it to the client. No |
| copying of data is done when a WSGI app returns a file wrapper that wraps a |
| sufficiently filelike object. It may do something fancier in the future. |
| |
| 0.7 (2012-01-11) |
| ---------------- |
| |
| Features |
| ~~~~~~~~ |
| |
| - Default ``send_bytes`` value is now 18000 instead of 9000. The larger |
| default value prevents asyncore from needing to execute select so many |
| times to serve large files, speeding up file serving by about 15%-20% or |
| so. This is probably only an optimization for LAN communications, and |
| could slow things down across a WAN (due to higher TCP overhead), but we're |
| likely to be behind a reverse proxy on a LAN anyway if in production. |
| |
| - Added an (undocumented) profiling feature to the ``serve()`` command. |
| |
| 0.6.1 (2012-01-08) |
| ------------------ |
| |
| Bug Fixes |
| ~~~~~~~~~ |
| |
| - Remove performance-sapping call to ``pull_trigger`` in the channel's |
| ``write_soon`` method added mistakenly in 0.6. |
| |
| 0.6 (2012-01-07) |
| ---------------- |
| |
| Bug Fixes |
| ~~~~~~~~~ |
| |
| - A logic error prevented the internal outbuf buffer of a channel from being |
| flushed when the client could not accept the entire contents of the output |
| buffer in a single succession of socket.send calls when the channel was in |
| a "pending close" state. The socket in such a case would be closed |
| prematurely, sometimes resulting in partially delivered content. This was |
| discovered by a user using waitress behind an Nginx reverse proxy, which |
| apparently is not always ready to receive data. The symptom was that he |
| received "half" of a large CSS file (110K) while serving content via |
| waitress behind the proxy. |
| |
| 0.5 (2012-01-03) |
| ---------------- |
| |
| Bug Fixes |
| ~~~~~~~~~ |
| |
| - Fix PATH_INFO encoding/decoding on Python 3 (as per PEP 3333, tunnel |
| bytes-in-unicode-as-latin-1-after-unquoting). |
| |
| 0.4 (2012-01-02) |
| ---------------- |
| |
| Features |
| ~~~~~~~~ |
| |
| - Added "design" document to docs. |
| |
| Bug Fixes |
| ~~~~~~~~~ |
| |
| - Set default ``connection_limit`` back to 100 for benefit of maximal |
| platform compatibility. |
| |
| - Normalize setting of ``last_activity`` during send. |
| |
| - Minor resource cleanups during tests. |
| |
| - Channel timeout cleanup was broken. |
| |
| 0.3 (2012-01-02) |
| ---------------- |
| |
| Features |
| ~~~~~~~~ |
| |
| - Dont hang a thread up trying to send data to slow clients. |
| |
| - Use self.logger to log socket errors instead of self.log_info (normalize). |
| |
| - Remove pointless handle_error method from channel. |
| |
| - Queue requests instead of tasks in a channel. |
| |
| Bug Fixes |
| ~~~~~~~~~ |
| |
| - Expect: 100-continue responses were broken. |
| |
| |
| 0.2 (2011-12-31) |
| ---------------- |
| |
| Bug Fixes |
| ~~~~~~~~~ |
| |
| - Set up logging by calling logging.basicConfig() when ``serve`` is called |
| (show tracebacks and other warnings to console by default). |
| |
| - Disallow WSGI applications to set "hop-by-hop" headers (Connection, |
| Transfer-Encoding, etc). |
| |
| - Don't treat 304 status responses specially in HTTP/1.1 mode. |
| |
| - Remove out of date ``interfaces.py`` file. |
| |
| - Normalize logging (all output is now sent to the ``waitress`` logger rather |
| than in degenerate cases some output being sent directly to stderr). |
| |
| Features |
| ~~~~~~~~ |
| |
| - Support HTTP/1.1 ``Transfer-Encoding: chunked`` responses. |
| |
| - Slightly better docs about logging. |
| |
| 0.1 (2011-12-30) |
| ---------------- |
| |
| - Initial release. |