python-waitress/SOURCES/0007-Backport-security-fix-...

From 6e0af1e0e01f7c9a9a83431b99a82b0de5c6a5da Mon Sep 17 00:00:00 2001
From: Carl George <carlwgeorge@gmail.com>
Date: Tue, 25 Jun 2024 22:40:57 -0500
Subject: [PATCH 7/8] Backport security fix note

---
 CHANGES.txt | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/CHANGES.txt b/CHANGES.txt
index 701c2b0..f9d4c42 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,3 +1,26 @@
+Security Bugfix
+~~~~~~~~~~~~~~~
+
+- Waitress now validates that chunked encoding extensions are valid, and don't
+  contain invalid characters that are not allowed. They are still skipped/not
+  processed, but if they contain invalid data we no longer continue in and
+  return a 400 Bad Request. This stops potential HTTP desync/HTTP request
+  smuggling. Thanks to Zhang Zeyu for reporting this issue. See
+  https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
+
+- Waitress now validates that the chunk length is only valid hex digits when
+  parsing chunked encoding, and values such as ``0x01`` and ``+01`` are no
+  longer supported. This stops potential HTTP desync/HTTP request smuggling.
+  Thanks to Zhang Zeyu for reporting this issue. See
+  https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
+
+- Waitress now validates that the Content-Length sent by a remote contains only
+  digits in accordance with RFC7230 and will return a 400 Bad Request when the
+  Content-Length header contains invalid data, such as ``+10`` which would
+  previously get parsed as ``10`` and accepted. This stops potential HTTP
+  desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue. See
+  https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
+
 1.4.3 (2020-02-02)
 ------------------
 
-- 
2.45.2
import python-waitress-1.4.3-2.el8 5 months ago			`From 6e0af1e0e01f7c9a9a83431b99a82b0de5c6a5da Mon Sep 17 00:00:00 2001`
			`From: Carl George <carlwgeorge@gmail.com>`
			`Date: Tue, 25 Jun 2024 22:40:57 -0500`
			`Subject: [PATCH 7/8] Backport security fix note`

			`---`
			`CHANGES.txt \| 23 +++++++++++++++++++++++`
			`1 file changed, 23 insertions(+)`

			`diff --git a/CHANGES.txt b/CHANGES.txt`
			`index 701c2b0..f9d4c42 100644`
			`--- a/CHANGES.txt`
			`+++ b/CHANGES.txt`
			`@@ -1,3 +1,26 @@`
			`+Security Bugfix`
			`+~~~~~~~~~~~~~~~`
			`+`
			`+- Waitress now validates that chunked encoding extensions are valid, and don't`
			`+ contain invalid characters that are not allowed. They are still skipped/not`
			`+ processed, but if they contain invalid data we no longer continue in and`
			`+ return a 400 Bad Request. This stops potential HTTP desync/HTTP request`
			`+ smuggling. Thanks to Zhang Zeyu for reporting this issue. See`
			`+ https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36`
			`+`
			`+- Waitress now validates that the chunk length is only valid hex digits when`
			+ parsing chunked encoding, and values such as ``0x01`` and ``+01`` are no
			`+ longer supported. This stops potential HTTP desync/HTTP request smuggling.`
			`+ Thanks to Zhang Zeyu for reporting this issue. See`
			`+ https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36`
			`+`
			`+- Waitress now validates that the Content-Length sent by a remote contains only`
			`+ digits in accordance with RFC7230 and will return a 400 Bad Request when the`
			+ Content-Length header contains invalid data, such as ``+10`` which would
			+ previously get parsed as ``10`` and accepted. This stops potential HTTP
			`+ desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue. See`
			`+ https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36`
			`+`
			`1.4.3 (2020-02-02)`
			`------------------`

			`--`
			`2.45.2`