44 lines
1.7 KiB
From 6e0af1e0e01f7c9a9a83431b99a82b0de5c6a5da Mon Sep 17 00:00:00 2001
From: Carl George <carlwgeorge@gmail.com>
Date: Tue, 25 Jun 2024 22:40:57 -0500
Subject: [PATCH 7/8] Backport security fix note
---
CHANGES.txt | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/CHANGES.txt b/CHANGES.txt
index 701c2b0..f9d4c42 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,3 +1,26 @@
+Security Bugfix
+~~~~~~~~~~~~~~~
+
+- Waitress now validates that chunked encoding extensions are valid, and don't
+ contain invalid characters that are not allowed. They are still skipped/not
+ processed, but if they contain invalid data we no longer continue in and
+ return a 400 Bad Request. This stops potential HTTP desync/HTTP request
+ smuggling. Thanks to Zhang Zeyu for reporting this issue. See
+ https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
+
+- Waitress now validates that the chunk length is only valid hex digits when
+ parsing chunked encoding, and values such as ``0x01`` and ``+01`` are no
+ longer supported. This stops potential HTTP desync/HTTP request smuggling.
+ Thanks to Zhang Zeyu for reporting this issue. See
+ https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
+
+- Waitress now validates that the Content-Length sent by a remote contains only
+ digits in accordance with RFC7230 and will return a 400 Bad Request when the
+ Content-Length header contains invalid data, such as ``+10`` which would
+ previously get parsed as ``10`` and accepted. This stops potential HTTP
+ desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue. See
+ https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
+
1.4.3 (2020-02-02)
------------------
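Review bot: the new "Security Bugfix" block is inserted above the "1.4.3 (2020-02-02)" entry with no version heading of its own, so a reader of CHANGES.txt cannot tell which release carries these backported fixes; give it a release heading in the file's existing "version (date)" plus dashed-underline style before landing. Two smaller points in the added lines: the third bullet is missing a full stop in "desync/HTTP request smuggling Thanks to Zhang Zeyu", and the first bullet's "we no longer continue in and return a 400 Bad Request" reads awkwardly and would be clearer as "we no longer continue and instead return a 400 Bad Request".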
--
2.45.2