waitress Documentation v1.4.0
https://blog.zeddyu.info/2019/12/08/HTTP-Smuggling-en/ Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn't believe this could lead to a security issue ... validated to be properly framed with CRLF as required by RFC7230. Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating
0 points | 48 pages | 54.34 KB | 1 year ago | 3
waitress Documentation v2.1.1
GHSA-pg36-wpm5-g57p CVE-ID: CVE-2019-16785 Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn't believe this could lead to a security issue ... validated to be properly framed with CRLF as required by RFC7230. Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating
0 points | 53 pages | 58.27 KB | 1 year ago | 3
waitress Documentation v2.1.0
GHSA-pg36-wpm5-g57p CVE-ID: CVE-2019-16785 Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn't believe this could lead to a security issue ... validated to be properly framed with CRLF as required by RFC7230. Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating
0 points | 52 pages | 57.95 KB | 1 year ago | 3
waitress Documentation v3.0.1
GHSA-pg36-wpm5-g57p CVE-ID: CVE-2019-16785 Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn't believe this could lead to a security issue ... validated to be properly framed with CRLF as required by RFC7230. Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating
0 points | 55 pages | 56.36 KB | 1 year ago | 3
waitress Documentation v1.1.0
name as per RFC 2616. See https://github.com/Pylons/waitress/pull/44 When waitress receives a Transfer-Encoding: chunked request, we no longer send the TRANSFER_ENCODING nor the HTTP_TRANSFER_ENCODING value ... request is a non-chunked request with an accurate content-length. Cope with the fact that the Transfer-Encoding value is case-insensitive. When the --unix-socket-perms option was used as an argument to waitress- ... to console by default). Disallow WSGI applications to set "hop-by-hop" headers (Connection, Transfer-Encoding, etc). Don't treat 304 status responses specially in HTTP/1.1 mode. Remove out of date interfaces
0 points | 36 pages | 41.63 KB | 1 year ago | 3
Tornado 6.0 Documentation
now responds with a 400 error instead of simply closing the connection. Content-Length and Transfer-Encoding headers are no longer sent with 1xx or 204 responses (this was already true of 304 responses) curl_httpclient Improved debug logging on Python 3. tornado.httpserver Content-Length and Transfer-Encoding headers are no longer sent with 1xx or 204 responses (this was already true of 304 responses) is_coroutine_function identifies functions wrapped by coroutine or engine. tornado.http1connection The Transfer-Encoding header is now parsed case-insensitively. tornado.httpclient SimpleAsyncHTTPClient now follows
0 points | 869 pages | 692.83 KB | 1 year ago | 3
Tornado 6.1 Documentation
now responds with a 400 error instead of simply closing the connection. Content-Length and Transfer-Encoding headers are no longer sent with 1xx or 204 responses (this was already true of 304 responses) curl_httpclient Improved debug logging on Python 3. tornado.httpserver Content-Length and Transfer-Encoding headers are no longer sent with 1xx or 204 responses (this was already true of 304 responses) is_coroutine_function identifies functions wrapped by coroutine or engine. tornado.http1connection The Transfer-Encoding header is now parsed case-insensitively. tornado.httpclient SimpleAsyncHTTPClient now follows
0 points | 931 pages | 708.03 KB | 1 year ago | 3
Tornado 6.5 Documentation
[https://docs.python.org/3/library/functions.html#bool] Returns true if the headers specify Transfer-Encoding: chunked. Raise httputil.HTTPInputError if any other transfer encoding is used. ... Asynchronous CVE-2024-7592. ... What's new in Tornado 6.4.1 Jun 6, 2024 Security Improvements Parsing of the Transfer-Encoding header is now stricter. Unexpected transfer-encoding values were previously ignored and treated ... in Tornado 6.3.3 Aug 11, 2023 Security improvements The Content-Length header and chunked Transfer-Encoding sizes are now parsed more strictly (according to the relevant RFCs) to avoid potential request-
0 points | 437 pages | 405.14 KB | 3 months ago | 3
Tornado 5.1 Documentation
now responds with a 400 error instead of simply closing the connection. Content-Length and Transfer-Encoding headers are no longer sent with 1xx or 204 responses (this was already true of 304 responses) curl_httpclient Improved debug logging on Python 3. tornado.httpserver Content-Length and Transfer-Encoding headers are no longer sent with 1xx or 204 responses (this was already true of 304 responses) is_coroutine_function identifies functions wrapped by coroutine or engine. tornado.http1connection The Transfer-Encoding header is now parsed case-insensitively. tornado.httpclient SimpleAsyncHTTPClient now follows
0 points | 359 pages | 347.32 KB | 1 year ago | 3
Tornado 6.4 Documentation
in Tornado 6.3.3 Aug 11, 2023 Security improvements The Content-Length header and chunked Transfer-Encoding sizes are now parsed more strictly (according to the relevant RFCs) to avoid potential request- ... now responds with a 400 error instead of simply closing the connection. Content-Length and Transfer-Encoding headers are no longer sent with 1xx or 204 responses (this was already true of 304 responses) curl_httpclient Improved debug logging on Python 3. tornado.httpserver Content-Length and Transfer-Encoding headers are no longer sent with 1xx or 204 responses (this was already true of 304 responses)
0 points | 432 pages | 402.58 KB | 1 year ago | 3














