27 waitress Documentation, Release 1.4.3 • Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn’t believe this could lead to a security issue to be properly framed with CRLF as required by RFC7230. • Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating

39 waitress Documentation, Release 2.1.2 • Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn’t believe this could lead to a security issue to be properly framed with CRLF as required by RFC7230. • Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating

37 waitress Documentation, Release 2.1.1 • Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn’t believe this could lead to a security issue to be properly framed with CRLF as required by RFC7230. • Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating

GHSA-pg36-wpm5-g57p CVE-ID: CVE-2019-16785 • Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn't believe this could lead to a security issue to be properly framed with CRLF as required by RFC7230. • Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked 43 waitress Documentation, Release 3.0.1 Waitress will send back a 501 Not

https://github.com/Pylons/ waitress/pull/187 9.2 Bugfixes • Waitress will no longer send Transfer-Encoding or Content-Length for 1xx, 204, or 304 responses, and will completely ignore any message body as per RFC 2616. See https://github.com/Pylons/ waitress/pull/44 • When waitress receives a Transfer-Encoding: chunked request, we no longer send the TRANSFER_ENCODING nor the HTTP_TRANSFER_ENCODING value request is a non-chunked request with an accurate content-length. • Cope with the fact that the Transfer-Encoding value is case-insensitive. • When the --unix-socket-perms option was used as an argument to

is_transfer_encoding_chunked(headers: HTTPHeaders) → bool Returns true if the headers specify Transfer-Encoding: chunked. Raise httputil.HTTPInputError if any other transfer encoding is used. 6.4 Asynchronous Tornado 6.4.1 Jun 6, 2024 Security Improvements • Parsing of the Transfer-Encoding header is now stricter. Unexpected transfer-encoding values were previously ignored and treated as the HTTP/1.0 default Tornado 6.3.3 Aug 11, 2023 Security improvements • The Content-Length header and chunked Transfer-Encoding sizes are now parsed more strictly (according to the relevant RFCs) to avoid potential request-smuggling

chunk 是一个字符串，则第二个参数指定如何将这个字符串 编码成字节流，缺省情况下，编码为'utf8'。 注意:这是一个原始格式 http 报文体，和高层协议中的多段消息体编码格式({'Transfer-Encoding':'chunked'})无关。 第一次调用 response.write()时，此方法会将已经缓冲的消息头和第一块消息体发送给客户。 当第二次调用 response.write()的时候，node ClientRequest 对象 如果你就想要发送一个信息体，记得要在头信息里包含 Content-Length 项。如果你想要将 BODY 通过流的方式 传输发送，或许需要设置 Transfer-Encoding: chunked. 译注:大多数的站点相应用户请求时发送的 HTTP Headers 中包含 Content-Length 头.此头信息定义在 HTTP1.0协 议 RFC 1945 群：53090214 共同学习 NodeJS，欢迎加入。 38 那么浏览器就会白屏.这样导致比较糟糕的用户体验. 解决方法在 HTTP1.1协议.RFC2616中14.41章节中定义的 Transfer-Encoding:chunked 的头信息.chunked 编码定义在3.6.1中.根据此定义浏览器不需要等到内容字节全部下 载完成,只要接收到一个 chunked 块就可解析页面.并且可以下载 html

Tornado 6.3.3 Aug 11, 2023 Security improvements • The Content-Length header and chunked Transfer-Encoding sizes are now parsed more strictly (according to the relevant RFCs) to avoid potential request-smuggling now responds with a 400 error instead of simply closing the connection. • Content-Length and Transfer-Encoding headers are no longer sent with 1xx or 204 responses (this was already true of 304 responses) curl_httpclient • Improved debug logging on Python 3. tornado.httpserver • Content-Length and Transfer-Encoding headers are no longer sent with 1xx or 204 responses (this was already true of 304 responses)

Tornado 6.3.3 Aug 11, 2023 Security improvements • The Content-Length header and chunked Transfer-Encoding sizes are now parsed more strictly (according to the relevant RFCs) to avoid potential request-smuggling now responds with a 400 error instead of simply closing the connection. • Content-Length and Transfer-Encoding headers are no longer sent with 1xx or 204 responses (this was already true of 304 responses) curl_httpclient • Improved debug logging on Python 3. tornado.httpserver • Content-Length and Transfer-Encoding headers are no longer sent with 1xx or 204 responses (this was already true of 304 responses)

Tornado 6.3.3 Aug 11, 2023 Security improvements • The Content-Length header and chunked Transfer-Encoding sizes are now parsed more strictly (according to the relevant RFCs) to avoid potential request-smuggling now responds with a 400 error instead of simply closing the connection. • Content-Length and Transfer-Encoding headers are no longer sent with 1xx or 204 responses (this was already true of 304 responses) curl_httpclient • Improved debug logging on Python 3. tornado.httpserver • Content-Length and Transfer-Encoding headers are no longer sent with 1xx or 204 responses (this was already true of 304 responses)