waitress Documentation v1.4.0
https://blog.zeddyu.info/2019/12/08/HTTP-Smuggling-en/ Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn't believe this could lead to a security issue validated to be properly framed with CRLF as required by RFC7230. Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating
0 points | 48 pages | 54.34 KB | 1 year ago
waitress Documentation v2.1.1
GHSA-pg36-wpm5-g57p CVE-ID: CVE-2019-16785 Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn't believe this could lead to a security issue validated to be properly framed with CRLF as required by RFC7230. Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating
0 points | 53 pages | 58.27 KB | 1 year ago
waitress Documentation v2.1.0
GHSA-pg36-wpm5-g57p CVE-ID: CVE-2019-16785 Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn't believe this could lead to a security issue validated to be properly framed with CRLF as required by RFC7230. Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating
0 points | 52 pages | 57.95 KB | 1 year ago
waitress Documentation v1.4.3
• Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn’t believe this could lead to a security issue to be properly framed with CRLF as required by RFC7230. • Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating
0 points | 103 pages | 259.25 KB | 1 year ago
waitress Documentation v3.0.1
GHSA-pg36-wpm5-g57p CVE-ID: CVE-2019-16785 Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn't believe this could lead to a security issue validated to be properly framed with CRLF as required by RFC7230. Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating
0 points | 55 pages | 56.36 KB | 1 year ago
waitress Documentation v2.1.2
• Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn’t believe this could lead to a security issue to be properly framed with CRLF as required by RFC7230. • Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating
0 points | 115 pages | 272.79 KB | 1 year ago
waitress Documentation v2.1.1
• Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn’t believe this could lead to a security issue to be properly framed with CRLF as required by RFC7230. • Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not Implemented with an error message stating
0 points | 113 pages | 270.88 KB | 1 year ago
waitress Documentation v3.0.1
GHSA-pg36-wpm5-g57p CVE-ID: CVE-2019-16785 • Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn't believe this could lead to a security issue to be properly framed with CRLF as required by RFC7230. • Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked. That means that if the following header is sent: Transfer-Encoding: gzip, chunked Waitress will send back a 501 Not
0 points | 119 pages | 339.46 KB | 1 year ago
waitress Documentation v1.3.1
https://github.com/Pylons/waitress/pull/187 9.2 Bugfixes • Waitress will no longer send Transfer-Encoding or Content-Length for 1xx, 204, or 304 responses, and will completely ignore any message body as per RFC 2616. See https://github.com/Pylons/waitress/pull/44 • When waitress receives a Transfer-Encoding: chunked request, we no longer send the TRANSFER_ENCODING nor the HTTP_TRANSFER_ENCODING value request is a non-chunked request with an accurate content-length. • Cope with the fact that the Transfer-Encoding value is case-insensitive. • When the --unix-socket-perms option was used as an argument to
0 points | 95 pages | 249.32 KB | 1 year ago
waitress Documentation v1.1.0
name as per RFC 2616. See https://github.com/Pylons/waitress/pull/44 When waitress receives a Transfer-Encoding: chunked request, we no longer send the TRANSFER_ENCODING nor the HTTP_TRANSFER_ENCODING value request is a non-chunked request with an accurate content-length. Cope with the fact that the Transfer-Encoding value is case-insensitive. When the --unix-socket-perms option was used as an argument to waitress- to console by default). Disallow WSGI applications to set “hop-by-hop” headers (Connection, Transfer-Encoding, etc). Don’t treat 304 status responses specially in HTTP/1.1 mode. Remove out of date interfaces
0 points | 36 pages | 41.63 KB | 1 year ago