Bump waitress from 1.2.1 to 2.1.1 in /geoportal #2873

dependabot · 2022-03-21T22:17:25Z

Bumps waitress from 1.2.1 to 2.1.1.

Changelog

2.1.1

Security Bugfix


- Waitress now validates that chunked encoding extensions are valid, and don't
  contain invalid characters that are not allowed. They are still skipped/not
  processed, but if they contain invalid data we no longer continue in and
  return a 400 Bad Request. This stops potential HTTP desync/HTTP request
  smuggling. Thanks to Zhang Zeyu for reporting this issue. See
  https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36


Waitress now validates that the chunk length is only valid hex digits when
parsing chunked encoding, and values such as 0x01 and +01 are no
longer supported. This stops potential HTTP desync/HTTP request smuggling.
Thanks to Zhang Zeyu for reporting this issue. See
GHSA-4f7p-27jc-3c36


Waitress now validates that the Content-Length sent by a remote contains only
digits in accordance with RFC7230 and will return a 400 Bad Request when the
Content-Length header contains invalid data, such as +10 which would
previously get parsed as 10 and accepted. This stops potential HTTP
desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue. See
GHSA-4f7p-27jc-3c36


2.1.0
Python Version Support

Python 3.6 is no longer supported by Waitress
Python 3.10 is fully supported by Waitress

Bugfix

- ``wsgi.file_wrapper`` now sets the ``seekable``, ``seek``, and ``tell`` attributes from the underlying file if the underlying file is seekable. This allows WSGI middleware to implement things like range requests for example See Pylons/waitress#359 and Pylons/waitress#363 In Python 3 OSError is no longer subscriptable, this caused failures on Windows attempting to loop to find an socket that would work for use in the trigger.

</tr></table>

... (truncated)

Commits

9e0b8c8 Merge pull request from GHSA-4f7p-27jc-3c36
b28c9e8 Prep for 2.1.1
bd22869 Remove extraneous calls to .strip() in Chunked Encoding
d9bdfa0 Validate chunk size in Chunked Encoding are HEXDIG
d032a66 Error when receiving back Chunk Extension
884bed1 Update tests to remove invalid chunked encoding chunk-size
1f6059f Be more strict in parsing Content-Length
e75b0d9 Add new regular expressions for Chunked Encoding
22c0394 Merge pull request #367 from Pylons/fixup/collect-wasyncore-tests
dc15d9f Make sure to collect all wasyncore tests
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

… username to know if authenticated

new url

Remove id when it's null

Chargy attributes

Fix chargy

Get the legend for a layer

return a valid empty response

The map should not be broken when piwik is not loaded

Search by layer id if is available

add arcgis config

Disable systematic token check

use always graphhopper

Bumps [waitress](https://github.com/Pylons/waitress) from 1.2.1 to 2.1.1. - [Release notes](https://github.com/Pylons/waitress/releases) - [Changelog](https://github.com/Pylons/waitress/blob/master/CHANGES.txt) - [Commits](Pylons/waitress@v1.2.1...v2.1.1) --- updated-dependencies: - dependency-name: waitress dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot · 2023-02-10T09:02:08Z

Superseded by #3004.

llienher and others added 30 commits April 22, 2021 12:48

Set ZIndex for all background layers

f876793

Fix print controller iterating over the mask layer

b794b89

Set zIndex for measure vector layer

54ccc33

fix: use env variable for ES config

0d868fd

debug ES env variable

cdcd775

Use last ol-cesium version

0be8a30

Create blank layer with VectorLayer instead of TileLayer

e237231

Do not show print or offline mask in the layer manager

6e27a37

Fix blank layer (hide mapbox canvas)

70e7a02

Override login view to not check user from database

1d54b1b

Do not check login cookies in the front-end, check on the getUserInfo…

b5a30e5

… username to know if authenticated

Remove unused injected appAuthtktCookieName variable

fea8cb0

Fix scale selector and constraint zoom to integer values

182635c

Use correct attribute to get the role from a user object

b824521

Set gunicorn limit-request-line to 8190 bytes

883bb8c

Remove artifact on background for mvt topo layers

21f4d41

Fix login to admin interface

5328219

Fix bootstrap redirect url to be null as it is not used

183fb91

Enable jsapi

b005052

Reactivate jsdoc for jsapi

0ecd5ef

Fix loading the app with a feature written in permalink

12461f7

Fix jsapi to use Theme class instead of Entry

7755e20

Re-enable last commented lines for jsapi

3ce442f

Fix api documentation

2cc0646

Override is_mixed method from theme.py

5a02f0b

Upgrade to GeoMapFish 2.5.0.139

55d969a

Add missing available metadatas

9934e87

Move methods from jsapi python to luxtheme as it was misplaced

92c3a7c

Do not show offline mask in the layertree when the mask is active

eec0864

rebase

71dd3f9

rmichaelis and others added 24 commits March 2, 2022 19:41

new url

47f7d06

Merge pull request #2859 from Geoportail-Luxembourg/3d_tiles

60e9b94

new url

Remove id when it's null

b83cae0

Merge pull request #2860 from Geoportail-Luxembourg/fix_id

46e47c4

Remove id when it's null

Chargy attributes

00b8ab4

Merge pull request #2861 from Geoportail-Luxembourg/fix_chargy

7943c68

Chargy attributes

Split chargy response in many tooltips

e4c1f19

import at top of the file

6572dbe

Merge pull request #2862 from Geoportail-Luxembourg/fix_chargy

1215ad6

Fix chargy

Get the legend for a layer

9c9f1d7

Merge pull request #2863 from Geoportail-Luxembourg/fix_chargy

f83a6cb

Get the legend for a layer

return a valid empty response

63d7d5a

Merge pull request #2864 from Geoportail-Luxembourg/fix_catalog

129159c

return a valid empty response

The map should not be broken when piwik is not loaded

ddc68b3

Merge pull request #2865 from Geoportail-Luxembourg/fix_piwik

7a55e8c

The map should not be broken when piwik is not loaded

Search by layer id if is available

b6ad8fa

Merge pull request #2866 from Geoportail-Luxembourg/fix_ghost_layers

da70f40

Search by layer id if is available

add arcgis config

766c029

Merge pull request #2868 from Geoportail-Luxembourg/fix_config

b4c9037

add arcgis config

Disable systematic token check

ceb8043

Merge pull request #2869 from Geoportail-Luxembourg/fix_config

1d2f5f9

Disable systematic token check

use always graphhopper

1ee3197

Merge pull request #2872 from Geoportail-Luxembourg/fix_graphhopper

db2250c

use always graphhopper

dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Mar 21, 2022

rmichaelis force-pushed the master branch from 8fbf6ce to c326441 Compare January 18, 2023 10:38

dependabot bot closed this Feb 10, 2023

dependabot bot deleted the dependabot/pip/geoportal/waitress-2.1.1 branch February 10, 2023 09:02

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump waitress from 1.2.1 to 2.1.1 in /geoportal #2873

Bump waitress from 1.2.1 to 2.1.1 in /geoportal #2873

dependabot bot commented on behalf of github Mar 21, 2022 •

edited

Loading

2.1.0

dependabot bot commented on behalf of github Feb 10, 2023

Bump waitress from 1.2.1 to 2.1.1 in /geoportal #2873

Bump waitress from 1.2.1 to 2.1.1 in /geoportal #2873

Conversation

dependabot bot commented on behalf of github Mar 21, 2022 • edited Loading

2.1.1

2.1.0

dependabot bot commented on behalf of github Feb 10, 2023

dependabot bot commented on behalf of github Mar 21, 2022 •

edited

Loading