Merge branch 'main' into vsock

.github/workflows/ci-tests.yml

@@ -1,113 +1,136 @@
 name: Build and test
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 on:
-    # Only on pushes to main or one of the release branches we build on push
-    push:
-        branches:
-            - main
-            - "[0-9].[0-9]+-branch"
-        tags:
-    # Build pull requests
-    pull_request:
+  # Only on pushes to main or one of the release branches we build on push
+  push:
+    branches:
+      - main
+      - "[0-9].[0-9]+-branch"
+    tags:
+      - "*"
+  # Build pull requests
+  pull_request:
 
 jobs:
-    test:
-        strategy:
-            matrix:
-                py:
-                    - "3.8"
-                    - "3.9"
-                    - "3.10"
-                    - "3.11"
-                    - "3.12"
-                    - "pypy-3.8"
-                    - "pypy-3.9"
-                    - "pypy-3.10"
-                    # Pre-release
-                os:
-                    - "ubuntu-latest"
-                    - "windows-latest"
-                    - "macos-latest"
-                architecture:
-                    - x64
-                    - x86
-                include:
-                  - py: "pypy-3.8"
-                    toxenv: "pypy38"
-                  - py: "pypy-3.9"
-                    toxenv: "pypy39"
-                  - py: "pypy-3.10"
-                    toxenv: "pypy310"
-                exclude:
-                    # Linux and macOS don't have x86 python
-                    - os: "ubuntu-latest"
-                      architecture: x86
-                    - os: "macos-latest"
-                      architecture: x86
-                    # Don't run all PyPy versions except latest on
-                    # Windows/macOS. They are expensive to run.
-                    - os: "windows-latest"
-                      py: "pypy-3.8"
-                    - os: "macos-latest"
-                      py: "pypy-3.8"
-                    - os: "windows-latest"
-                      py: "pypy-3.9"
-                    - os: "macos-latest"
-                      py: "pypy-3.9"
+  test:
+    strategy:
+      matrix:
+        py:
+          - "3.9"
+          - "3.10"
+          - "3.11"
+          - "3.12"
+          - "3.13"
+          - "pypy-3.9"
+          - "pypy-3.10"
+          # Pre-release
+        os:
+          - "ubuntu-22.04"
+          - "windows-latest"
+          - "macos-14" # arm64
+          - "macos-13" # x64
+        architecture:
+          - x64
+          - x86
+          - arm64
+        include:
+          - py: "pypy-3.9"
+            toxenv: "pypy39"
+          - py: "pypy-3.10"
+            toxenv: "pypy310"
+        exclude:
+          # Ubuntu does not have x86/arm64 Python
+          - os: "ubuntu-22.04"
+            architecture: x86
+          - os: "ubuntu-22.04"
+            architecture: arm64
+          # MacOS we need to make sure to remove x86 on all
+          # We need to run no arm64 on macos-13 (Intel), but some
+          # Python versions: 3.9/3.10
+          #
+          # From 3.11 onward, there is support for running x64 and
+          # arm64 on Apple Silicon based systems (macos-14)
+          - os: "macos-13"
+            architecture: x86
+          - os: "macos-13"
+            architecture: arm64
+          - os: "macos-14"
+            architecture: x86
+          - os: "macos-14"
+            architecture: x64
+            py: "3.9"
+          - os: "macos-14"
+            architecture: x64
+            py: "3.10"
+          # Windows does not have arm64 releases
+          - os: "windows-latest"
+            architecture: arm64
+          # Don't run all PyPy versions except latest on
+          # Windows/macOS. They are expensive to run.
+          - os: "windows-latest"
+            py: "pypy-3.9"
+          - os: "macos-13"
+            py: "pypy-3.9"
+          - os: "macos-14"
+            py: "pypy-3.9"
+    name: "Python: ${{ matrix.py }}-${{ matrix.architecture }} on ${{ matrix.os }}"
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.py }}
+          architecture: ${{ matrix.architecture }}
+      - run: pip install tox
+      - name: Running tox with specific toxenv
+        if: ${{ matrix.toxenv != '' }}
+        env:
+          TOXENV: ${{ matrix.toxenv }}
+        run: tox
+      - name: Running tox for current python version
+        if: ${{ matrix.toxenv == '' }}
+        run: tox -e py
 
-        name: "Python: ${{ matrix.py }}-${{ matrix.architecture }} on ${{ matrix.os }}"
-        runs-on: ${{ matrix.os }}
-        steps:
-            - uses: actions/checkout@v4
-            - name: Setup python
-              uses: actions/setup-python@v5
-              with:
-                  python-version: ${{ matrix.py }}
-                  architecture: ${{ matrix.architecture }}
-            - run: pip install tox
-            - name: Running tox with specific toxenv
-              if: ${{ matrix.toxenv != '' }}
-              env:
-                TOXENV: ${{ matrix.toxenv }}
-              run: tox
-            - name: Running tox for current python version
-              if: ${{ matrix.toxenv == '' }}
-              run: tox -e py
+  coverage:
+    runs-on: ubuntu-22.04
+    name: Validate coverage
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+          architecture: x64
+      - run: pip install tox
+      - run: tox -e py313,coverage
 
-    coverage:
-        runs-on: ubuntu-latest
-        name: Validate coverage
-        steps:
-            - uses: actions/checkout@v4
-            - name: Setup python 3.10
-              uses: actions/setup-python@v5
-              with:
-                  python-version: "3.10"
-                  architecture: x64
+  docs:
+    runs-on: ubuntu-22.04
+    name: Build the documentation
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+          architecture: x64
+      - run: pip install tox
+      - run: tox -e docs
 
-            - run: pip install tox
-            - run: tox -e py310,coverage
-    docs:
-        runs-on: ubuntu-latest
-        name: Build the documentation
-        steps:
-            - uses: actions/checkout@v4
-            - name: Setup python
-              uses: actions/setup-python@v5
-              with:
-                  python-version: "3.10"
-                  architecture: x64
-            - run: pip install tox
-            - run: tox -e docs
-    lint:
-        runs-on: ubuntu-latest
-        name: Lint the package
-        steps:
-            - uses: actions/checkout@v4
-            - name: Setup python
-              uses: actions/setup-python@v5
-              with:
-                  python-version: "3.10"
-                  architecture: x64
-            - run: pip install tox
-            - run: tox -e lint
+  lint:
+    runs-on: ubuntu-22.04
+    name: Lint the package
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+          architecture: x64
+      - run: pip install tox
+      - run: tox -e lint

.readthedocs.yaml

@@ -0,0 +1,17 @@
+# https://docs.readthedocs.io/en/stable/config-file/v2.html
+version: 2
+build:
+  os: ubuntu-22.04
+  tools:
+    python: '3.12'
+sphinx:
+  configuration: docs/conf.py
+formats:
+  - pdf
+  - epub
+python:
+  install:
+    - method: pip
+      path: .
+      extra_requirements:
+        - docs

CHANGES.txt

@@ -1,4 +1,53 @@
-3.0.0 (Unreleased)
+3.0.2 (2024-11-16)
+------------------
+
+Security
+~~~~~~~~
+
+- When using Waitress to process trusted proxy headers, Waitress will now
+  update the headers to drop any untrusted values, thereby making sure that
+  WSGI apps only get trusted and validated values that Waitress itself used to
+  update the environ. See https://github.com/Pylons/waitress/pull/452 and
+  https://github.com/Pylons/waitress/issues/451
+
+
+3.0.1 (2024-10-28)
+------------------
+
+Backward Incompatibilities
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- Python 3.8 is no longer supported.
+  See https://github.com/Pylons/waitress/pull/445.
+
+Features
+~~~~~~~~
+
+- Added support for Python 3.13.
+  See https://github.com/Pylons/waitress/pull/445.
+
+Security
+~~~~~~~~
+
+- Fix a bug that would lead to Waitress busy looping on select() on a half-open
+  socket due to a race condition that existed when creating a new HTTPChannel.
+  See https://github.com/Pylons/waitress/pull/435,
+  https://github.com/Pylons/waitress/issues/418 and
+  https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6
+
+  With thanks to Dylan Jay and Dieter Maurer for their extensive debugging and
+  helping track this down.
+
+- No longer strip the header values before passing them to the WSGI environ.
+  See https://github.com/Pylons/waitress/pull/434 and
+  https://github.com/Pylons/waitress/issues/432
+
+- Fix a race condition in Waitress when `channel_request_lookahead` is enabled
+  that could lead to HTTP request smuggling.
+
+  See https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj
+
+3.0.0 (2024-02-04)
 ------------------
 
 - Rename "master" git branch to "main"
@@ -10,6 +59,23 @@
 - Fixed testing of vendored asyncore code to not rely on particular naming for
   errno's. See https://github.com/Pylons/waitress/pull/397
 
+- HTTP Request methods and versions are now validated to meet the HTTP
+  standards thereby dropping invalid requests on the floor. See
+  https://github.com/Pylons/waitress/pull/423
+
+- No longer close the connection when sending a HEAD request response. See
+  https://github.com/Pylons/waitress/pull/428
+
+- Always attempt to send the Connection: close response header when we are
+  going to close the connection to let the remote know in more instances.
+  https://github.com/Pylons/waitress/pull/429
+
+- Python 3.7 is no longer supported. Add support for Python 3.11, 3.12 and
+  PyPy 3.9, 3.10. See https://github.com/Pylons/waitress/pull/412
+
+- Document that trusted_proxy may be set to a wildcard value to trust all
+  proxies. See https://github.com/Pylons/waitress/pull/431
+
 Updated Defaults
 ~~~~~~~~~~~~~~~~
 

CONTRIBUTORS.txt

@@ -150,3 +150,5 @@ Contributors
 - Jonathan Vanasco, 2022-11-15
 
 - Ananth Bhaskararaman, 2023-04-05
+
+- Simon King, 2024-11-12

MANIFEST.in

@@ -14,7 +14,7 @@ include COPYRIGHT.txt
 
 include pyproject.toml setup.cfg
 include .coveragerc .flake8
-include tox.ini rtd.txt
+include tox.ini .readthedocs.yaml
 
 exclude TODO.txt
 prune docs/_build

README.rst

@@ -8,14 +8,14 @@ Waitress
 .. image:: https://github.com/Pylons/waitress/actions/workflows/ci-tests.yml/badge.svg
     :target: https://github.com/Pylons/waitress/actions/workflows/ci-tests.yml
 
-.. image:: https://readthedocs.org/projects/waitress/badge/?version=main
-        :target: https://docs.pylonsproject.org/projects/waitress/en/main
+.. image:: https://readthedocs.org/projects/waitress/badge/?version=stable
+        :target: https://docs.pylonsproject.org/projects/waitress/en/stable/
         :alt: main Documentation Status
 
 Waitress is a production-quality pure-Python WSGI server with very acceptable
 performance. It has no dependencies except ones which live in the Python
-standard library. It runs on CPython on Unix and Windows under Python 3.8+. It
-is also known to run on PyPy 3 (version 3.8 compatible python and above) on
+standard library. It runs on CPython on Unix and Windows under Python 3.9+. It
+is also known to run on PyPy 3 (version 3.9 compatible python and above) on
 UNIX. It supports HTTP/1.0 and HTTP/1.1.
 
 For more information, see the "docs" directory of the Waitress package or visit