PYSEC-2019-137

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/waitress/PYSEC-2019-137.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2019-137
Aliases
Published
2019-12-20T23:15:00Z
Modified
2023-11-01T05:19:21.265499Z
Summary
[none]
Details

Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with the inner-most encoding first, followed by any further transfer codings, ending with chunked. Requests sent with: "Transfer-Encoding: gzip, chunked" would incorrectly get ignored, and the request would use a Content-Length header instead to determine the body size of the HTTP message. This could allow for Waitress to treat a single request as multiple requests in the case of HTTP pipelining. This issue is fixed in Waitress 1.4.0.

References

Affected packages

PyPI / waitress

Package

Affected ranges

Type
GIT
Repo
https://github.com/Pylons/waitress
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.3.1

Affected versions

0.*

0.1
0.2
0.3
0.4
0.5
0.6
0.6.1
0.7
0.8
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.8.10
0.8.11b0
0.9.0b0
0.9.0b1
0.9.0

1.*

1.0a1
1.0a2
1.0.0
1.0.1
1.0.2
1.1.0
1.2.0b1
1.2.0b2
1.2.0b3
1.2.0
1.2.1
1.3.0b0
1.3.0