Description
Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230
which states: "Although the line terminator for the start-line and header
fields is the sequence CRLF, a recipient MAY recognize a single LF as a
line terminator and ignore any preceding CR." Unfortunately if a front-end
server does not parse header fields with an LF the same way as it does
those with a CRLF it can lead to the front-end and the back-end server
parsing the same HTTP message in two different ways. This can lead to a
potential for HTTP request smuggling/splitting whereby Waitress may see two
requests while the front-end server only sees a single HTTP message. This
issue is fixed in Waitress 1.4.0.
Updated: 2022-04-25 00:37:47 UTC (commit ecc1009cb19540b950de59270950018900f37f15)