Python 3.11, 3.12 and PyPy 3.9, 3.10. See https://github.com/Pylons/waitress/pull/412 Document that trusted_proxy may be set to a wildcard value to trust all proxies. See https://github.com/Pylons/waitress/pull/431 36 Waitress now validates that the Content-Length sent by a remote contains only digits in accordance with RFC7230 and will return a 400 Bad Request when the Content-Length header contains invalid data ff-3wj3-8ph4 CVE-ID: CVE-2019-16789 Bugfixes Updated the regex used to validate header-field content to match the errata that was published for RFC7230. See: https://www.rfc-editor.org/errata_search

and update the Procfile as following: web: waitress-serve \ --listen "*:$PORT" \ --trusted-proxy '*' \ --trusted-proxy-headers 'x-forwarded-for x-forwarded-proto x-forwarded-port' \ --log-untrusted-proxy-headers output to the console when we request a page: 00:50:53,694 INFO [wsgiapp] Returning: Hello World! (content-type: text/plain) 00:50:53,695 INFO [wsgi] 192.168.1.111 - - [11/Aug/2011:20:09:33 -0700] "GET /hello function. 2. You can pass certain well known proxy headers from your proxy server and use waitress's trusted_proxy support to automatically configure the WSGI environment. 1.3.1 Using url_scheme to set wsgi

6 Waitress now validates that the Content-Length sent by a remote contains only digits in accordance with RFC7230 and will return a 400 Bad Request when the Content-Length header contains invalid data ff-3wj3-8ph4 CVE-ID: CVE-2019-16789 Bugfixes Updated the regex used to validate header-field content to match the errata that was published for RFC7230. See: https://www.rfc-editor.org/errata_search ignoring the Content- Length) and Waitress using the Content-Length as it was looking for the single value chunked and did not support comma seperated values. Waitress used to explicitly set the Content-Length

ff-3wj3-8ph4 CVE-ID: CVE-2019-16789 Bugfixes Updated the regex used to validate header-field content to match the errata that was published for RFC7230. See: https://www.rfc-editor.org/errata_search ignoring the Content- Length) and Waitress using the Content-Length as it was looking for the single value chunked and did not support comma seperated values. Waitress used to explicitly set the Content-Length Content-Length header to 0 if it was unable to parse it as an integer (for example if the Content-Length header was sent twice (and thus folded together), or was invalid) thereby allowing for a potential request to

file a update the Procfile as following: web: waitress-serve \ --listen "*:$PORT" \ --trusted-proxy '*' \ --trusted-proxy-headers 'x-forwarded-for x-forwarded-proto x-forwarded-port' \ --log-untrusted-proxy-headers output to the console when we request a page: 00:50:53,694 INFO [wsgiapp] Returning: Hello World! (content-type: text/plain) 00:50:53,695 INFO [wsgi] 192.168.1.111 - - [11/Aug/2011:20:09:33 -0700] "GET /hello function. 2. You can pass certain well known proxy headers from your proxy server and use waitress’s trusted_proxy support to automatically configure the WSGI environment. 1.3.1 Using url_scheme to set wsgi

file a update the Procfile as following: web: waitress-serve \ --listen "*:$PORT" \ --trusted-proxy '*' \ --trusted-proxy-headers 'x-forwarded-for x-forwarded-proto x-forwarded-port' \ --log-untrusted-proxy-headers output to the console when we request a page: 00:50:53,694 INFO [wsgiapp] Returning: Hello World! (content-type: text/plain) 00:50:53,695 INFO [wsgi] 192.168.1.111 - - [11/Aug/2011:20:09:33 -0700] "GET /hello function. 2. You can pass certain well known proxy headers from your proxy server and use waitress’s trusted_proxy support to automatically configure the WSGI environment. 1.3.1 Using url_scheme to set wsgi

the Content- Length) and Waitress using the Content-Length as it was looking for the single value chunked and did not support comma seperated values. Waitress used to explicitly set the Content-Length Content-Length header to 0 if it was unable to parse it as an integer (for example if the Content-Length header was sent twice (and thus folded together), or was invalid) thereby allowing for a potential request to treated as two requests by HTTP pipelining support in Waitress. If Waitress is now unable to parse the Content-Length header, a 400 Bad Request is sent back to the client. 1.3.1 (2019-08-27) Bugfixes Waitress

Logging 5 waitress Documentation, Release 1.4.3 00:50:53,694 INFO [wsgiapp] Returning: Hello World! (content-type: text/plain) 00:50:53,695 INFO [wsgi] 192.168.1.111 - - [11/Aug/2011:20:09:33 -0700] "GET /hello function. 2. You can pass certain well known proxy headers from your proxy server and use waitress’s trusted_proxy support to automatically configure the WSGI environment. 1.3.1 Using url_scheme to set wsgi add to Apache: RequestHeader set X-Forwarded-Proto https Configure waitress’s trusted_proxy_headers as appropriate: trusted_proxy_headers = "x-forwarded-for x-forwarded-host x-forwarded-proto x- ˓→forwarded-port"

Logging 5 waitress Documentation, Release 1.3.1 00:50:53,694 INFO [wsgiapp] Returning: Hello World! (content-type: text/plain) 00:50:53,695 INFO [wsgi] 192.168.1.111 - - [11/Aug/2011:20:09:33 -0700] "GET /hello function. 2. You can pass certain well known proxy headers from your proxy server and use waitress’s trusted_proxy support to automatically configure the WSGI environment. 1.3.1 Using url_scheme to set wsgi add to Apache: RequestHeader set X-Forwarded-Proto https Configure waitress’s trusted_proxy_headers as appropriate: trusted_proxy_headers = "x-forwarded-for x-forwarded-host x-forwarded-proto x- ˓→forwarded-port"

mathematics, computations and their rich media output. Notebook documents: a representation of all content visible in the web application, including inputs and outputs of the computations, explanatory text untrusted code from executing on users’ behalf when notebooks open, we store a signature of each trusted notebook. The notebook server verifies this signature when a notebook is opened. If no matching signature by re-executing the cells. Any notebook that you have fully executed yourself will be considered trusted, and its HTML and Javascript output will be displayed on load. If you need to see HTML or Javascript