# HG changeset patch
# User Laurent Peuch
# Date 1557344233 -7200
# Node ID a5d7fcde74c9e0ea129c957955ae5792c94de1a2
# Parent 85f82900f1c32f4735a1f97c5b87cf65d847a16c
DeprecationWarning: In future versions of Waitress clear_untrusted_proxy_headers will be set to True by default. You may opt-out by setting this value to False, or opt-in explicitly by setting this to True.
Source: https://docs.pylonsproject.org/projects/waitress/en/stable/arguments.html?highlight=clear_untrusted_proxy_headers
> This tells Waitress to remove any untrusted proxy headers ("Forwarded",
> "X-Forwared-For", "X-Forwarded-By", "X-Forwarded-Host", "X-Forwarded-Port",
> "X-Forwarded-Proto") not explicitly allowed by trusted_proxy_headers.
According to grep we don't use any of those headers so let's turn it on for security reasons.
diff -r 85f82900f1c3 -r a5d7fcde74c9 cubicweb/pyramid/pyramidctl.py
--- a/cubicweb/pyramid/pyramidctl.py Wed May 08 21:30:44 2019 +0200
+++ b/cubicweb/pyramid/pyramidctl.py Wed May 08 21:37:13 2019 +0200
@@ -388,7 +388,8 @@
 'anymore; use the standalone "scheduler" command if needed'
 )
 try:
- waitress.serve(app, host=host, port=port, url_scheme=url_scheme)
+ waitress.serve(app, host=host, port=port, url_scheme=url_scheme,
+ clear_untrusted_proxy_headers=True)
 finally:
 repo.shutdown()
 if self._needreload:
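Review bot: The added `clear_untrusted_proxy_headers=True` is hard-coded with no `trusted_proxy`/`trusted_proxy_headers` passed alongside it, so for a deployment that sits behind a reverse proxy waitress will drop every `Forwarded`/`X-Forwarded-*` header before the app sees it, and nothing in this call lets an operator declare the proxy as trusted to recover the client address or external host. Passing `url_scheme` from configuration on the same line suggests proxied deployments are expected, so consider plumbing the trusted-proxy settings through the same way, or at least record the decision next to the call, e.g. `# Forwarded/X-Forwarded-* are stripped: set trusted_proxy/trusted_proxy_headers if a reverse proxy must supply REMOTE_ADDR/HTTP_HOST`. As far as I recall this keyword only exists from the waitress 1.2 series and `waitress.serve` rejects unknown adjustments at startup, and the commit touches no dependency pin, so the minimum waitress version should be checked before this lands. The enclosing method begins and ends outside the hunk.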