Revisions of python-Werkzeug
Daniel Garcia (dgarcia)
committed
(revision 92)
- Update to 3.0.3:
  * Only allow ``localhost``, ``.localhost``, ``127.0.0.1``, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. :ghsa:`2g68-c3qc-8985` (CVE-2024-34069, bsc#1223979)
  * Make reloader more robust when ``""`` is in ``sys.path``. :pr:`2823`
  * Better TLS cert format with ``adhoc`` dev certs. :pr:`2891`
  * Inform Python < 3.12 how to handle ``itms-services`` URIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. :issue:`2828`
  * Type annotation for ``Rule.endpoint`` and other uses of ``endpoint`` is ``Any``. :issue:`2836`
- Update to 3.0.2:
  * Ensure setting ``merge_slashes`` to ``False`` results in ``NotFound`` for repeated-slash requests against single slash routes. :issue:`2834`
  * Fix handling of ``TypeError`` in ``TypeConversionDict.get()`` to match ``ValueError``. :issue:`2843`
  * Fix ``response_wrapper`` type check in test client. :issue:`2831`
  * Make the return type of ``MultiPartParser.parse`` more precise. :issue:`2840`
  * Raise an error if converter arguments cannot be parsed. :issue:`2822`
buildservice-autocommit
accepted
request 1120656
from
Steve Kowalik (StevenK)
(revision 91)
baserev update by copy to link target
Steve Kowalik (StevenK)
committed
(revision 90)
- Update to 3.0.1:
  * Fix slow multipart parsing for large parts potentially enabling DoS attacks. (CVE-2023-46136, bsc#1216581)
  * Remove previously deprecated code.
  * Deprecate the ``__version__`` attribute. Use feature detection, or ``importlib.metadata.version("werkzeug")``, instead.
  * ``generate_password_hash`` uses scrypt by default.
  * Add the ``"werkzeug.profiler"`` item to the WSGI ``environ`` dictionary passed to `ProfilerMiddleware`'s `filename_format` function. It contains the ``elapsed`` and ``time`` values for the profiled request.
  * Explicitly marked the PathConverter as non path isolating.
buildservice-autocommit
accepted
request 1113325
from
Steve Kowalik (StevenK)
(revision 89)
baserev update by copy to link target
Steve Kowalik (StevenK)
committed
(revision 88)
- Update to 2.3.7:
  * Use ``flit_core`` instead of ``setuptools`` as build backend.
  * Fix parsing of multipart bodies. Adjust index of last newline in data start.
  * ``_plain_int`` and ``_plain_float`` strip whitespace before type enforcement.
  * Fix empty file streaming when testing.
  * Clearer error message when URL rule does not start with slash.
  * ``Accept`` ``q`` value can be a float without a decimal part.
- Drop capitalisation again.
buildservice-autocommit
accepted
request 1110948
from
Factory Maintainer (factory-maintainer)
(revision 87)
baserev update by copy to link target
Dirk Mueller (dirkmueller)
committed
(revision 86)
* drops 0001-limit-the-maximum-number-of-multipart-form-parts.patch in older dists
buildservice-autocommit
accepted
request 1093788
from
Matej Cepl (mcepl)
(revision 85)
baserev update by copy to link target
Matej Cepl (mcepl)
committed
(revision 84)
Update changelog
Matej Cepl (mcepl)
committed
(revision 83)
Remove unnecessary setup.py
Matej Cepl (mcepl)
committed
(revision 82)
WIP
Matej Cepl (mcepl)
accepted
request 1093739
from
Antonio Larrosa (alarrosa)
(revision 81)
- Update to 2.3.6:
  * FileStorage.content_length does not fail if the form data did not provide a value.
- Update to 2.3.5:
  * Python 3.12 compatibility.
  * Fix handling of invalid base64 values in Authorization.from_header.
  * The debugger escapes the exception message in the page title.
  * When binding routing.Map, a long IDNA server_name with a port does not fail encoding.
  * iri_to_uri shows a deprecation warning instead of an error when passing bytes.
  * When parsing numbers in HTTP request headers such as Content-Length, only ASCII digits are accepted rather than any format that Python’s int and float accept.
- Update to 2.3.4:
  * Authorization.from_header and WWWAuthenticate.from_header detects tokens that end with base64 padding (=).
  * Remove usage of warnings.catch_warnings.
  * Remove max_form_parts restriction from standard form data parsing and only use it for multipart content.
  * Response will avoid converting the Location header in some cases to preserve invalid URL schemes like itms-services.
- Update to 2.3.3:
  * Fix parsing of large multipart bodies. Remove invalid leading newline, and restore parsing speed.
  * The cookie Path attribute is set to / by default again, to prevent clients from falling back to RFC 6265’s default-path behavior.
- Update to 2.3.2:
  * Parse the cookie Expires attribute correctly in the test client.
  * max_content_length can only be enforced on streaming requests if the
buildservice-autocommit
accepted
request 1082016
from
Dirk Mueller (dirkmueller)
(revision 80)
baserev update by copy to link target
Dirk Mueller (dirkmueller)
accepted
request 1081318
from
Dirk Mueller (dirkmueller)
(revision 79)
SR for python stack proposal
buildservice-autocommit
accepted
request 1071237
from
Dirk Mueller (dirkmueller)
(revision 78)
baserev update by copy to link target
Dirk Mueller (dirkmueller)
committed
(revision 77)
Dirk Mueller (dirkmueller)
committed
(revision 76)
- update to 2.2.3 (bsc#1208283, CVE-2023-25577):
  * Ensure that URL rules using path converters will redirect with strict slashes when the trailing slash is missing.
  * Type signature for ``get_json`` specifies that return type is not optional when ``silent=False``.
  * ``parse_content_range_header`` returns ``None`` for a value like ``bytes */-1`` where the length is invalid, instead of raising an ``AssertionError``.
  * Address remaining ``ResourceWarning`` related to the socket used by ``run_simple``.
  * Remove ``prepare_socket``, which now happens when creating the server.
  * Update pre-existing headers for ``multipart/form-data`` requests with the test client.
  * Fix handling of header extended parameters such that they are no longer quoted.
  * ``LimitedStream.read`` works correctly when wrapping a stream that may not return the requested size in one ``read`` call.
  * A cookie header that starts with ``=`` is treated as an empty key and discarded, rather than stripping the leading ``==``.
  * Specify a maximum number of multipart parts, default 1000, after which a ``RequestEntityTooLarge`` exception is raised on parsing. This mitigates a DoS attack where a larger number of form/file parts would result in disproportionate resource use.
buildservice-autocommit
accepted
request 1003681
from
Matej Cepl (mcepl)
(revision 75)
baserev update by copy to link target
Matej Cepl (mcepl)
accepted
request 1003613
from
Benjamin Greiner (bnavigator)
(revision 74)
Superseding because there was an (incomplete) direct commit to the devel project in between
- Clean some unused python2 python36 code from specfile
- Move MarkupSafe to runtime requirement. Versioned. This is checked in multibuild test flavor as build requirement.
Markéta Machová (mcalabkova)
committed
(revision 73)
clean up
Displaying revisions 1 - 20 of 92