Revisions of python-Werkzeug
Ana Guerrero (anag+factory) accepted request 1120656 from Steve Kowalik (StevenK) (revision 45)
- Update to 3.0.1:
  * Fix slow multipart parsing for large parts potentially enabling DoS attacks. (CVE-2023-46136, bsc#1216581)
  * Remove previously deprecated code.
  * Deprecate the ``__version__`` attribute. Use feature detection, or ``importlib.metadata.version("werkzeug")``, instead.
  * ``generate_password_hash`` uses scrypt by default.
  * Add the ``"werkzeug.profiler"`` item to the WSGI ``environ`` dictionary passed to `ProfilerMiddleware`'s `filename_format` function. It contains the ``elapsed`` and ``time`` values for the profiled request.
  * Explicitly marked the PathConverter as non path isolating.
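The scrypt-by-default and 600,000-iteration PBKDF2 changes mentioned in these entries describe a salted "spec$salt$digest" scheme. The block below is an added example for this page, written against the standard library only; it is not Werkzeug's code, and the scrypt cost parameters (n=2**15, r=8, p=1), the 16-byte salt, the 64-byte derived key and the exact layout of the stored string are assumptions made here. It refuses plain (unsalted) methods on generation and on verification, and compares digests in constant time.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example, not Werkzeug's own code: a stdlib re-implementation of the
# "spec$salt$digest" password scheme, scrypt by default and PBKDF2-SHA256 at
# 600,000 iterations as the alternative. Cost parameters, salt length and
# derived-key length are assumptions.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 15, 8, 1
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 64


def _scrypt(password: bytes, salt: bytes, n: int, r: int, p: int) -> str:
    # OpenSSL's default 32 MiB maxmem is just below what n=2**15, r=8 needs,
    # so derive it from the parameters (128*n*r bytes plus headroom).
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=DKLEN,
                          maxmem=132 * n * r * p).hex()


def generate_password_hash(password: str, method: str = "scrypt",
                           salt: Optional[str] = None) -> str:
    """Return 'spec$salt$hexdigest'. Plain (unsalted) hash methods are refused."""
    if method not in ("scrypt", "pbkdf2"):
        raise ValueError("only scrypt and pbkdf2 are supported")
    if salt is None:
        salt = secrets.token_hex(SALT_BYTES)  # hex keeps '$' out of the salt
    pw, s = password.encode("utf-8"), salt.encode("utf-8")
    if method == "scrypt":
        spec = f"scrypt:{SCRYPT_N}:{SCRYPT_R}:{SCRYPT_P}"
        digest = _scrypt(pw, s, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    else:
        spec = f"pbkdf2:sha256:{PBKDF2_ITERATIONS}"
        digest = hashlib.pbkdf2_hmac("sha256", pw, s, PBKDF2_ITERATIONS).hex()
    return f"{spec}${salt}${digest}"


def check_password_hash(pwhash: str, password: str) -> bool:
    """Recompute with the parameters stored in the hash, compare in constant time."""
    try:
        spec, salt, digest = pwhash.split("$", 2)
        method, *args = spec.split(":")
        pw, s = password.encode("utf-8"), salt.encode("utf-8")
        if method == "scrypt":
            n, r, p = (int(a) for a in args)
            candidate = _scrypt(pw, s, n, r, p)
        elif method == "pbkdf2":
            algo, iterations = args[0], int(args[1])
            candidate = hashlib.pbkdf2_hmac(algo, pw, s, iterations).hex()
        else:
            return False  # legacy plain hashes are never verified
    except (ValueError, IndexError):
        return False  # malformed stored hash or unknown digest name
    return hmac.compare_digest(candidate, digest)
```

Because the parameters travel with the stored string, raising the work factor later only affects newly generated hashes; old entries keep verifying with their own cost until the user next sets a password.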
Ana Guerrero (anag+factory) accepted request 1113325 from Steve Kowalik (StevenK) (revision 44)
- Update to 2.3.7:
  * Use ``flit_core`` instead of ``setuptools`` as build backend.
  * Fix parsing of multipart bodies. Adjust index of last newline in data start.
  * ``_plain_int`` and ``_plain_float`` strip whitespace before type enforcement.
  * Fix empty file streaming when testing.
  * Clearer error message when URL rule does not start with slash.
  * ``Accept`` ``q`` value can be a float without a decimal part.
- Drop capitalisation again.
Ana Guerrero (anag+factory) accepted request 1110948 from Factory Maintainer (factory-maintainer) (revision 43)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 1093788 from Matej Cepl (mcepl) (revision 42)
- Update to 2.3.6:
  * FileStorage.content_length does not fail if the form data did not provide a value.
- Update to 2.3.5:
  * Python 3.12 compatibility.
  * Fix handling of invalid base64 values in Authorization.from_header.
  * The debugger escapes the exception message in the page title.
  * When binding routing.Map, a long IDNA server_name with a port does not fail encoding.
  * iri_to_uri shows a deprecation warning instead of an error when passing bytes.
  * When parsing numbers in HTTP request headers such as Content-Length, only ASCII digits are accepted rather than any format that Python’s int and float accept.
- Update to 2.3.4:
  * Authorization.from_header and WWWAuthenticate.from_header detect tokens that end with base64 padding (=).
  * Remove usage of warnings.catch_warnings.
  * Remove max_form_parts restriction from standard form data parsing and only use it for multipart content.
  * Response will avoid converting the Location header in some cases to preserve invalid URL schemes like itms-services.
- Update to 2.3.3:
  * Fix parsing of large multipart bodies. Remove invalid leading newline, and restore parsing speed.
  * The cookie Path attribute is set to / by default again, to prevent clients from falling back to RFC 6265’s default-path behavior.
- Update to 2.3.2:
  * Parse the cookie Expires attribute correctly in the test client.
  * max_content_length can only be enforced on streaming requests if the server sets wsgi.input_terminated.
- Update to 2.3.1:
  * Percent-encode plus (+) when building URLs and in test requests.
  * Cookie values don’t quote characters defined in RFC 6265.
  * Include pyi files for datastructures type annotations.
  * Authorization and WWWAuthenticate objects can be compared for equality.
- Update to 2.3.0:
  * Drop support for Python 3.7.
  * Remove previously deprecated code.
  * Passing bytes where strings are expected is deprecated, as well as the charset and errors parameters in many places. Anywhere that was annotated, documented, or tested to accept bytes shows a warning. Removing this artifact of the transition from Python 2 to 3 removes a significant amount of overhead in instance checks and encoding cycles. In general, always work with UTF-8; the modern HTML, URL, and HTTP standards all strongly recommend this.
  * Deprecate the werkzeug.urls module, except for the uri_to_iri and iri_to_uri functions. Use the urllib.parse library instead.
  * Update which characters are considered safe when using percent encoding in URLs, based on the WhatWG URL Standard.
  * Update which characters are considered safe when using percent encoding for Unicode filenames in downloads.
  * Deprecate the safe_conversion parameter of iri_to_uri. The Location header is converted to IRI using the same process as everywhere else.
  * Deprecate werkzeug.wsgi.make_line_iter and make_chunk_iter.
  * Use modern packaging metadata with pyproject.toml instead of setup.cfg.
  * Request.get_json() will raise a 415 Unsupported Media Type error if the Content-Type header is not application/json, instead of a generic 400.
  * A URL converter’s part_isolating defaults to False if its regex contains a /.
  * A custom converter’s regex can have capturing groups without breaking the router.
  * The reloader can pick up arguments to python like -X dev, and does not require heuristics to determine how to reload the command. Only available on Python >= 3.10.
  * The Watchdog reloader ignores file opened events. Bump the minimum version of Watchdog to 2.3.0.
  * When using a Unix socket for the development server, the path can start with a dot.
  * Increase default work factor for PBKDF2 to 600,000 iterations.
  * parse_options_header is 2-3 times faster. It conforms to RFC 9110; some invalid parts that were previously accepted are now ignored.
  * The is_filename parameter to unquote_header_value is deprecated.
  * Deprecate the extra_chars parameter and passing bytes to quote_header_value, the allow_token parameter to dump_header, and the cls parameter and passing bytes to parse_dict_header.
  * Improve parse_accept_header implementation. Parse according to RFC 9110. Discard items with invalid q values.
  * quote_header_value quotes the empty string.
  * dump_options_header skips None values rather than using a bare key.
  * dump_header and dump_options_header will not quote a value if the key ends with an asterisk *.
  * parse_dict_header will decode values with charsets.
  * Refactor the Authorization and WWWAuthenticate header data structures.
    + Both classes have type, parameters, and token attributes. The token attribute supports auth schemes that use a single opaque token rather than key=value parameters, such as Bearer.
    + Neither class is a dict anymore, although they still implement getting, setting, and deleting auth[key] and auth.key syntax, as well as auth.get(key) and key in auth.
    + Both classes have a from_header class method. parse_authorization_header and parse_www_authenticate_header are deprecated.
    + The methods WWWAuthenticate.set_basic and set_digest are deprecated. Instead, an instance should be created and assigned to response.www_authenticate.
    + A list of instances can be assigned to response.www_authenticate to set multiple header values. However, accessing the property only returns the first instance.
  * Refactor parse_cookie and dump_cookie.
    + parse_cookie is up to 40% faster, dump_cookie is up to 60% faster.
    + Passing bytes to parse_cookie and dump_cookie is deprecated. The dump_cookie charset parameter is deprecated.
    + dump_cookie allows domain values that do not include a dot ., and strips off a leading dot.
    + dump_cookie does not set path="/" unnecessarily by default.
  * Refactor the test client cookie implementation.
    + The cookie_jar attribute is deprecated. http.cookiejar is no longer used for storage.
    + Domain and path matching is used when sending cookies in requests. The domain and path parameters default to localhost and /.
    + Added a get_cookie method to inspect cookies.
    + Cookies have decoded_key and decoded_value attributes to match what the app sees rather than the encoded values a client would see.
    + The first positional server_name parameter to set_cookie and delete_cookie is deprecated. Use the domain parameter instead.
    + Other parameters to delete_cookie besides domain, path, and value are deprecated.
  * If request.max_content_length is set, it is checked immediately when accessing the stream, and while reading from the stream in general, rather than only during form parsing.
  * The development server, which must not be used in production, will exhaust the request stream up to 10GB or 1000 reads. This allows clients to see a 413 error if max_content_length is exceeded, instead of a “connection reset” failure.
  * The development server discards header keys that contain underscores _, as they are ambiguous with dashes - in WSGI.
  * secure_filename looks for more Windows reserved file names.
  * Update type annotation for best_match to make default parameter clearer.
  * Multipart parser handles empty fields correctly.
  * The Map charset parameter and Request.url_charset property are deprecated. Percent encoding in URLs must always represent UTF-8 bytes. Invalid bytes are left percent encoded rather than replaced.
  * The Request.charset, Request.encoding_errors, Response.charset, and Client.charset attributes are deprecated. Request and response data must always use UTF-8.
  * Header values that have charset information only allow ASCII, UTF-8, and ISO-8859-1.
  * Update type annotation for ProfilerMiddleware stream parameter.
  * Use postponed evaluation of annotations.
  * The development server escapes ASCII control characters in decoded URLs before logging the request to the terminal.
  * The FormDataParser parse_functions attribute and get_parse_func method, and the invalid application/x-url-encoded content type, are deprecated.
  * generate_password_hash supports scrypt. Plain hash methods are deprecated, only scrypt and pbkdf2 are supported.
- Remove patch which was made obsolete by upstream:
  * moved_root.patch
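The 2.3.5 note that header numbers accept "only ASCII digits rather than any format that Python's int and float accept", together with the 2.3.7 note on whitespace stripping and the 2.3.0 note that max_content_length is now checked before the body is touched, describes a small but security-relevant parsing rule: Python's int() happily accepts fullwidth or Arabic-Indic digits, underscores and signs, so two components parsing the same Content-Length can disagree about the body length. The block below is an added example for this page, not Werkzeug's code; the exception class names are chosen here to mirror the HTTP statuses a server would return.

```python
import re

# Added example, not Werkzeug's own code: strict parsing of numeric request
# headers (strip surrounding blanks, then ASCII digits only) next to the
# permissive behaviour of int(). Exception names are assumptions.
_ASCII_DIGITS = re.compile(r"[0-9]+")  # deliberately not \d: on str, \d matches Unicode digits


class BadRequest(Exception):
    """Malformed header value; a server would answer 400."""


class RequestEntityTooLarge(Exception):
    """Declared body exceeds max_content_length; a server would answer 413."""


def plain_int(value: str) -> int:
    value = value.strip(" \t")  # optional whitespace around the field value only
    if not _ASCII_DIGITS.fullmatch(value):
        raise ValueError(f"not a plain ASCII integer: {value!r}")
    return int(value)


def lenient_vs_strict(value: str):
    """(what int() returns, what plain_int() returns); None where parsing fails."""
    try:
        lenient = int(value)
    except ValueError:
        lenient = None
    try:
        strict = plain_int(value)
    except ValueError:
        strict = None
    return lenient, strict


def declared_length(headers: dict, max_content_length=None):
    """Validate Content-Length up front, before any byte of the body is read."""
    raw = headers.get("Content-Length")
    if raw is None:
        return None
    try:
        length = plain_int(raw)
    except ValueError as exc:
        raise BadRequest(str(exc)) from exc
    if max_content_length is not None and length > max_content_length:
        raise RequestEntityTooLarge(f"{length} > {max_content_length}")
    return length
```

The interesting rows are the ones where the lenient column is a number and the strict column is None: a front proxy using a strict parser and an application using int() would see different requests, which is the kind of mismatch request-smuggling attacks rely on.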
Dominique Leuenberger (dimstar_suse) accepted request 1082016 from Dirk Mueller (dirkmueller) (revision 41)
Dominique Leuenberger (dimstar_suse) accepted request 1071237 from Dirk Mueller (dirkmueller) (revision 40)
- update to 2.2.3 (bsc#1208283, CVE-2023-25577):
  * Ensure that URL rules using path converters will redirect with strict slashes when the trailing slash is missing.
  * Type signature for ``get_json`` specifies that return type is not optional when ``silent=False``.
  * ``parse_content_range_header`` returns ``None`` for a value like ``bytes */-1`` where the length is invalid, instead of raising an ``AssertionError``.
  * Address remaining ``ResourceWarning`` related to the socket used by ``run_simple``.
  * Remove ``prepare_socket``, which now happens when creating the server.
  * Update pre-existing headers for ``multipart/form-data`` requests with the test client.
  * Fix handling of header extended parameters such that they are no longer quoted.
  * ``LimitedStream.read`` works correctly when wrapping a stream that may not return the requested size in one ``read`` call.
  * A cookie header that starts with ``=`` is treated as an empty key and discarded, rather than stripping the leading ``==``.
  * Specify a maximum number of multipart parts, default 1000, after which a ``RequestEntityTooLarge`` exception is raised on parsing. This mitigates a DoS attack where a larger number of form/file parts would result in disproportionate resource use.
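The last item above (CVE-2023-25577) is a resource-exhaustion fix: every multipart part costs header parsing and a buffer or temp file, so a request with tens of thousands of tiny parts makes the server do unbounded work. The block below is an added example for this page, not Werkzeug's parser: a deliberately minimal multipart/form-data splitter whose only job is to show where the part cap has to sit. It assumes CRLF line endings, a boundary already extracted from Content-Type, and no boundary string inside a part body; a production parser works line by line and streams large parts to disk.

```python
from typing import Dict, List, Tuple

# Added example, not Werkzeug's own code: a minimal multipart/form-data
# splitter that caps the number of parts (default 1000). Assumptions: CRLF
# line endings, boundary already known, and part bodies never contain the
# boundary string.
Part = Tuple[Dict[str, str], bytes]


class RequestEntityTooLarge(Exception):
    pass


def parse_multipart(body: bytes, boundary: bytes,
                    max_form_parts: int = 1000) -> List[Part]:
    delimiter = b"--" + boundary
    chunks = body.split(delimiter)  # chunks[0] is the (ignored) preamble
    parts: List[Part] = []
    for chunk in chunks[1:]:
        if chunk.startswith(b"--"):
            break  # "--boundary--" is the closing delimiter
        # Enforce the cap before doing any per-part work, so the attacker's
        # cost per extra part is zero for the server.
        if len(parts) >= max_form_parts:
            raise RequestEntityTooLarge(f"more than {max_form_parts} multipart parts")
        if not chunk.startswith(b"\r\n"):
            raise ValueError("malformed delimiter line")
        head, sep, data = chunk[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without blank line after headers")
        headers: Dict[str, str] = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        # The CRLF before the next delimiter belongs to the delimiter, not to the data.
        parts.append((headers, data[:-2] if data.endswith(b"\r\n") else data))
    return parts


def build_body(boundary: bytes, fields: Dict[str, str]) -> bytes:
    """Constructed test input: one form-data part per field, CRLF framing."""
    out = bytearray()
    for name, value in fields.items():
        out += b"--" + boundary + b"\r\n"
        out += b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n\r\n'
        out += value.encode() + b"\r\n"
    out += b"--" + boundary + b"--\r\n"
    return bytes(out)
```

The cap complements, rather than replaces, max_content_length: a 1001-part body can be a few kilobytes, well under any sane byte limit, which is why a separate count-based limit was needed.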
Dominique Leuenberger (dimstar_suse) accepted request 976285 from Dirk Mueller (dirkmueller) (revision 37)
- update to 2.1.2:
  * The development server does not set ``Transfer-Encoding: chunked`` for 1xx, 204, 304, and HEAD responses. :issue:`2375`
  * Response HTML for exceptions and redirects starts with ``<!doctype html>`` and ``<html lang=en>``. :issue:`2390`
  * Fix ability to set some ``cache_control`` attributes to ``False``. :issue:`2379`
  * Disable ``keep-alive`` connections in the development server, which are not supported sufficiently by Python's ``http.server``. :issue:`2397`
- drop 2402-dev_server.patch (upstream)
Dominique Leuenberger (dimstar_suse) accepted request 975271 from Factory Maintainer (factory-maintainer) (revision 36)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 970992 from Matej Cepl (mcepl) (revision 35)
- Update to 2.1.1:
  - ResponseCacheControl.s_maxage converts its value to an int, like max_age.
  - Drop support for Python 3.6.
  - Using gevent or eventlet requires greenlet>=1.0 or PyPy>=7.3.7. werkzeug.locals and contextvars will not work correctly with older versions.
  - Remove previously deprecated code.
  - Remove the non-standard shutdown function from the WSGI environ when running the development server. See the docs for alternatives.
  - Request and response mixins have all been merged into the Request and Response classes.
  - The user agent parser and the useragents module is removed. The user_agent module provides an interface that can be subclassed to add a parser, such as ua-parser. By default it only stores the whole string.
  - The test client returns TestResponse instances and can no longer be treated as a tuple. All data is available as properties on the response.
  - Remove locals.get_ident and related thread-local code from locals, it no longer makes sense when moving to a contextvars-based implementation.
  - Remove the python -m werkzeug.serving CLI.
  - The has_key method on some mapping datastructures; use key in data instead.
  - Request.disable_data_descriptor is removed, pass shallow=True instead.
  - Remove the no_etag parameter from Response.freeze().
  - Remove the HTTPException.wrap class method.
  - Remove the cookie_date function. Use http_date instead.
  - Remove the pbkdf2_hex, pbkdf2_bin, and safe_str_cmp functions. Use equivalents in hashlib and hmac modules instead.
  - Remove the Href class.
  - Remove the HTMLBuilder class.
  - Remove the invalidate_cached_property function. Use del obj.attr instead.
  - Remove bind_arguments and validate_arguments. Use Signature.bind() and inspect.signature() instead.
  - Remove detect_utf_encoding, it’s built-in to json.loads.
  - Remove format_string, use string.Template instead.
  - Remove escape and unescape. Use MarkupSafe instead.
  - The multiple parameter of parse_options_header is deprecated.
  - Rely on PEP 538 and PEP 540 to handle decoding file names with the correct filesystem encoding. The filesystem module is removed.
  - Default values passed to Headers are validated the same way values added later are.
  - Setting CacheControl int properties, such as max_age, will convert the value to an int.
  - Always use socket.fromfd when restarting the dev server.
  - When passing a dict of URL values to Map.build, list values do not filter out None or collapse to a single value. Passing a MultiDict does collapse single items. This undoes a previous change that made it difficult to pass a list, or None values in a list, to custom URL converters.
  - run_simple shows instructions for dealing with “address already in use” errors, including extra instructions for macOS.
  - Extend list of characters considered always safe in URLs based on RFC 3986.
  - Optimize the stat reloader to avoid watching unnecessary files in more cases. The watchdog reloader is still recommended for performance and accuracy.
  - The development server uses Transfer-Encoding: chunked for streaming responses when it is configured for HTTP/1.1.
  - The development server uses HTTP/1.1, which enables keep-alive connections and chunked streaming responses, when threaded or processes is enabled.
  - cached_property works for classes with __slots__ if a corresponding _cache_{name} slot is added.
  - Refactor the debugger traceback formatter to use Python’s built-in traceback module as much as possible.
  - The TestResponse.text property is a shortcut for r.get_data(as_text=True), for convenient testing against text instead of bytes.
  - safe_join ensures that the path remains relative if the trusted directory is the empty string.
  - Percent-encoded newlines (%0a), which are decoded by WSGI servers, are considered when routing instead of terminating the match early.
  - The test client doesn’t set duplicate headers for CONTENT_LENGTH and CONTENT_TYPE.
  - append_slash_redirect handles PATH_INFO with internal slashes.
  - The default status code for append_slash_redirect is 308 instead of 301. This preserves the request body, and matches a previous change to strict_slashes in routing.
  - Fix ValueError: I/O operation on closed file. with the test client when following more than one redirect.
  - Response.autocorrect_location_header is disabled by default. The Location header URL will remain relative, and exclude the scheme and domain, by default.
  - Request.get_json() will raise a 400 BadRequest error if the Content-Type header is not application/json. This makes a very common source of confusion more visible.
- Add no-network-testing.patch to mark all tests requiring network access (so they can be skipped by pytest test runner, gh#pallets/werkzeug#2393).
Dominique Leuenberger (dimstar_suse) accepted request 954652 from Dirk Mueller (dirkmueller) (revision 34)
- update to 2.0.3:
  * ``ProxyFix`` supports IPv6 addresses.
  * Type annotation for ``Response.make_conditional``, ``HTTPException.get_response``, and ``Map.bind_to_environ`` accepts ``Request`` in addition to ``WSGIEnvironment`` for the first parameter.
  * Fix type annotation for ``Request.user_agent_class``.
  * Accessing ``LocalProxy.__class__`` and ``__doc__`` on an unbound proxy returns the fallback value instead of a method object.
  * Redirects with the test client set ``RAW_URI`` and ``REQUEST_URI`` correctly.
Dominique Leuenberger (dimstar_suse) accepted request 925758 from Dirk Mueller (dirkmueller) (revision 33)
- update to 2.0.2:
  * Handle multiple tokens in ``Connection`` header when routing WebSocket requests.
  * Set the debugger pin cookie secure flag when on https.
  * Fix type annotation for ``MultiDict.update`` to accept iterable values :pr:`2142`
  * Prevent double encoding of redirect URL when ``merge_slash=True`` for ``Rule.match``.
  * ``CombinedMultiDict.to_dict`` with ``flat=False`` considers all component dicts when building value lists. :issue:`2189`
  * ``send_file`` only sets a detected ``Content-Encoding`` if ``as_attachment`` is disabled to avoid browsers saving decompressed ``.tar.gz`` files.
  * Fix type annotations for ``TypeConversionDict.get`` to not return an ``Optional`` value if both ``default`` and ``type`` are not ``None``.
  * Fix type annotation for routing rule factories to accept ``Iterable[RuleFactory]`` instead of ``Iterable[Rule]`` for the ``rules`` parameter. :issue:`2183`
  * Add missing type annotation for ``FileStorage.__getattr__``
  * The debugger pin cookie is set with ``SameSite`` set to ``Strict`` instead of ``None`` to be compatible with modern browser security.
  * Type annotations use ``IO[bytes]`` and ``IO[str]`` instead of ``BinaryIO`` and ``TextIO`` for wider type compatibility.
  * Ad-hoc TLS certs are generated with SAN matching CN. :issue:`2158`
  * Fix memory usage for locals when using Python 3.6 or pre 0.4.17 greenlet versions. :pr:`2212`
  * Fix type annotation in ``CallbackDict``, because it is not utilizing a bound TypeVar. :issue:`2235`
  * Fix setting CSP header options on the response. :pr:`2237`
Dominique Leuenberger (dimstar_suse) accepted request 862678 from Markéta Machová (mcalabkova) (revision 31)
Dominique Leuenberger (dimstar_suse) accepted request 793341 from Tomáš Chvátal (scarabeus_iv) (revision 30)
Dominique Leuenberger (dimstar_suse) accepted request 779352 from Steve Kowalik (StevenK) (revision 29)
Dominique Leuenberger (dimstar_suse) accepted request 777800 from Steve Kowalik (StevenK) (revision 28)
- Update to 1.0.0:
  * Drop support for Python 3.4. (#1478)
  * Remove code that issued deprecation warnings in version 0.15. (#1477)
  * Remove most top-level attributes provided by the werkzeug module in favor of direct imports. For example, instead of import werkzeug; werkzeug.url_quote, do from werkzeug.urls import url_quote. Install version 0.16 first to see deprecation warnings while upgrading. #2, #1640
  * Added utils.invalidate_cached_property() to invalidate cached properties. (#1474)
  * Directive keys for the Set-Cookie response header are not ignored when parsing the Cookie request header. This allows cookies with names such as “expires” and “version”. (#1495)
  * Request cookies are parsed into a MultiDict to capture all values for cookies with the same key. cookies[key] returns the first value rather than the last. Use cookies.getlist(key) to get all values. parse_cookie also defaults to a MultiDict. #1562, #1458
  * Add charset=utf-8 to an HTTP exception response’s CONTENT_TYPE header. (#1526)
  * The interactive debugger handles outer variables in nested scopes such as lambdas and comprehensions. #913, #1037, #1532
  * The user agent for Opera 60 on Mac is correctly reported as “opera” instead of “chrome”. #1556
  * The platform for Crosswalk on Android is correctly reported as “android” instead of “chromeos”. (#1572)
  * Issue a warning when the current server name does not match the configured server name. #760
  * A configured server name with the default port for a scheme will match the current server name without the port if the current scheme matches. #1584
  * InternalServerError has an original_exception attribute that frameworks can use to track the original cause of the error. #1590
  * Headers are tested for equality independent of the header key case, such that X-Foo is the same as x-foo. #1605
  * http.dump_cookie() accepts 'None' as a value for samesite. #1549
  * set_cookie() accepts a samesite argument. #1705
  * Support the Content Security Policy header through the Response.content_security_policy data structure. #1617
  * LanguageAccept will fall back to matching “en” for “en-US” or “en-US” for “en” to better support clients or translations that only match at the primary language tag. #450, #1507
  * MIMEAccept uses MIME parameters for specificity when matching. #458, #1574
  * If the development server is started with an SSLContext configured to verify client certificates, the certificate in PEM format will be available as environ["SSL_CLIENT_CERT"]. #1469
  * is_resource_modified will run for methods other than GET and HEAD, rather than always returning False. #409
  * SharedDataMiddleware returns 404 rather than 500 when trying to access a directory instead of a file with the package loader. The dependency on setuptools and pkg_resources is removed. #1599
  * Add a response.cache_control.immutable flag. Keep in mind that browser support for this Cache-Control header option is still experimental and may not be implemented. #1185
  * Optional request log highlighting with the development server is handled by Click instead of termcolor. #1235
  * Optional ad-hoc TLS support for the development server is handled by cryptography instead of pyOpenSSL. #1555
  * FileStorage.save() supports pathlib and PEP 519 PathLike objects. #1653
  * The debugger security pin is unique in containers managed by Podman. #1661
  * Building a URL when host_matching is enabled takes into account the current host when there are duplicate endpoints with different hosts. #488
  * The 429 TooManyRequests and 503 ServiceUnavailable HTTP exceptions take a retry_after parameter to set the Retry-After header. #1657
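Two of the 1.0.0 cookie items above change what an application sees when a browser sends the same cookie name twice (which happens with cookie tossing, where a subdomain or an attacker-controlled path plants a second "session" cookie): all values are kept, indexing returns the first, and names such as "expires" are no longer swallowed as directives. The block below is an added example for this page, not Werkzeug's parse_cookie or MultiDict; it also drops pairs with an empty name as the 2.2.3 entry describes, and stripping one pair of surrounding double quotes from a value is an assumption made here.

```python
from typing import Dict, List, Optional

# Added example, not Werkzeug's own code: a Cookie request-header parser with
# multi-value semantics (first value wins on [], getlist() returns all).
# Directive-like names are ordinary cookies; an empty name is discarded.
# Quote stripping is an assumption of this example.


class MultiDict:
    def __init__(self) -> None:
        self._items: Dict[str, List[str]] = {}

    def add(self, key: str, value: str) -> None:
        self._items.setdefault(key, []).append(value)

    def __getitem__(self, key: str) -> str:
        return self._items[key][0]  # first value, not last

    def __contains__(self, key: object) -> bool:
        return key in self._items

    def get(self, key: str, default: Optional[str] = None) -> Optional[str]:
        return self._items[key][0] if key in self._items else default

    def getlist(self, key: str) -> List[str]:
        return list(self._items.get(key, []))

    def duplicates(self) -> List[str]:
        """Names sent more than once; worth logging or rejecting for session cookies."""
        return [k for k, v in self._items.items() if len(v) > 1]


def parse_cookie(header: str) -> MultiDict:
    cookies = MultiDict()
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        name = name.strip()
        if not sep or not name:
            continue  # RFC 6265 requires name=value; "=value" has an empty name
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        cookies.add(name, value)  # "expires", "version", ... are just names here
    return cookies
```

An application that authenticates with cookies["session"] should treat a non-empty duplicates() list for that name as suspicious rather than silently trusting whichever copy the browser happened to order first.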
Dominique Leuenberger (dimstar_suse) accepted request 732906 from Tomáš Chvátal (scarabeus_iv) (revision 27)
- Update to 0.16.0:
  * Deprecate most top-level attributes provided by the werkzeug module in favor of direct imports. The deprecated imports will be removed in version 1.0.
- Rebase patch 0001_create_a_thread_to_reap_death_process.patch
Dominique Leuenberger (dimstar_suse) accepted request 730725 from Tomáš Chvátal (scarabeus_iv) (revision 26)
- Update to 0.15.6:
  * Work around a bug in pip that caused the reloader to fail on Windows when the script was an entry point.
  * ProxyFix trusts the X-Forwarded-Proto header by default. :issue:`1630`
Displaying revisions 1 - 20 of 45