- Update to 3.0.1:
* Fix slow multipart parsing for large parts potentially enabling DoS
attacks. (CVE-2023-46136, bsc#1216581)
* Remove previously deprecated code.
* Deprecate the ``__version__`` attribute. Use feature detection, or
``importlib.metadata.version("werkzeug")``, instead.
* ``generate_password_hash`` uses scrypt by default.
* Add the ``"werkzeug.profiler"`` item to the WSGI ``environ`` dictionary
passed to `ProfilerMiddleware`'s `filename_format` function. It contains
the ``elapsed`` and ``time`` values for the profiled request.
* Explicitly marked the PathConverter as non path isolating.
OBS-URL: https://build.opensuse.org/request/show/1120656
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Werkzeug?expand=0&rev=45
* Fix slow multipart parsing for large parts potentially enabling DoS
attacks. (CVE-2023-46136, bsc#1216581)
* Remove previously deprecated code.
* Deprecate the ``__version__`` attribute. Use feature detection, or
``importlib.metadata.version("werkzeug")``, instead.
* ``generate_password_hash`` uses scrypt by default.
* Add the ``"werkzeug.profiler"`` item to the WSGI ``environ`` dictionary
passed to `ProfilerMiddleware`'s `filename_format` function. It contains
the ``elapsed`` and ``time`` values for the profiled request.
* Explicitly marked the PathConverter as non path isolating.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-Werkzeug?expand=0&rev=90
- Update to 2.3.7:
* Use ``flit_core`` instead of ``setuptools`` as build backend.
* Fix parsing of multipart bodies.
Adjust index of last newline in data start.
* ``_plain_int`` and ``_plain_float`` strip whitespace before type
enforcement.
* Fix empty file streaming when testing.
* Clearer error message when URL rule does not start with slash.
* ``Accept`` ``q`` value can be a float without a decimal part.
- Drop captialisation again.
OBS-URL: https://build.opensuse.org/request/show/1113325
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Werkzeug?expand=0&rev=44
* Use ``flit_core`` instead of ``setuptools`` as build backend.
* Fix parsing of multipart bodies.
Adjust index of last newline in data start.
* ``_plain_int`` and ``_plain_float`` strip whitespace before type
enforcement.
* Fix empty file streaming when testing.
* Clearer error message when URL rule does not start with slash.
* ``Accept`` ``q`` value can be a float without a decimal part.
- Drop captialisation again.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-Werkzeug?expand=0&rev=88
- Update to 2.3.6:
* FileStorage.content_length does not fail if the form data did not provide
a value.
- Update to 2.3.5:
* Python 3.12 compatibility.
* Fix handling of invalid base64 values in Authorization.from_header.
* The debugger escapes the exception message in the page title.
* When binding routing.Map, a long IDNA server_name with a port does not
fail encoding.
* iri_to_uri shows a deprecation warning instead of an error when passing
bytes.
* When parsing numbers in HTTP request headers such as Content-Length, only
ASCII digits are accepted rather than any format that Python’s int and
float accept.
- Update to 2.3.4:
* Authorization.from_header and WWWAuthenticate.from_header detects tokens
that end with base64 padding (=).
* Remove usage of warnings.catch_warnings.
* Remove max_form_parts restriction from standard form data parsing and only
use if for multipart content.
* Response will avoid converting the Location header in some cases to
preserve invalid URL schemes like itms-services.
- Update to 2.3.3:
* Fix parsing of large multipart bodies. Remove invalid leading newline, and
restore parsing speed.
* The cookie Path attribute is set to / by default again, to prevent clients
from falling back to RFC 6265’s default-path behavior.
- Update to 2.3.2:
* Parse the cookie Expires attribute correctly in the test client.
* max_content_length can only be enforced on streaming requests if the
server sets wsgi.input_terminated.
- Update to 2.3.1:
* Percent-encode plus (+) when building URLs and in test requests.
* Cookie values don’t quote characters defined in RFC 6265.
* Include pyi files for datastructures type annotations.
* Authorization and WWWAuthenticate objects can be compared for equality.
- Update to 2.3.0:
* Drop support for Python 3.7.
* Remove previously deprecated code.
* Passing bytes where strings are expected is deprecated, as well as the
charset and errors parameters in many places. Anywhere that was annotated,
documented, or tested to accept bytes shows a warning. Removing this
artifact of the transition from Python 2 to 3 removes a significant amount
of overhead in instance checks and encoding cycles. In general, always
work with UTF-8, the modern HTML, URL, and HTTP standards all strongly
recommend this.
* Deprecate the werkzeug.urls module, except for the uri_to_iri and
iri_to_uri functions. Use the urllib.parse library instead.
* Update which characters are considered safe when using percent encoding
in URLs, based on the WhatWG URL Standard.
* Update which characters are considered safe when using percent encoding
for Unicode filenames in downloads.
* Deprecate the safe_conversion parameter of iri_to_uri. The Location header
is converted to IRI using the same process as everywhere else.
* Deprecate werkzeug.wsgi.make_line_iter and make_chunk_iter.
* Use modern packaging metadata with pyproject.toml instead of setup.cfg.
* Request.get_json() will raise a 415 Unsupported Media Type error if the
Content-Type header is not application/json, instead of a generic 400.
* A URL converter’s part_isolating defaults to False if its regex contains
a /.
* A custom converter’s regex can have capturing groups without breaking
the router.
* The reloader can pick up arguments to python like -X dev, and does not
require heuristics to determine how to reload the command. Only available
on Python >= 3.10.
* The Watchdog reloader ignores file opened events. Bump the minimum version
of Watchdog to 2.3.0.
* When using a Unix socket for the development server, the path can start
with a dot.
* Increase default work factor for PBKDF2 to 600,000 iterations.
* parse_options_header is 2-3 times faster. It conforms to RFC 9110, some
invalid parts that were previously accepted are now ignored.
* The is_filename parameter to unquote_header_value is deprecated.
* Deprecate the extra_chars parameter and passing bytes to
quote_header_value, the allow_token parameter to dump_header, and the cls
parameter and passing bytes to parse_dict_header.
* Improve parse_accept_header implementation. Parse according to RFC 9110.
Discard items with invalid q values.
* quote_header_value quotes the empty string.
* dump_options_header skips None values rather than using a bare key.
* dump_header and dump_options_header will not quote a value if the key ends
with an asterisk *.
* parse_dict_header will decode values with charsets.
* Refactor the Authorization and WWWAuthenticate header data structures.
+ Both classes have type, parameters, and token attributes. The token
attribute supports auth schemes that use a single opaque token rather
than key=value parameters, such as Bearer.
+ Neither class is a dict anymore, although they still implement getting,
setting, and deleting auth[key] and auth.key syntax, as well as
auth.get(key) and key in auth.
+ Both classes have a from_header class method. parse_authorization_header
and parse_www_authenticate_header are deprecated.
+ The methods WWWAuthenticate.set_basic and set_digest are deprecated.
Instead, an instance should be created and assigned to
response.www_authenticate.
+ A list of instances can be assigned to response.www_authenticate to set
multiple header values. However, accessing the property only returns the
first instance.
* Refactor parse_cookie and dump_cookie.
+ parse_cookie is up to 40% faster, dump_cookie is up to 60% faster.
+ Passing bytes to parse_cookie and dump_cookie is deprecated. The
dump_cookie charset parameter is deprecated.
+ dump_cookie allows domain values that do not include a dot ., and strips
off a leading dot.
+ dump_cookie does not set path="/" unnecessarily by default.
* Refactor the test client cookie implementation.
+ The cookie_jar attribute is deprecated. http.cookiejar is no longer used
for storage.
+ Domain and path matching is used when sending cookies in requests. The
domain and path parameters default to localhost and /.
+ Added a get_cookie method to inspect cookies.
+ Cookies have decoded_key and decoded_value attributes to match what the
app sees rather than the encoded values a client would see.
+ The first positional server_name parameter to set_cookie and
delete_cookie is deprecated. Use the domain parameter instead.
+ Other parameters to delete_cookie besides domain, path, and value are
deprecated.
* If request.max_content_length is set, it is checked immediately when
accessing the stream, and while reading from the stream in general, rather
than only during form parsing.
* The development server, which must not be used in production, will exhaust
the request stream up to 10GB or 1000 reads. This allows clients to see a
413 error if max_content_length is exceeded, instead of a “connection
reset” failure.
* The development server discards header keys that contain underscores _, as
they are ambiguous with dashes - in WSGI.
* secure_filename looks for more Windows reserved file names.
* Update type annotation for best_match to make default parameter clearer.
* Multipart parser handles empty fields correctly.
* The Map charset parameter and Request.url_charset property are deprecated.
Percent encoding in URLs must always represent UTF-8 bytes. Invalid bytes
are left percent encoded rather than replaced.
* The Request.charset, Request.encoding_errors, Response.charset, and
Client.charset attributes are deprecated. Request and response data must
always use UTF-8.
* Header values that have charset information only allow ASCII, UTF-8, and
ISO-8859-1.
* Update type annotation for ProfilerMiddleware stream parameter.
* Use postponed evaluation of annotations.
* The development server escapes ASCII control characters in decoded URLs
before logging the request to the terminal.
* The FormDataParser parse_functions attribute and get_parse_func method,
and the invalid application/x-url-encoded content type, are deprecated.
* generate_password_hash supports scrypt. Plain hash methods are deprecated,
only scrypt and pbkdf2 are supported.
- Remove patch which was made obsolete by upstream:
* moved_root.patch
OBS-URL: https://build.opensuse.org/request/show/1093788
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Werkzeug?expand=0&rev=42
- Update to 2.3.6:
* FileStorage.content_length does not fail if the form data did not provide
a value.
- Update to 2.3.5:
* Python 3.12 compatibility.
* Fix handling of invalid base64 values in Authorization.from_header.
* The debugger escapes the exception message in the page title.
* When binding routing.Map, a long IDNA server_name with a port does not
fail encoding.
* iri_to_uri shows a deprecation warning instead of an error when passing
bytes.
* When parsing numbers in HTTP request headers such as Content-Length, only
ASCII digits are accepted rather than any format that Python’s int and
float accept.
- Update to 2.3.4:
* Authorization.from_header and WWWAuthenticate.from_header detects tokens
that end with base64 padding (=).
* Remove usage of warnings.catch_warnings.
* Remove max_form_parts restriction from standard form data parsing and only
use if for multipart content.
* Response will avoid converting the Location header in some cases to
preserve invalid URL schemes like itms-services.
- Update to 2.3.3:
* Fix parsing of large multipart bodies. Remove invalid leading newline, and
restore parsing speed.
* The cookie Path attribute is set to / by default again, to prevent clients
from falling back to RFC 6265’s default-path behavior.
- Update to 2.3.2:
* Parse the cookie Expires attribute correctly in the test client.
* max_content_length can only be enforced on streaming requests if the
OBS-URL: https://build.opensuse.org/request/show/1093739
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-Werkzeug?expand=0&rev=81
- update to 2.2.3 (bsc#1208283, CVE-2023-25577):
* Ensure that URL rules using path converters will redirect
with strict slashes when the trailing slash is missing.
* Type signature for ``get_json`` specifies that return type
is not optional when ``silent=False``.
* ``parse_content_range_header`` returns ``None`` for a value
like ``bytes */-1`` where the length is invalid, instead of
raising an ``AssertionError``.
* Address remaining ``ResourceWarning`` related to the socket
used by ``run_simple``.
* Remove ``prepare_socket``, which now happens when
creating the server.
* Update pre-existing headers for ``multipart/form-data``
requests with the test client.
* Fix handling of header extended parameters such that they
are no longer quoted.
* ``LimitedStream.read`` works correctly when wrapping a
stream that may not return the requested size in one
``read`` call.
* A cookie header that starts with ``=`` is treated as an
empty key and discarded, rather than stripping the leading ``==``.
* Specify a maximum number of multipart parts, default 1000,
after which a ``RequestEntityTooLarge`` exception is
raised on parsing. This mitigates a DoS attack where a
larger number of form/file parts would result in disproportionate
resource use.
OBS-URL: https://build.opensuse.org/request/show/1071237
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Werkzeug?expand=0&rev=40
* Ensure that URL rules using path converters will redirect
with strict slashes when the trailing slash is missing.
* Type signature for ``get_json`` specifies that return type
is not optional when ``silent=False``.
* ``parse_content_range_header`` returns ``None`` for a value
like ``bytes */-1`` where the length is invalid, instead of
raising an ``AssertionError``.
* Address remaining ``ResourceWarning`` related to the socket
used by ``run_simple``.
* Remove ``prepare_socket``, which now happens when
creating the server.
* Update pre-existing headers for ``multipart/form-data``
requests with the test client.
* Fix handling of header extended parameters such that they
are no longer quoted.
* ``LimitedStream.read`` works correctly when wrapping a
stream that may not return the requested size in one
``read`` call.
* A cookie header that starts with ``=`` is treated as an
empty key and discarded, rather than stripping the leading ``==``.
* Specify a maximum number of multipart parts, default 1000,
after which a ``RequestEntityTooLarge`` exception is
raised on parsing. This mitigates a DoS attack where a
larger number of form/file parts would result in disproportionate
resource use.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-Werkzeug?expand=0&rev=76
- test failed due to markupsafe module missing
Included markupsafe module
- Update to 2.2.2:
* Fix router to restore the 2.1 strict_slashes == False behaviour whereby leaf-requests match branch rules and vice versa. #2489
* Fix router to identify invalid rules rather than hang parsing them, and to correctly parse / within converter arguments. #2489
* Update subpackage imports in werkzeug.routing to use the import as syntax for explicitly re-exporting public attributes. #2493
* Parsing of some invalid header characters is more robust. #2494
* When starting the development server, a warning not to use it in a production deployment is always shown. #2480
* LocalProxy.__wrapped__ is always set to the wrapped object when the proxy is unbound, fixing an issue in doctest that would cause it to fail. #2485
* Address one ResourceWarning related to the socket used by run_simple. #2421
- Update to Version 2.2.1:
* Fix router so that /path/ will match a rule /path if strict slashes mode is disabled for the rule. #2467
* Fix router so that partial part matches are not allowed i.e. /2df does not match /<int>. #2470
* Fix router static part weighting, so that simpler routes are matched before more complex ones. #2471
* Restore ValidationError to be importable from werkzeug.routing. #2465
- Update to Version 2.2.0
* Deprecated get_script_name, get_query_string, peek_path_info, pop_path_info, and extract_path_info. #2461
* Remove previously deprecated code. #2461
* Add MarkupSafe as a dependency and use it to escape values when rendering HTML. #2419
* Added the werkzeug.debug.preserve_context mechanism for restoring context-local data for a request when running code in the debug console. #2439
* Fix compatibility with Python 3.11 by ensuring that end_lineno and end_col_offset are present on AST nodes. #2425
* Add a new faster matching router based on a state machine. #2433
* Fix branch leaf path masking branch paths when strict-slashes is disabled. #1074
* Names within options headers are always converted to lowercase. This matches RFC 6266 that the case is not relevant. #2442
* AnyConverter validates the value passed for it when building URLs. #2388
* The debugger shows enhanced error locations in tracebacks in Python 3.11. #2407
* Added Sans-IO is_resource_modified and parse_cookie functions based on WSGI versions. #2408
* Added Sans-IO get_content_length function. #2415
* Don’t assume a mimetype for test responses. #2450
OBS-URL: https://build.opensuse.org/request/show/1003019
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-Werkzeug?expand=0&rev=70
- update to 2.1.2:
* The development server does not set ``Transfer-Encoding: chunked``
for 1xx, 204, 304, and HEAD responses. :issue:`2375`
* Response HTML for exceptions and redirects starts with
``<!doctype html>`` and ``<html lang=en>``. :issue:`2390`
* Fix ability to set some ``cache_control`` attributes to ``False``.
:issue:`2379`
* Disable ``keep-alive`` connections in the development server, which
are not supported sufficiently by Python's ``http.server``.
:issue:`2397`
- drop 2402-dev_server.patch (upstream)
OBS-URL: https://build.opensuse.org/request/show/976285
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Werkzeug?expand=0&rev=37
* The development server does not set ``Transfer-Encoding: chunked``
for 1xx, 204, 304, and HEAD responses. :issue:`2375`
* Response HTML for exceptions and redirects starts with
``<!doctype html>`` and ``<html lang=en>``. :issue:`2390`
* Fix ability to set some ``cache_control`` attributes to ``False``.
:issue:`2379`
* Disable ``keep-alive`` connections in the development server, which
are not supported sufficiently by Python's ``http.server``.
:issue:`2397`
- drop 2402-dev_server.patch (upstream)
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-Werkzeug?expand=0&rev=66
- Update to 2.1.1:
- ResponseCacheControl.s_maxage converts its value to an int,
like max_age.
- Drop support for Python 3.6.
- Using gevent or eventlet requires greenlet>=1.0 or
PyPy>=7.3.7. werkzeug.locals and contextvars will not work
correctly with older versions.
- Remove previously deprecated code.
- Remove the non-standard shutdown function from the WSGI
environ when running the development server. See the docs
for alternatives.
- Request and response mixins have all been merged into the
Request and Response classes.
- The user agent parser and the useragents module is
removed. The user_agent module provides an interface that
can be subclassed to add a parser, such as ua-parser. By
default it only stores the whole string.
- The test client returns TestResponse instances and can no
longer be treated as a tuple. All data is available as
properties on the response.
- Remove locals.get_ident and related thread-local code from
locals, it no longer makes sense when moving to
a contextvars-based implementation.
- Remove the python -m werkzeug.serving CLI.
- The has_key method on some mapping datastructures; use key
in data instead.
- Request.disable_data_descriptor is removed, pass
shallow=True instead.
- Remove the no_etag parameter from Response.freeze().
- Remove the HTTPException.wrap class method.
- Remove the cookie_date function. Use http_date instead.
- Remove the pbkdf2_hex, pbkdf2_bin, and safe_str_cmp
functions. Use equivalents in hashlib and hmac modules
instead.
- Remove the Href class.
- Remove the HTMLBuilder class.
- Remove the invalidate_cached_property function. Use del
obj.attr instead.
- Remove bind_arguments and validate_arguments. Use
Signature.bind() and inspect.signature() instead.
- Remove detect_utf_encoding, it’s built-in to json.loads.
- Remove format_string, use string.Template instead.
- Remove escape and unescape. Use MarkupSafe instead.
- The multiple parameter of parse_options_header is
deprecated.
- Rely on PEP 538 and PEP 540 to handle decoding file names
with the correct filesystem encoding. The filesystem module
is removed.
- Default values passed to Headers are validated the same way
values added later are.
- Setting CacheControl int properties, such as max_age, will
convert the value to an int.
- Always use socket.fromfd when restarting the dev server.
- When passing a dict of URL values to Map.build, list values
do not filter out None or collapse to a single value.
Passing a MultiDict does collapse single items. This undoes
a previous change that made it difficult to pass a list, or
None values in a list, to custom URL converters.
- run_simple shows instructions for dealing with “address
already in use” errors, including extra instructions for
macOS.
- Extend list of characters considered always safe in URLs
based on RFC 3986.
- Optimize the stat reloader to avoid watching unnecessary
files in more cases. The watchdog reloader is still
recommended for performance and accuracy.
- The development server uses Transfer-Encoding: chunked for
streaming responses when it is configured for HTTP/1.1.
- The development server uses HTTP/1.1, which enables
keep-alive connections and chunked streaming responses,
when threaded or processes is enabled.
- cached_property works for classes with __slots__ if
a corresponding _cache_{name} slot is added.
- Refactor the debugger traceback formatter to use Python’s
built-in traceback module as much as possible.
- The TestResponse.text property is a shortcut for
r.get_data(as_text=True), for convenient testing against
text instead of bytes.
- safe_join ensures that the path remains relative if the
trusted directory is the empty string.
- Percent-encoded newlines (%0a), which are decoded by WSGI
servers, are considered when routing instead of terminating
the match early.
- The test client doesn’t set duplicate headers for
CONTENT_LENGTH and CONTENT_TYPE.
- append_slash_redirect handles PATH_INFO with internal
slashes.
- The default status code for append_slash_redirect is 308
instead of 301. This preserves the request body, and
matches a previous change to strict_slashes in routing.
- Fix ValueError: I/O operation on closed file. with the test
client when following more than one redirect.
- Response.autocorrect_location_header is disabled by
default. The Location header URL will remain relative, and
exclude the scheme and domain, by default.
- Request.get_json() will raise a 400 BadRequest error if the
Content-Type header is not application/json. This makes
a very common source of confusion more visible.
- Add no-network-testing.patch to mark all tests requiring
network access (so they can be skipped by pytest test runner,
gh#pallets/werkzeug#2393).
OBS-URL: https://build.opensuse.org/request/show/970992
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Werkzeug?expand=0&rev=35
- Update to 2.1.1:
- ResponseCacheControl.s_maxage converts its value to an int,
like max_age.
- Drop support for Python 3.6.
- Using gevent or eventlet requires greenlet>=1.0 or
PyPy>=7.3.7. werkzeug.locals and contextvars will not work
correctly with older versions.
- Remove previously deprecated code.
- Remove the non-standard shutdown function from the WSGI
environ when running the development server. See the docs
for alternatives.
- Request and response mixins have all been merged into the
Request and Response classes.
- The user agent parser and the useragents module is
removed. The user_agent module provides an interface that
can be subclassed to add a parser, such as ua-parser. By
default it only stores the whole string.
- The test client returns TestResponse instances and can no
longer be treated as a tuple. All data is available as
properties on the response.
- Remove locals.get_ident and related thread-local code from
locals, it no longer makes sense when moving to
a contextvars-based implementation.
- Remove the python -m werkzeug.serving CLI.
- The has_key method on some mapping datastructures; use key
in data instead.
- Request.disable_data_descriptor is removed, pass
shallow=True instead.
- Remove the no_etag parameter from Response.freeze().
- Remove the HTTPException.wrap class method.
OBS-URL: https://build.opensuse.org/request/show/970987
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-Werkzeug?expand=0&rev=62
- update to 2.0.3:
* ``ProxyFix`` supports IPv6 addresses.
* Type annotation for ``Response.make_conditional``,
``HTTPException.get_response``, and ``Map.bind_to_environ`` accepts
``Request`` in addition to ``WSGIEnvironment`` for the first
parameter.
* Fix type annotation for ``Request.user_agent_class``.
* Accessing ``LocalProxy.__class__`` and ``__doc__`` on an unbound
proxy returns the fallback value instead of a method object.
* Redirects with the test client set ``RAW_URI`` and ``REQUEST_URI``
correctly.
OBS-URL: https://build.opensuse.org/request/show/954652
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Werkzeug?expand=0&rev=34
* ``ProxyFix`` supports IPv6 addresses.
* Type annotation for ``Response.make_conditional``,
``HTTPException.get_response``, and ``Map.bind_to_environ`` accepts
``Request`` in addition to ``WSGIEnvironment`` for the first
parameter.
* Fix type annotation for ``Request.user_agent_class``.
* Accessing ``LocalProxy.__class__`` and ``__doc__`` on an unbound
proxy returns the fallback value instead of a method object.
* Redirects with the test client set ``RAW_URI`` and ``REQUEST_URI``
correctly.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-Werkzeug?expand=0&rev=61
- update to 2.0.2:
* Handle multiple tokens in ``Connection`` header when routing
WebSocket requests.
* Set the debugger pin cookie secure flag when on https.
* Fix type annotation for ``MultiDict.update`` to accept iterable
values :pr:`2142`
* Prevent double encoding of redirect URL when ``merge_slash=True``
for ``Rule.match``.
* ``CombinedMultiDict.to_dict`` with ``flat=False`` considers all
component dicts when building value lists. :issue:`2189`
* ``send_file`` only sets a detected ``Content-Encoding`` if
``as_attachment`` is disabled to avoid browsers saving
decompressed ``.tar.gz`` files.
* Fix type annotations for ``TypeConversionDict.get`` to not return an
``Optional`` value if both ``default`` and ``type`` are not
``None``.
* Fix type annotation for routing rule factories to accept
``Iterable[RuleFactory]`` instead of ``Iterable[Rule]`` for the
``rules`` parameter. :issue:`2183`
* Add missing type annotation for ``FileStorage.__getattr__``
* The debugger pin cookie is set with ``SameSite`` set to ``Strict``
instead of ``None`` to be compatible with modern browser security.
* Type annotations use ``IO[bytes]`` and ``IO[str]`` instead of
``BinaryIO`` and ``TextIO`` for wider type compatibility.
* Ad-hoc TLS certs are generated with SAN matching CN. :issue:`2158`
* Fix memory usage for locals when using Python 3.6 or pre 0.4.17
greenlet versions. :pr:`2212`
* Fix type annotation in ``CallbackDict``, because it is not
utilizing a bound TypeVar. :issue:`2235`
* Fix setting CSP header options on the response. :pr:`2237`
OBS-URL: https://build.opensuse.org/request/show/925758
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Werkzeug?expand=0&rev=33
* Handle multiple tokens in ``Connection`` header when routing
WebSocket requests.
* Set the debugger pin cookie secure flag when on https.
* Fix type annotation for ``MultiDict.update`` to accept iterable
values :pr:`2142`
* Prevent double encoding of redirect URL when ``merge_slash=True``
for ``Rule.match``.
* ``CombinedMultiDict.to_dict`` with ``flat=False`` considers all
component dicts when building value lists. :issue:`2189`
* ``send_file`` only sets a detected ``Content-Encoding`` if
``as_attachment`` is disabled to avoid browsers saving
decompressed ``.tar.gz`` files.
* Fix type annotations for ``TypeConversionDict.get`` to not return an
``Optional`` value if both ``default`` and ``type`` are not
``None``.
* Fix type annotation for routing rule factories to accept
``Iterable[RuleFactory]`` instead of ``Iterable[Rule]`` for the
``rules`` parameter. :issue:`2183`
* Add missing type annotation for ``FileStorage.__getattr__``
* The debugger pin cookie is set with ``SameSite`` set to ``Strict``
instead of ``None`` to be compatible with modern browser security.
* Type annotations use ``IO[bytes]`` and ``IO[str]`` instead of
``BinaryIO`` and ``TextIO`` for wider type compatibility.
* Ad-hoc TLS certs are generated with SAN matching CN. :issue:`2158`
* Fix memory usage for locals when using Python 3.6 or pre 0.4.17
greenlet versions. :pr:`2212`
* Fix type annotation in ``CallbackDict``, because it is not
utilizing a bound TypeVar. :issue:`2235`
* Fix setting CSP header options on the response. :pr:`2237`
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-Werkzeug?expand=0&rev=60
* Drop support for Python 3.4. (#1478)
* Remove code that issued deprecation warnings in version 0.15. (#1477)
* Remove most top-level attributes provided by the werkzeug module in favor of direct imports. For example, instead of import werkzeug; werkzeug.url_quote, do from werkzeug.urls import url_quote. Install version 0.16 first to see deprecation warnings while upgrading. #2, #1640
* Added utils.invalidate_cached_property() to invalidate cached properties. (#1474)
* Directive keys for the Set-Cookie response header are not ignored when parsing the Cookie request header. This allows cookies with names such as “expires” and “version”. (#1495)
* Request cookies are parsed into a MultiDict to capture all values for cookies with the same key. cookies[key] returns the first value rather than the last. Use cookies.getlist(key) to get all values. parse_cookie also defaults to a MultiDict. #1562, #1458
* Add charset=utf-8 to an HTTP exception response’s CONTENT_TYPE header. (#1526)
* The interactive debugger handles outer variables in nested scopes such as lambdas and comprehensions. #913, #1037, #1532
* The user agent for Opera 60 on Mac is correctly reported as “opera” instead of “chrome”. #1556
* The platform for Crosswalk on Android is correctly reported as “android” instead of “chromeos”. (#1572)
* Issue a warning when the current server name does not match the configured server name. #760
* A configured server name with the default port for a scheme will match the current server name without the port if the current scheme matches. #1584
* InternalServerError has a original_exception attribute that frameworks can use to track the original cause of the error. #1590
* Headers are tested for equality independent of the header key case, such that X-Foo is the same as x-foo. #1605
* http.dump_cookie() accepts 'None' as a value for samesite. #1549
* set_cookie() accepts a samesite argument. #1705
* Support the Content Security Policy header through the Response.content_security_policy data structure. #1617
* LanguageAccept will fall back to matching “en” for “en-US” or “en-US” for “en” to better support clients or translations that only match at the primary language tag. #450, #1507
* MIMEAccept uses MIME parameters for specificity when matching. #458, #1574
* If the development server is started with an SSLContext configured to verify client certificates, the certificate in PEM format will be available as environ["SSL_CLIENT_CERT"]. #1469
* is_resource_modified will run for methods other than GET and HEAD, rather than always returning False. #409
* SharedDataMiddleware returns 404 rather than 500 when trying to access a directory instead of a file with the package loader. The dependency on setuptools and pkg_resources is removed. #1599
* Add a response.cache_control.immutable flag. Keep in mind that browser support for this Cache-Control header option is still experimental and may not be implemented. #1185
* Optional request log highlighting with the development server is handled by Click instead of termcolor. #1235
* Optional ad-hoc TLS support for the development server is handled by cryptography instead of pyOpenSSL. #1555
* FileStorage.save() supports pathlib and PEP 519 PathLike objects. #1653
* The debugger security pin is unique in containers managed by Podman. #1661
* Building a URL when host_matching is enabled takes into account the current host when there are duplicate endpoints with different hosts. #488
* The 429 TooManyRequests and 503 ServiceUnavailable HTTP exceptions takes a retry_after parameter to set the Retry-After header. #1657
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-Werkzeug?expand=0&rev=54
- Update to 1.0.0:
* Drop support for Python 3.4. (#1478)
* Remove code that issued deprecation warnings in version 0.15. (#1477)
* Remove most top-level attributes provided by the werkzeug module in favor of direct imports. For example, instead of import werkzeug; werkzeug.url_quote, do from werkzeug.urls import url_quote. Install version 0.16 first to see deprecation warnings while upgrading. #2, #1640
* Added utils.invalidate_cached_property() to invalidate cached properties. (#1474)
* Directive keys for the Set-Cookie response header are not ignored when parsing the Cookie request header. This allows cookies with names such as “expires” and “version”. (#1495)
* Request cookies are parsed into a MultiDict to capture all values for cookies with the same key. cookies[key] returns the first value rather than the last. Use cookies.getlist(key) to get all values. parse_cookie also defaults to a MultiDict. #1562, #1458
* Add charset=utf-8 to an HTTP exception response’s CONTENT_TYPE header. (#1526)
* The interactive debugger handles outer variables in nested scopes such as lambdas and comprehensions. #913, #1037, #1532
* The user agent for Opera 60 on Mac is correctly reported as “opera” instead of “chrome”. #1556
* The platform for Crosswalk on Android is correctly reported as “android” instead of “chromeos”. (#1572)
* Issue a warning when the current server name does not match the configured server name. #760
* A configured server name with the default port for a scheme will match the current server name without the port if the current scheme matches. #1584
* InternalServerError has a original_exception attribute that frameworks can use to track the original cause of the error. #1590
* Headers are tested for equality independent of the header key case, such that X-Foo is the same as x-foo. #1605
* http.dump_cookie() accepts 'None' as a value for samesite. #1549
* set_cookie() accepts a samesite argument. #1705
* Support the Content Security Policy header through the Response.content_security_policy data structure. #1617
* LanguageAccept will fall back to matching “en” for “en-US” or “en-US” for “en” to better support clients or translations that only match at the primary language tag. #450, #1507
* MIMEAccept uses MIME parameters for specificity when matching. #458, #1574
* If the development server is started with an SSLContext configured to verify client certificates, the certificate in PEM format will be available as environ["SSL_CLIENT_CERT"]. #1469
* is_resource_modified will run for methods other than GET and HEAD, rather than always returning False. #409
* SharedDataMiddleware returns 404 rather than 500 when trying to access a directory instead of a file with the package loader. The dependency on setuptools and pkg_resources is removed. #1599
* Add a response.cache_control.immutable flag. Keep in mind that browser support for this Cache-Control header option is still experimental and may not be implemented. #1185
* Optional request log highlighting with the development server is handled by Click instead of termcolor. #1235
* Optional ad-hoc TLS support for the development server is handled by cryptography instead of pyOpenSSL. #1555
* FileStorage.save() supports pathlib and PEP 519 PathLike objects. #1653
* The debugger security pin is unique in containers managed by Podman. #1661
* Building a URL when host_matching is enabled takes into account the current host when there are duplicate endpoints with different hosts. #488
* The 429 TooManyRequests and 503 ServiceUnavailable HTTP exceptions takes a retry_after parameter to set the Retry-After header. #1657
OBS-URL: https://build.opensuse.org/request/show/777800
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Werkzeug?expand=0&rev=28
* Drop support for Python 3.4. (#1478)
* Remove code that issued deprecation warnings in version 0.15. (#1477)
* Remove most top-level attributes provided by the werkzeug module in favor of direct imports. For example, instead of import werkzeug; werkzeug.url_quote, do from werkzeug.urls import url_quote. Install version 0.16 first to see deprecation warnings while upgrading. #2, #1640
* Added utils.invalidate_cached_property() to invalidate cached properties. (#1474)
* Directive keys for the Set-Cookie response header are not ignored when parsing the Cookie request header. This allows cookies with names such as “expires” and “version”. (#1495)
* Request cookies are parsed into a MultiDict to capture all values for cookies with the same key. cookies[key] returns the first value rather than the last. Use cookies.getlist(key) to get all values. parse_cookie also defaults to a MultiDict. #1562, #1458
* Add charset=utf-8 to an HTTP exception response’s CONTENT_TYPE header. (#1526)
* The interactive debugger handles outer variables in nested scopes such as lambdas and comprehensions. #913, #1037, #1532
* The user agent for Opera 60 on Mac is correctly reported as “opera” instead of “chrome”. #1556
* The platform for Crosswalk on Android is correctly reported as “android” instead of “chromeos”. (#1572)
* Issue a warning when the current server name does not match the configured server name. #760
* A configured server name with the default port for a scheme will match the current server name without the port if the current scheme matches. #1584
* InternalServerError has a original_exception attribute that frameworks can use to track the original cause of the error. #1590
* Headers are tested for equality independent of the header key case, such that X-Foo is the same as x-foo. #1605
* http.dump_cookie() accepts 'None' as a value for samesite. #1549
* set_cookie() accepts a samesite argument. #1705
* Support the Content Security Policy header through the Response.content_security_policy data structure. #1617
* LanguageAccept will fall back to matching “en” for “en-US” or “en-US” for “en” to better support clients or translations that only match at the primary language tag. #450, #1507
* MIMEAccept uses MIME parameters for specificity when matching. #458, #1574
* If the development server is started with an SSLContext configured to verify client certificates, the certificate in PEM format will be available as environ["SSL_CLIENT_CERT"]. #1469
* is_resource_modified will run for methods other than GET and HEAD, rather than always returning False. #409
* SharedDataMiddleware returns 404 rather than 500 when trying to access a directory instead of a file with the package loader. The dependency on setuptools and pkg_resources is removed. #1599
* Add a response.cache_control.immutable flag. Keep in mind that browser support for this Cache-Control header option is still experimental and may not be implemented. #1185
* Optional request log highlighting with the development server is handled by Click instead of termcolor. #1235
* Optional ad-hoc TLS support for the development server is handled by cryptography instead of pyOpenSSL. #1555
* FileStorage.save() supports pathlib and PEP 519 PathLike objects. #1653
* The debugger security pin is unique in containers managed by Podman. #1661
* Building a URL when host_matching is enabled takes into account the current host when there are duplicate endpoints with different hosts. #488
* The 429 TooManyRequests and 503 ServiceUnavailable HTTP exceptions takes a retry_after parameter to set the Retry-After header. #1657
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-Werkzeug?expand=0&rev=49
