d0ca1e8919
- update to 3.1.5:
  * safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. :ghsa:87hc-h4r5-73f7
  * Fix AttributeError when initializing DebuggedApplication with pin_security=False. :issue:3075
  * drops 0001-limit-the-maximum-number-of-multipart-form-parts.patch stream that may not return the requested size in one
  * Type checking FileStorage accepts os.PathLike. #2418 :issue:2397
- Fix type annotation for send_file max_age callable. Don’t pass
- Mark top-level names as exported so type checking understands imports
- cached_property is generic over its return type, properties decorated
- Fix multipart parsing bug when boundary contains special regex
- Type checking understands that calling headers.get with a string
- If HTTPException.description is not a string, get_description will
- Deprecate the environ["werkzeug.server.shutdown"] function that is
- Deprecate the useragents module and the built-in user agent parser. Use a dedicated parser library instead by subclassing user_agent.UserAgent
- All datetime values are timezone-aware with tzinfo=timezone.utc. This applies to anything using http.parse_date: Request.date, .if_modified_since, .if_unmodified_since; Response.date, .expires, .last_modified, .retry_after; parse_if_range_header, and IfRange.date. When comparing values, the other values must also be aware, or these values must be made naive. When passing parameters or setting
- Merge all request and response wrapper mixin code into single Request and Response classes. Using the mixin classes is no longer necessary and will show a deprecation warning. Checking isinstance or issubclass against BaseRequest and BaseResponse will show a deprecation warning
- JSON support no longer uses simplejson if it’s installed. To use
Dirk Mueller 2026-01-27 16:24:58 +00:00
5fd1612e07
Accepting request 1325968 from devel:languages:python
Ana Guerrero 2026-01-09 16:02:46 +00:00
bbe06c646c
Accepting request 1325807 from home:glaubitz:branches:devel:languages:python
Markéta Machová 2026-01-08 13:56:27 +00:00
d57c27d919
Accepting request 1223597 from devel:languages:python
Ana Guerrero 2024-11-12 18:19:57 +00:00
5addf4ec6f
- Update to 3.1.3
  * Initial data passed to MultiDict and similar interfaces only accepts list, tuple, or set when passing multiple values. It had been changed to accept any Collection, but this matched types that should be treated as single values, such as bytes. :issue:2994
  * When the Host header is not set and Request.host falls back to the WSGI SERVER_NAME value, if that value is an IPv6 address it is wrapped in [] to match the Host header. :issue:2993
- from version 3.1.2
  * Improve type annotation for TypeConversionDict.get to allow the type parameter to be a callable. :issue:2988
  * Headers does not inherit from MutableMapping, as it does not exactly match that interface. :issue:2989
Dirk Mueller 2024-11-12 09:37:54 +00:00
e861f25332
Accepting request 1223546 from home:glaubitz:branches:devel:languages:python
Dirk Mueller 2024-11-12 09:37:54 +00:00
a439a0533f
Accepting request 1221443 from devel:languages:python
Ana Guerrero 2024-11-06 15:49:44 +00:00
7d1527a6dd
Accepting request 1221443 from devel:languages:python
Ana Guerrero 2024-11-06 15:49:44 +00:00
747921aa90
- Update to 3.1.1
  * Fix an issue that caused str(Request.headers) to always appear empty. :issue:2985
- from version 3.1.0
  * Drop support for Python 3.8. :pr:2966
  * Remove previously deprecated code. :pr:2967
  * Request.max_form_memory_size defaults to 500kB instead of unlimited. Non-file form fields over this size will cause a RequestEntityTooLarge error. :issue:2964
  * OrderedMultiDict and ImmutableOrderedMultiDict are deprecated. Use MultiDict and ImmutableMultiDict instead. :issue:2968
  * Behavior of properties on request.cache_control and response.cache_control has been significantly adjusted.
  * Dict values are always str | None. Setting properties will convert the value to a string. Setting a property to False is equivalent to setting it to None. Getting typed properties will return None if conversion raises ValueError, rather than the string. :issue:2980
  * max_age is None if present without a value, rather than -1. :issue:2980
  * no_cache is a boolean for requests, it is True instead of "*" when present. It remains a string for responses. :issue:2980
  * max_stale is True if present without a value, rather than "*". :issue:2980
  * no_transform is a boolean. Previously it was mistakenly always None. :issue:2881
  * min_fresh is None if present without a value, rather than "*". :issue:2881
  * private is True if present without a value, rather than "*". :issue:2980
  * Added the must_understand property. :issue:2881
John Paul Adrian Glaubitz 2024-11-05 13:35:57 +00:00
dd7cc91f0b
Accepting request 1218824 from devel:languages:python
Ana Guerrero 2024-10-29 13:32:17 +00:00
827b79af2e
Accepting request 1218824 from devel:languages:python
Ana Guerrero 2024-10-29 13:32:17 +00:00
3006d0bf1a
- Update to 3.0.6 (bsc#1232449, CVE-2024-49767):
  * Fix how max_form_memory_size is applied when parsing large non-file fields. GHSA-q34m-jh98-gwm2
  * safe_join catches certain paths on Windows that were not caught by ntpath.isabs on Python < 3.11. GHSA-f9vj-2wh5-fj8j
- 3.0.5:
  * The Watchdog reloader ignores file closed no write events. #2945
  * Logging works with client addresses containing an IPv6 scope. #2952
  * Ignore invalid authorization parameters. #2955
  * Improve type annotation for SharedDataMiddleware. #2958
  * Compatibility with Python 3.13 when generating debugger pin and the current UID does not have an associated name. #2957
Daniel Garcia 2024-10-28 13:13:37 +00:00
24ee10cb8b
- Update to 3.0.6 (bsc#1232449, CVE-2024-49767):
  * Fix how max_form_memory_size is applied when parsing large non-file fields. GHSA-q34m-jh98-gwm2
  * safe_join catches certain paths on Windows that were not caught by ntpath.isabs on Python < 3.11. GHSA-f9vj-2wh5-fj8j
- 3.0.5:
  * The Watchdog reloader ignores file closed no write events. #2945
  * Logging works with client addresses containing an IPv6 scope. #2952
  * Ignore invalid authorization parameters. #2955
  * Improve type annotation for SharedDataMiddleware. #2958
  * Compatibility with Python 3.13 when generating debugger pin and the current UID does not have an associated name. #2957
Daniel Garcia 2024-10-28 13:13:37 +00:00
9cefb5e9be
- Update to 3.0.4
  * Restore behavior where parsing multipart/x-www-form-urlencoded data with invalid UTF-8 bytes in the body results in no form data parsed rather than a 413 error. :issue:2930
  * Improve parse_options_header performance when parsing unterminated quoted string values. :issue:2904
  * Debugger pin auth is synchronized across threads/processes when tracking failed entries. :issue:2916
  * Dev server handles unexpected SSLEOFError due to issue in Python < 3.13. :issue:2926
  * Debugger pin auth works when the URL already contains a query string. :issue:2918
Nico Krapp 2024-08-27 09:30:24 +00:00
6550e9b497
Accepting request 1196085 from home:glaubitz:branches:devel:languages:python
Nico Krapp 2024-08-27 09:30:24 +00:00
ceb3b09b1f
Accepting request 1172322 from devel:languages:python
Ana Guerrero 2024-06-12 13:37:22 +00:00
ed084ba1c8
Accepting request 1172322 from devel:languages:python
Ana Guerrero 2024-06-12 13:37:22 +00:00
4f7a26705c
- Update to 3.0.3:
  * Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. :ghsa:2g68-c3qc-8985 (CVE-2024-34069, bsc#1223979)
  * Make reloader more robust when "" is in sys.path. :pr:2823
  * Better TLS cert format with adhoc dev certs. :pr:2891
  * Inform Python < 3.12 how to handle itms-services URIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. :issue:2828
  * Type annotation for Rule.endpoint and other uses of endpoint is Any. :issue:2836
- Update to 3.0.2:
  * Ensure setting merge_slashes to False results in NotFound for repeated-slash requests against single slash routes. :issue:2834
  * Fix handling of TypeError in TypeConversionDict.get() to match ValueError. :issue:2843
  * Fix response_wrapper type check in test client. :issue:2831
  * Make the return type of MultiPartParser.parse more precise. :issue:2840
  * Raise an error if converter arguments cannot be parsed. :issue:2822
Daniel Garcia 2024-05-07 06:16:42 +00:00
49a67d77bc
- Update to 3.0.3:
  * Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. :ghsa:2g68-c3qc-8985 (CVE-2024-34069, bsc#1223979)
  * Make reloader more robust when "" is in sys.path. :pr:2823
  * Better TLS cert format with adhoc dev certs. :pr:2891
  * Inform Python < 3.12 how to handle itms-services URIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. :issue:2828
  * Type annotation for Rule.endpoint and other uses of endpoint is Any. :issue:2836
- Update to 3.0.2:
  * Ensure setting merge_slashes to False results in NotFound for repeated-slash requests against single slash routes. :issue:2834
  * Fix handling of TypeError in TypeConversionDict.get() to match ValueError. :issue:2843
  * Fix response_wrapper type check in test client. :issue:2831
  * Make the return type of MultiPartParser.parse more precise. :issue:2840
  * Raise an error if converter arguments cannot be parsed. :issue:2822
Daniel Garcia 2024-05-07 06:16:42 +00:00
b3cf74ebee
Accepting request 1120656 from devel:languages:python
Ana Guerrero 2023-10-29 18:39:26 +00:00
3b2d51265b
Accepting request 1120656 from devel:languages:python
Ana Guerrero 2023-10-29 18:39:26 +00:00
1b4d2b0ee2
- Update to 3.0.1:
  * Fix slow multipart parsing for large parts potentially enabling DoS attacks. (CVE-2023-46136, bsc#1216581)
  * Remove previously deprecated code.
  * Deprecate the __version__ attribute. Use feature detection, or importlib.metadata.version("werkzeug"), instead.
  * generate_password_hash uses scrypt by default.
  * Add the "werkzeug.profiler" item to the WSGI environ dictionary passed to ProfilerMiddleware's filename_format function. It contains the elapsed and time values for the profiled request.
  * Explicitly marked the PathConverter as non path isolating.
Steve Kowalik 2023-10-27 03:09:03 +00:00
d1a47dc94c
- Update to 3.0.1:
  * Fix slow multipart parsing for large parts potentially enabling DoS attacks. (CVE-2023-46136, bsc#1216581)
  * Remove previously deprecated code.
  * Deprecate the __version__ attribute. Use feature detection, or importlib.metadata.version("werkzeug"), instead.
  * generate_password_hash uses scrypt by default.
  * Add the "werkzeug.profiler" item to the WSGI environ dictionary passed to ProfilerMiddleware's filename_format function. It contains the elapsed and time values for the profiled request.
  * Explicitly marked the PathConverter as non path isolating.
Steve Kowalik 2023-10-27 03:09:03 +00:00
bf5612a4d6
Accepting request 1113325 from devel:languages:python
Ana Guerrero 2023-09-26 20:00:43 +00:00
ba33e587ca
Accepting request 1113325 from devel:languages:python
Ana Guerrero 2023-09-26 20:00:43 +00:00
0a891ec61f
- Update to 2.3.7:
  * Use flit_core instead of setuptools as build backend.
  * Fix parsing of multipart bodies. Adjust index of last newline in data start.
  * _plain_int and _plain_float strip whitespace before type enforcement.
  * Fix empty file streaming when testing.
  * Clearer error message when URL rule does not start with slash.
  * Accept q value can be a float without a decimal part.
- Drop capitalisation again.
Steve Kowalik 2023-09-25 02:08:05 +00:00
63eb9d134d
- Update to 2.3.7:
  * Use flit_core instead of setuptools as build backend.
  * Fix parsing of multipart bodies. Adjust index of last newline in data start.
  * _plain_int and _plain_float strip whitespace before type enforcement.
  * Fix empty file streaming when testing.
  * Clearer error message when URL rule does not start with slash.
  * Accept q value can be a float without a decimal part.
- Drop capitalisation again.
Steve Kowalik 2023-09-25 02:08:05 +00:00
aeeb06e172
Accepting request 1110948 from devel:languages:python
Ana Guerrero 2023-09-14 14:24:53 +00:00
d84c966fa5
Accepting request 1110948 from devel:languages:python
Ana Guerrero 2023-09-14 14:24:53 +00:00
e903201b06
- update to 2.2.3 (bsc#1208283, CVE-2023-25577):
  * Ensure that URL rules using path converters will redirect with strict slashes when the trailing slash is missing.
  * Type signature for get_json specifies that return type is not optional when silent=False.
  * parse_content_range_header returns None for a value like bytes */-1 where the length is invalid, instead of raising an AssertionError.
  * Address remaining ResourceWarning related to the socket used by run_simple.
  * Remove prepare_socket, which now happens when creating the server.
  * Update pre-existing headers for multipart/form-data requests with the test client.
  * Fix handling of header extended parameters such that they are no longer quoted.
  * LimitedStream.read works correctly when wrapping a stream that may not return the requested size in one read call.
  * A cookie header that starts with = is treated as an empty key and discarded, rather than stripping the leading ==.
  * Specify a maximum number of multipart parts, default 1000, after which a RequestEntityTooLarge exception is raised on parsing. This mitigates a DoS attack where a larger number of form/file parts would result in disproportionate resource use.
Dirk Mueller 2023-03-13 18:51:34 +00:00
3c12c1e502
- update to 2.2.3 (bsc#1208283, CVE-2023-25577):
  * Ensure that URL rules using path converters will redirect with strict slashes when the trailing slash is missing.
  * Type signature for get_json specifies that return type is not optional when silent=False.
  * parse_content_range_header returns None for a value like bytes */-1 where the length is invalid, instead of raising an AssertionError.
  * Address remaining ResourceWarning related to the socket used by run_simple.
  * Remove prepare_socket, which now happens when creating the server.
  * Update pre-existing headers for multipart/form-data requests with the test client.
  * Fix handling of header extended parameters such that they are no longer quoted.
  * LimitedStream.read works correctly when wrapping a stream that may not return the requested size in one read call.
  * A cookie header that starts with = is treated as an empty key and discarded, rather than stripping the leading ==.
  * Specify a maximum number of multipart parts, default 1000, after which a RequestEntityTooLarge exception is raised on parsing. This mitigates a DoS attack where a larger number of form/file parts would result in disproportionate resource use.
Dirk Mueller 2023-03-13 18:51:34 +00:00
46ff097459
- update to 2.1.2:
  * The development server does not set Transfer-Encoding: chunked for 1xx, 204, 304, and HEAD responses. :issue:2375
  * Response HTML for exceptions and redirects starts with <!doctype html> and <html lang=en>. :issue:2390
  * Fix ability to set some cache_control attributes to False. :issue:2379
  * Disable keep-alive connections in the development server, which are not supported sufficiently by Python's http.server. :issue:2397
- drop 2402-dev_server.patch (upstream)
Dirk Mueller 2022-05-11 10:41:49 +00:00
fc31d8ef54
- update to 2.1.2:
  * The development server does not set Transfer-Encoding: chunked for 1xx, 204, 304, and HEAD responses. :issue:2375
  * Response HTML for exceptions and redirects starts with <!doctype html> and <html lang=en>. :issue:2390
  * Fix ability to set some cache_control attributes to False. :issue:2379
  * Disable keep-alive connections in the development server, which are not supported sufficiently by Python's http.server. :issue:2397
- drop 2402-dev_server.patch (upstream)
Dirk Mueller 2022-05-11 10:41:49 +00:00
080d8db090
- Replace no-network-testing.patch with the upstream solution 2402-dev_server.patch from gh#pallets/werkzeug#2402.
- Add moved_root.patch to make test test_exclude_patterns with different PYTHONPATH.
Matej Cepl 2022-04-28 21:40:28 +00:00
57c33b205c
- Replace no-network-testing.patch with the upstream solution 2402-dev_server.patch from gh#pallets/werkzeug#2402.
- Add moved_root.patch to make test test_exclude_patterns with different PYTHONPATH.
Matej Cepl 2022-04-28 21:40:28 +00:00
79ecfff8c7
- update to 2.0.3:
  * ProxyFix supports IPv6 addresses.
  * Type annotation for Response.make_conditional, HTTPException.get_response, and Map.bind_to_environ accepts Request in addition to WSGIEnvironment for the first parameter.
  * Fix type annotation for Request.user_agent_class.
  * Accessing LocalProxy.__class__ and __doc__ on an unbound proxy returns the fallback value instead of a method object.
  * Redirects with the test client set RAW_URI and REQUEST_URI correctly.
Dirk Mueller 2022-02-15 08:41:35 +00:00
e232954c95
- update to 2.0.3:
  * ProxyFix supports IPv6 addresses.
  * Type annotation for Response.make_conditional, HTTPException.get_response, and Map.bind_to_environ accepts Request in addition to WSGIEnvironment for the first parameter.
  * Fix type annotation for Request.user_agent_class.
  * Accessing LocalProxy.__class__ and __doc__ on an unbound proxy returns the fallback value instead of a method object.
  * Redirects with the test client set RAW_URI and REQUEST_URI correctly.
Dirk Mueller 2022-02-15 08:41:35 +00:00
e131e2a9d4
- update to 2.0.2:
  * Handle multiple tokens in Connection header when routing WebSocket requests.
  * Set the debugger pin cookie secure flag when on https.
  * Fix type annotation for MultiDict.update to accept iterable values :pr:2142
  * Prevent double encoding of redirect URL when merge_slash=True for Rule.match.
  * CombinedMultiDict.to_dict with flat=False considers all component dicts when building value lists. :issue:2189
  * send_file only sets a detected Content-Encoding if as_attachment is disabled to avoid browsers saving decompressed .tar.gz files.
  * Fix type annotations for TypeConversionDict.get to not return an Optional value if both default and type are not None.
  * Fix type annotation for routing rule factories to accept Iterable[RuleFactory] instead of Iterable[Rule] for the rules parameter. :issue:2183
  * Add missing type annotation for FileStorage.__getattr__
  * The debugger pin cookie is set with SameSite set to Strict instead of None to be compatible with modern browser security.
  * Type annotations use IO[bytes] and IO[str] instead of BinaryIO and TextIO for wider type compatibility.
  * Ad-hoc TLS certs are generated with SAN matching CN. :issue:2158
  * Fix memory usage for locals when using Python 3.6 or pre 0.4.17 greenlet versions. :pr:2212
  * Fix type annotation in CallbackDict, because it is not utilizing a bound TypeVar. :issue:2235
  * Fix setting CSP header options on the response. :pr:2237
Dirk Mueller 2021-10-16 21:22:24 +00:00
06f100ab64
- update to 2.0.2:
  * Handle multiple tokens in Connection header when routing WebSocket requests.
  * Set the debugger pin cookie secure flag when on https.
  * Fix type annotation for MultiDict.update to accept iterable values :pr:2142
  * Prevent double encoding of redirect URL when merge_slash=True for Rule.match.
  * CombinedMultiDict.to_dict with flat=False considers all component dicts when building value lists. :issue:2189
  * send_file only sets a detected Content-Encoding if as_attachment is disabled to avoid browsers saving decompressed .tar.gz files.
  * Fix type annotations for TypeConversionDict.get to not return an Optional value if both default and type are not None.
  * Fix type annotation for routing rule factories to accept Iterable[RuleFactory] instead of Iterable[Rule] for the rules parameter. :issue:2183
  * Add missing type annotation for FileStorage.__getattr__
  * The debugger pin cookie is set with SameSite set to Strict instead of None to be compatible with modern browser security.
  * Type annotations use IO[bytes] and IO[str] instead of BinaryIO and TextIO for wider type compatibility.
  * Ad-hoc TLS certs are generated with SAN matching CN. :issue:2158
  * Fix memory usage for locals when using Python 3.6 or pre 0.4.17 greenlet versions. :pr:2212
  * Fix type annotation in CallbackDict, because it is not utilizing a bound TypeVar. :issue:2235
  * Fix setting CSP header options on the response. :pr:2237
Dirk Mueller 2021-10-16 21:22:24 +00:00