dd12c1edc9Accepting request 1223597 from devel:languages:python
factory
Ana Guerrero
2024-11-12 18:19:57 +0000
5addf4ec6f- Update to 3.1.3 * Initial data passed to `MultiDict and similar interfaces only accepts list, tuple, or set when passing multiple values. It had been changed to accept any Collection, but this matched types that should be treated as single values, such as bytes. :issue:2994 * When the Host header is not set and Request.host falls back to the WSGI SERVER_NAME value, if that value is an IPv6 address it is wrapped in [] to match the Host header. :issue:2993 - from version 3.1.2 * Improve type annotation for TypeConversionDict.get to allow the type parameter to be a callable. :issue:2988 * Headers does not inherit from MutableMapping, as it is does not exactly match that interface. :issue:2989`
devel
Dirk Mueller2024-11-12 09:37:54 +0000
a439a0533fAccepting request 1221443 from devel:languages:python
Ana Guerrero
2024-11-06 15:49:44 +0000
747921aa90- Update to 3.1.1 * Fix an issue that caused `str(Request.headers) to always appear empty. :issue:2985 - from version 3.1.0 * Drop support for Python 3.8. :pr:2966 * Remove previously deprecated code. :pr:2967 * Request.max_form_memory_size defaults to 500kB instead of unlimited. Non-file form fields over this size will cause a RequestEntityTooLarge error. :issue:2964 * OrderedMultiDict and ImmutableOrderedMultiDict are deprecated. Use MultiDict and ImmutableMultiDict instead. :issue:2968 * Behavior of properties on request.cache_control and response.cache_control has been significantly adjusted. * Dict values are always str | None. Setting properties will convert the value to a string. Setting a property to False is equivalent to setting it to None. Getting typed properties will return None if conversion raises ValueError, rather than the string. :issue:2980 * max_age is None if present without a value, rather than -1. :issue:2980 * no_cache is a boolean for requests, it is True instead of "*" when present. It remains a string for responses. :issue:2980 * max_stale is True if present without a value, rather than "*". :issue:2980 * no_transform is a boolean. Previously it was mistakenly always None. :issue:2881 * min_fresh is None if present without a value, rather than "*". :issue:2881 * private is True if present without a value, rather than "*". :issue:2980 * Added the must_understand property. :issue:2881`John Paul Adrian Glaubitz2024-11-05 13:35:57 +0000
dd7cc91f0bAccepting request 1218824 from devel:languages:python
Ana Guerrero
2024-10-29 13:32:17 +0000
3006d0bf1a- Update to 3.0.6 (bsc#1232449, CVE-2024-49767): * Fix how max_form_memory_size is applied when parsing large non-file fields. GHSA-q34m-jh98-gwm2 * safe_join catches certain paths on Windows that were not caught by ntpath.isabs on Python < 3.11. GHSA-f9vj-2wh5-fj8j - 3.0.5: * The Watchdog reloader ignores file closed no write events. #2945 * Logging works with client addresses containing an IPv6 scope. #2952 * Ignore invalid authorization parameters. #2955 * Improve type annotation fore SharedDataMiddleware. #2958 * Compatibility with Python 3.13 when generating debugger pin and the current UID does not have an associated name. #2957Daniel Garcia2024-10-28 13:13:37 +0000
35f003f3cdAccepting request 1196238 from devel:languages:python
Dominique Leuenberger
2024-08-29 13:42:42 +0000
9cefb5e9be- Update to 3.0.4 * Restore behavior where parsing multipart/x-www-form-urlencoded data with invalid UTF-8 bytes in the body results in no form data parsed rather than a 413 error. :issue:2930 * Improve `parse_options_header performance when parsing unterminated quoted string values. :issue:2904 * Debugger pin auth is synchronized across threads/processes when tracking failed entries. :issue:2916 * Dev server handles unexpected SSLEOFError due to issue in Python < 3.13. :issue:2926 * Debugger pin auth works when the URL already contains a query string. :issue:2918`Nico Krapp2024-08-27 09:30:24 +0000
ceb3b09b1fAccepting request 1172322 from devel:languages:python
Ana Guerrero
2024-06-12 13:37:22 +0000
4f7a26705c- Update to 3.0.3: * Only allow `localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. :ghsa:2g68-c3qc-8985 (CVE-2024-34069, bsc#1223979) * Make reloader more robust when "" is in sys.path. :pr:2823 * Better TLS cert format with adhoc dev certs. :pr:2891 * Inform Python < 3.12 how to handle itms-services URIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. :issue:2828 * Type annotation for Rule.endpoint and other uses of endpoint is Any. :issue:2836 - Update to 3.0.2: * Ensure setting merge_slashes to False results in NotFound for repeated-slash requests against single slash routes. :issue:2834 * Fix handling of TypeError in TypeConversionDict.get() to match ValueError. :issue:2843 * Fix response_wrapper type check in test client. :issue:2831 * Make the return type of MultiPartParser.parse more precise. :issue:2840 * Raise an error if converter arguments cannot be parsed. :issue:2822`Daniel Garcia2024-05-07 06:16:42 +0000
b3cf74ebeeAccepting request 1120656 from devel:languages:python
Ana Guerrero
2023-10-29 18:39:26 +0000
1b4d2b0ee2- Update to 3.0.1: * Fix slow multipart parsing for large parts potentially enabling DoS attacks. (CVE-2023-46136, bsc#1216581) * Remove previously deprecated code. * Deprecate the `__version__ attribute. Use feature detection, or importlib.metadata.version("werkzeug"), instead. * generate_password_hash uses scrypt by default. * Add the "werkzeug.profiler" item to the WSGI environ dictionary passed to ProfilerMiddleware's filename_format function. It contains the elapsed and time` values for the profiled request. * Explicitly marked the PathConverter as non path isolating.
Steve Kowalik
2023-10-27 03:09:03 +0000
bf5612a4d6Accepting request 1113325 from devel:languages:python
Ana Guerrero
2023-09-26 20:00:43 +0000
0a891ec61f- Update to 2.3.7: * Use `flit_core instead of setuptools as build backend. * Fix parsing of multipart bodies. Adjust index of last newline in data start. * _plain_int and _plain_float strip whitespace before type enforcement. * Fix empty file streaming when testing. * Clearer error message when URL rule does not start with slash. * Acceptq` value can be a float without a decimal part. - Drop captialisation again.
Steve Kowalik
2023-09-25 02:08:05 +0000
aeeb06e172Accepting request 1110948 from devel:languages:python
Ana Guerrero
2023-09-14 14:24:53 +0000
8dcaa71674* drops 0001-limit-the-maximum-number-of-multipart-form-parts.patch in older distsDirk Mueller2023-09-06 19:41:38 +0000
c629e985d0Accepting request 1093788 from devel:languages:python
Dominique Leuenberger
2023-06-22 21:24:46 +0000
e903201b06- update to 2.2.3 (bsc#1208283, CVE-2023-25577): * Ensure that URL rules using path converters will redirect with strict slashes when the trailing slash is missing. * Type signature for `get_json specifies that return type is not optional when silent=False. * parse_content_range_header returns None for a value like bytes */-1 where the length is invalid, instead of raising an AssertionError. * Address remaining ResourceWarning related to the socket used by run_simple. * Remove prepare_socket, which now happens when creating the server. * Update pre-existing headers for multipart/form-data requests with the test client. * Fix handling of header extended parameters such that they are no longer quoted. * LimitedStream.read works correctly when wrapping a stream that may not return the requested size in one read call. * A cookie header that starts with = is treated as an empty key and discarded, rather than stripping the leading ==. * Specify a maximum number of multipart parts, default 1000, after which a RequestEntityTooLarge` exception is raised on parsing. This mitigates a DoS attack where a larger number of form/file parts would result in disproportionate resource use.Dirk Mueller2023-03-13 18:51:34 +0000
c131673f3aAccepting request 1003681 from devel:languages:python
Dominique Leuenberger
2022-09-17 18:08:21 +0000
d14dd3aac2Accepting request 1003613 from home:bnavigator:branches:devel:languages:pythonMatej Cepl2022-09-15 05:44:44 +0000
cffcaef68aAccepting request 1003019 from home:yarunachalam:branches:devel:languages:pythonMarkéta Machová2022-09-13 07:06:16 +0000
a4fc99c752Accepting request 991941 from devel:languages:python
Dominique Leuenberger
2022-08-02 20:08:37 +0000
e99e95e4a8Accepting request 991886 from home:Simmphonie:branches:devel:languages:pythonMatej Cepl2022-08-01 06:45:33 +0000
698518b8adAccepting request 976285 from devel:languages:python
Dominique Leuenberger
2022-05-12 20:58:14 +0000
46ff097459- update to 2.1.2: * The development server does not set `Transfer-Encoding: chunked for 1xx, 204, 304, and HEAD responses. :issue:2375 * Response HTML for exceptions and redirects starts with <!doctype html> and <html lang=en>. :issue:2390 * Fix ability to set some cache_control attributes to False. :issue:2379 * Disable keep-alive connections in the development server, which are not supported sufficiently by Python's http.server. :issue:2397` - drop 2402-dev_server.patch (upstream)Dirk Mueller2022-05-11 10:41:49 +0000
39911b3324Accepting request 975271 from devel:languages:python
Dominique Leuenberger
2022-05-08 19:52:23 +0000
080d8db090- Replace no-network-testing.patch with the upstream solution 2402-dev_server.patch from gh#pallets/werkzeug#2402. - Add moved_root.patch to make test test_exclude_patterns with different PYTHONPATH.Matej Cepl2022-04-28 21:40:28 +0000
7a5f3e30caAccepting request 970992 from devel:languages:python
Dominique Leuenberger
2022-04-23 17:45:21 +0000
3111f3adceAccepting request 970987 from home:mcepl:branches:devel:languages:python:flaskMatej Cepl2022-04-20 07:33:16 +0000
051c48b747Accepting request 954652 from devel:languages:python
Dominique Leuenberger
2022-02-16 23:29:56 +0000
79ecfff8c7- update to 2.0.3: * `ProxyFix supports IPv6 addresses. * Type annotation for Response.make_conditional, HTTPException.get_response, and Map.bind_to_environ accepts Request in addition to WSGIEnvironment for the first parameter. * Fix type annotation for Request.user_agent_class. * Accessing LocalProxy.__class__ and __doc__ on an unbound proxy returns the fallback value instead of a method object. * Redirects with the test client set RAW_URI and REQUEST_URI` correctly.Dirk Mueller2022-02-15 08:41:35 +0000
30a199e816Accepting request 925758 from devel:languages:python
Dominique Leuenberger
2021-10-20 18:23:33 +0000
e131e2a9d4- update to 2.0.2: * Handle multiple tokens in `Connection header when routing WebSocket requests. * Set the debugger pin cookie secure flag when on https. * Fix type annotation for MultiDict.update to accept iterable values :pr:2142 * Prevent double encoding of redirect URL when merge_slash=True for Rule.match. * CombinedMultiDict.to_dict with flat=False considers all component dicts when building value lists. :issue:2189 * send_file only sets a detected Content-Encoding if as_attachment is disabled to avoid browsers saving decompressed .tar.gz files. * Fix type annotations for TypeConversionDict.get to not return an Optional value if both default and type are not None. * Fix type annotation for routing rule factories to accept Iterable[RuleFactory] instead of Iterable[Rule] for the rules parameter. :issue:2183 * Add missing type annotation for FileStorage.__getattr__ * The debugger pin cookie is set with SameSite set to Strict instead of None to be compatible with modern browser security. * Type annotations use IO[bytes] and IO[str] instead of BinaryIO and TextIO for wider type compatibility. * Ad-hoc TLS certs are generated with SAN matching CN. :issue:2158 * Fix memory usage for locals when using Python 3.6 or pre 0.4.17 greenlet versions. :pr:2212 * Fix type annotation in CallbackDict, because it is not utilizing a bound TypeVar. :issue:2235 * Fix setting CSP header options on the response. :pr:2237`Dirk Mueller2021-10-16 21:22:24 +0000
e70eee8c58Accepting request 901104 from devel:languages:python
Dominique Leuenberger
2021-07-10 20:53:40 +0000
cf0ac16ef7Accepting request 901091 from home:stroeder:pythonMatej Cepl2021-06-21 08:03:49 +0000
a62e9cbf11Accepting request 862678 from devel:languages:python
Dominique Leuenberger
2021-01-14 14:04:50 +0000
407be53827Accepting request 862676 from home:mcalabkova:branches:devel:languages:pythonMarkéta Machová2021-01-12 16:56:38 +0000
10f82f7cddAccepting request 793341 from devel:languages:python
Dominique Leuenberger
2020-04-19 19:49:09 +0000
239a86e175Accepting request 793248 from home:apersaud:branches:devel:languages:python
Tomáš Chvátal
2020-04-12 07:33:22 +0000
a5b04f6c5c- Update to 1.0.0: * Drop support for Python 3.4. (#1478) * Remove code that issued deprecation warnings in version 0.15. (#1477) * Remove most top-level attributes provided by the werkzeug module in favor of direct imports. For example, instead of import werkzeug; werkzeug.url_quote, do from werkzeug.urls import url_quote. Install version 0.16 first to see deprecation warnings while upgrading. #2, #1640 * Added utils.invalidate_cached_property() to invalidate cached properties. (#1474) * Directive keys for the Set-Cookie response header are not ignored when parsing the Cookie request header. This allows cookies with names such as “expires” and “version”. (#1495) * Request cookies are parsed into a MultiDict to capture all values for cookies with the same key. cookies[key] returns the first value rather than the last. Use cookies.getlist(key) to get all values. parse_cookie also defaults to a MultiDict. #1562, #1458 * Add charset=utf-8 to an HTTP exception response’s CONTENT_TYPE header. (#1526) * The interactive debugger handles outer variables in nested scopes such as lambdas and comprehensions. #913, #1037, #1532 * The user agent for Opera 60 on Mac is correctly reported as “opera” instead of “chrome”. #1556 * The platform for Crosswalk on Android is correctly reported as “android” instead of “chromeos”. (#1572) * Issue a warning when the current server name does not match the configured server name. #760 * A configured server name with the default port for a scheme will match the current server name without the port if the current scheme matches. #1584 * InternalServerError has a original_exception attribute that frameworks can use to track the original cause of the error. #1590 * Headers are tested for equality independent of the header key case, such that X-Foo is the same as x-foo. #1605 * http.dump_cookie() accepts 'None' as a value for samesite. #1549 * set_cookie() accepts a samesite argument. #1705 * Support the Content Security Policy header through the Response.content_security_policy data structure. #1617 * LanguageAccept will fall back to matching “en” for “en-US” or “en-US” for “en” to better support clients or translations that only match at the primary language tag. #450, #1507 * MIMEAccept uses MIME parameters for specificity when matching. #458, #1574 * If the development server is started with an SSLContext configured to verify client certificates, the certificate in PEM format will be available as environ["SSL_CLIENT_CERT"]. #1469 * is_resource_modified will run for methods other than GET and HEAD, rather than always returning False. #409 * SharedDataMiddleware returns 404 rather than 500 when trying to access a directory instead of a file with the package loader. The dependency on setuptools and pkg_resources is removed. #1599 * Add a response.cache_control.immutable flag. Keep in mind that browser support for this Cache-Control header option is still experimental and may not be implemented. #1185 * Optional request log highlighting with the development server is handled by Click instead of termcolor. #1235 * Optional ad-hoc TLS support for the development server is handled by cryptography instead of pyOpenSSL. #1555 * FileStorage.save() supports pathlib and PEP 519 PathLike objects. #1653 * The debugger security pin is unique in containers managed by Podman. #1661 * Building a URL when host_matching is enabled takes into account the current host when there are duplicate endpoints with different hosts. #488 * The 429 TooManyRequests and 503 ServiceUnavailable HTTP exceptions takes a retry_after parameter to set the Retry-After header. #1657
Steve Kowalik
2020-03-12 06:49:48 +0000
2a4bcd3f25Accepting request 779352 from devel:languages:python
Dominique Leuenberger
2020-02-26 14:01:24 +0000
cf95e0c95aAccepting request 779351 from openSUSE:Factory
Steve Kowalik
2020-02-26 10:26:44 +0000
b376ea51b9Accepting request 777800 from devel:languages:python
Dominique Leuenberger
2020-02-25 15:02:26 +0000
9ec583347eDelete accidently missed patch
Steve Kowalik
2020-02-21 05:00:06 +0000
65deae5b3d- Update to 1.0.0: * Drop support for Python 3.4. (#1478) * Remove code that issued deprecation warnings in version 0.15. (#1477) * Remove most top-level attributes provided by the werkzeug module in favor of direct imports. For example, instead of import werkzeug; werkzeug.url_quote, do from werkzeug.urls import url_quote. Install version 0.16 first to see deprecation warnings while upgrading. #2, #1640 * Added utils.invalidate_cached_property() to invalidate cached properties. (#1474) * Directive keys for the Set-Cookie response header are not ignored when parsing the Cookie request header. This allows cookies with names such as “expires” and “version”. (#1495) * Request cookies are parsed into a MultiDict to capture all values for cookies with the same key. cookies[key] returns the first value rather than the last. Use cookies.getlist(key) to get all values. parse_cookie also defaults to a MultiDict. #1562, #1458 * Add charset=utf-8 to an HTTP exception response’s CONTENT_TYPE header. (#1526) * The interactive debugger handles outer variables in nested scopes such as lambdas and comprehensions. #913, #1037, #1532 * The user agent for Opera 60 on Mac is correctly reported as “opera” instead of “chrome”. #1556 * The platform for Crosswalk on Android is correctly reported as “android” instead of “chromeos”. (#1572) * Issue a warning when the current server name does not match the configured server name. #760 * A configured server name with the default port for a scheme will match the current server name without the port if the current scheme matches. #1584 * InternalServerError has a original_exception attribute that frameworks can use to track the original cause of the error. #1590 * Headers are tested for equality independent of the header key case, such that X-Foo is the same as x-foo. #1605 * http.dump_cookie() accepts 'None' as a value for samesite. #1549 * set_cookie() accepts a samesite argument. #1705 * Support the Content Security Policy header through the Response.content_security_policy data structure. #1617 * LanguageAccept will fall back to matching “en” for “en-US” or “en-US” for “en” to better support clients or translations that only match at the primary language tag. #450, #1507 * MIMEAccept uses MIME parameters for specificity when matching. #458, #1574 * If the development server is started with an SSLContext configured to verify client certificates, the certificate in PEM format will be available as environ["SSL_CLIENT_CERT"]. #1469 * is_resource_modified will run for methods other than GET and HEAD, rather than always returning False. #409 * SharedDataMiddleware returns 404 rather than 500 when trying to access a directory instead of a file with the package loader. The dependency on setuptools and pkg_resources is removed. #1599 * Add a response.cache_control.immutable flag. Keep in mind that browser support for this Cache-Control header option is still experimental and may not be implemented. #1185 * Optional request log highlighting with the development server is handled by Click instead of termcolor. #1235 * Optional ad-hoc TLS support for the development server is handled by cryptography instead of pyOpenSSL. #1555 * FileStorage.save() supports pathlib and PEP 519 PathLike objects. #1653 * The debugger security pin is unique in containers managed by Podman. #1661 * Building a URL when host_matching is enabled takes into account the current host when there are duplicate endpoints with different hosts. #488 * The 429 TooManyRequests and 503 ServiceUnavailable HTTP exceptions takes a retry_after parameter to set the Retry-After header. #1657
Steve Kowalik
2020-02-21 04:59:38 +0000
1b6e82af1cAccepting request 732906 from devel:languages:python
Dominique Leuenberger
2019-09-30 13:55:23 +0000
d119b4ffd5- Update to 0.16.0: * Deprecate most top-level attributes provided by the werkzeug module in favor of direct imports. The deprecated imports will be removed in version 1.0. - Rebase patch 0001_create_a_thread_to_reap_death_process.patch
Tomáš Chvátal
2019-09-24 10:19:25 +0000
df5815fce8Accepting request 730725 from devel:languages:python
Dominique Leuenberger
2019-09-23 10:16:53 +0000
dc8764cd01- Update to 0.15.6: * Work around a bug in pip that caused the reloader to fail on Windows when the script was an entry point. * ProxyFix trusts the X-Forwarded-Proto header by default. :issue:1630
Tomáš Chvátal
2019-09-13 13:08:14 +0000
a4f2f9e75aAccepting request 723279 from devel:languages:python
Dominique Leuenberger
2019-08-15 10:28:45 +0000
5f5401c047- update to 0.15.4 (bsc#1145383, CVE-2019-14806)
Thomas Bechtold
2019-08-14 11:17:03 +0000
e543272cddAccepting request 717006 from devel:languages:python
Dominique Leuenberger
2019-07-30 11:01:41 +0000
4710d8c3a0Accepting request 716928 from home:glaubitz:branches:devel:languages:python
Tomáš Chvátal
2019-07-19 10:08:00 +0000
5e46a1358d- Update to 0.15.5: * Fix a TypeError due to changes to ast.Module in Python 3.8. #1551 * Fix a C assertion failure in debug builds of some Python 2.7 releases. #1553
Tomáš Chvátal
2019-07-18 08:36:50 +0000
b037dfa7e1Accepting request 705643 from devel:languages:python
Dominique Leuenberger
2019-06-18 12:43:20 +0000
409027bc0fAccepting request 197224 from devel:languages:python
Stephan Kulow
2013-09-03 20:06:06 +0000
19fe0e4d94Accepting request 197223 from home:dirkmueller:branches:devel:languages:python
Sascha Peilicke
2013-09-03 08:17:59 +0000
ad0b4d95e5Accepting request 109044 from devel:languages:python
Stephan Kulow
2012-03-13 08:39:19 +0000
73d8a66426- Update to version 0.8.3: - Fixed another issue with :func:werkzeug.wsgi.make_line_iter where lines longer than the buffer size were not handled properly. - Restore stdout after debug console finished executing so that the debugger can be used on GAE better. - Fixed a bug with the redis cache for int subclasses (affects bool caching). - Fixed an XSS problem with redirect targets coming from untrusted sources. - Changes from version 0.8.2: - Fixed a problem with request handling of the builtin server not repsonding to socket errors properly. - The routing request redirect exception's code attribute is now used properly. - Fixed a bug with shutdowns on Windows. - Fixed a few unicode issues with non-ascii characters being hardcoded in URL rules. - Fixed two property docstrings being assigned to fdel instead of `__doc__`. - Fixed an issue where CRLF line endings could be split into two by the line iter function, causing problems with multipart file uploads.
Sascha Peilicke
2012-03-12 21:35:42 +0000
9064bdbc77Accepting request 90918 from devel:languages:python
Stephan Kulow
2011-11-14 12:38:23 +0000
Ana Guerrero
Dirk Mueller
John Paul Adrian Glaubitz
Daniel Garcia
Dominique Leuenberger
Nico Krapp
Steve Kowalik
Matej Cepl
Markéta Machová
Tomáš Chvátal
Thomas Bechtold
Ondřej Súkup
Todd R
Jan Matejek
Robert Schweikert
Stephan Kulow
Tomáš Chvátal
Sascha Peilicke