python/python-mohawk
SHA256
14
0
Fork 0
forked from pool/python-mohawk
Code Pull Requests Activity

- Update to version 1.0.0:

Browse Source 
* Security related: Bewit MACs were not compared in constant time
    and were thus possibly circumventable by an attacker.
  * Breaking change: Escape characters in header values (such as a
    back slash) are no longer allowed, potentially breaking clients
    that depended on this behavior.
  * A sender is allowed to omit the content hash as long as their
    request has no content. The `mohawk.Receiver` will skip the
    content hash check in this situation, regardless of the value
    of accept_untrusted_content.
  * Introduced max limit of 4096 characters in the Authorization
    header.
  * Changed default values of content and content_type arguments to
    `mohawk.base.EmptyValue` in order to differentiate between
    misconfiguration and cases where these arguments are explicitly
    given as None (as with some web frameworks).
  * Failing to pass content and content_type arguments to
    `mohawk.Receiver` or `mohawk.Sender.accept_response` without
    specifying accept_untrusted_content=True will now raise
    `mohawk.exc.MissingContent` instead of `ValueError`.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-mohawk?expand=0&rev=5
This commit is contained in:
Antoine Belvire
2019-01-11 06:56:08 +00:00
committed by Git OBS Bridge
parent 9bceef0851
commit be79f764f9
4 changed files with 29 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
python-mohawk.changes
View File

@@ -1,3 +1,27 @@
-------------------------------------------------------------------
Fri Jan 11 06:41:11 UTC 2019 - antoine.belvire@opensuse.org
- Update to version 1.0.0:
* Security related: Bewit MACs were not compared in constant time
and were thus possibly circumventable by an attacker.
* Breaking change: Escape characters in header values (such as a
back slash) are no longer allowed, potentially breaking clients
that depended on this behavior.
* A sender is allowed to omit the content hash as long as their
request has no content. The `mohawk.Receiver` will skip the
content hash check in this situation, regardless of the value
of accept_untrusted_content.
* Introduced max limit of 4096 characters in the Authorization
header.
* Changed default values of content and content_type arguments to
`mohawk.base.EmptyValue` in order to differentiate between
misconfiguration and cases where these arguments are explicitly
given as None (as with some web frameworks).
* Failing to pass content and content_type arguments to
`mohawk.Receiver` or `mohawk.Sender.accept_response` without
specifying accept_untrusted_content=True will now raise
`mohawk.exc.MissingContent` instead of `ValueError`.
-------------------------------------------------------------------
Tue Dec 4 12:50:27 UTC 2018 - Matej Cepl <mcepl@suse.com>