Revisions of python-Werkzeug
buildservice-autocommit
accepted
request 1218824
from
Daniel Garcia (dgarcia)
(revision 97)
baserev update by copy to link target
Daniel Garcia (dgarcia)
committed
(revision 96)
- Update to 3.0.6 (bsc#1232449, CVE-2024-49767):
  * Fix how max_form_memory_size is applied when parsing large non-file fields. GHSA-q34m-jh98-gwm2
  * safe_join catches certain paths on Windows that were not caught by ntpath.isabs on Python < 3.11. GHSA-f9vj-2wh5-fj8j
- 3.0.5:
  * The Watchdog reloader ignores file closed no write events. #2945
  * Logging works with client addresses containing an IPv6 scope. #2952
  * Ignore invalid authorization parameters. #2955
  * Improve type annotation for SharedDataMiddleware. #2958
  * Compatibility with Python 3.13 when generating debugger pin and the current UID does not have an associated name. #2957
buildservice-autocommit
accepted
request 1196238
from
Nico Krapp (nkrapp)
(revision 95)
baserev update by copy to link target
Nico Krapp (nkrapp)
accepted
request 1196085
from
John Paul Adrian Glaubitz (glaubitz)
(revision 94)
- Update to 3.0.4
  * Restore behavior where parsing `multipart/x-www-form-urlencoded` data with invalid UTF-8 bytes in the body results in no form data parsed rather than a 413 error. :issue:`2930`
  * Improve ``parse_options_header`` performance when parsing unterminated quoted string values. :issue:`2904`
  * Debugger pin auth is synchronized across threads/processes when tracking failed entries. :issue:`2916`
  * Dev server handles unexpected `SSLEOFError` due to issue in Python < 3.13. :issue:`2926`
  * Debugger pin auth works when the URL already contains a query string. :issue:`2918`
buildservice-autocommit
accepted
request 1172322
from
Daniel Garcia (dgarcia)
(revision 93)
baserev update by copy to link target
Daniel Garcia (dgarcia)
committed
(revision 92)
- Update to 3.0.3:
  * Only allow ``localhost``, ``.localhost``, ``127.0.0.1``, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. :ghsa:`2g68-c3qc-8985` (CVE-2024-34069, bsc#1223979)
  * Make reloader more robust when ``""`` is in ``sys.path``. :pr:`2823`
  * Better TLS cert format with ``adhoc`` dev certs. :pr:`2891`
  * Inform Python < 3.12 how to handle ``itms-services`` URIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. :issue:`2828`
  * Type annotation for ``Rule.endpoint`` and other uses of ``endpoint`` is ``Any``. :issue:`2836`
- Update to 3.0.2:
  * Ensure setting ``merge_slashes`` to ``False`` results in ``NotFound`` for repeated-slash requests against single slash routes. :issue:`2834`
  * Fix handling of ``TypeError`` in ``TypeConversionDict.get()`` to match ``ValueError``. :issue:`2843`
  * Fix ``response_wrapper`` type check in test client. :issue:`2831`
  * Make the return type of ``MultiPartParser.parse`` more precise. :issue:`2840`
  * Raise an error if converter arguments cannot be parsed. :issue:`2822`
buildservice-autocommit
accepted
request 1120656
from
Steve Kowalik (StevenK)
(revision 91)
baserev update by copy to link target
Steve Kowalik (StevenK)
committed
(revision 90)
- Update to 3.0.1:
  * Fix slow multipart parsing for large parts potentially enabling DoS attacks. (CVE-2023-46136, bsc#1216581)
  * Remove previously deprecated code.
  * Deprecate the ``__version__`` attribute. Use feature detection, or ``importlib.metadata.version("werkzeug")``, instead.
  * ``generate_password_hash`` uses scrypt by default.
  * Add the ``"werkzeug.profiler"`` item to the WSGI ``environ`` dictionary passed to `ProfilerMiddleware`'s `filename_format` function. It contains the ``elapsed`` and ``time`` values for the profiled request.
  * Explicitly marked the PathConverter as non path isolating.
buildservice-autocommit
accepted
request 1113325
from
Steve Kowalik (StevenK)
(revision 89)
baserev update by copy to link target
Steve Kowalik (StevenK)
committed
(revision 88)
- Update to 2.3.7:
  * Use ``flit_core`` instead of ``setuptools`` as build backend.
  * Fix parsing of multipart bodies. Adjust index of last newline in data start.
  * ``_plain_int`` and ``_plain_float`` strip whitespace before type enforcement.
  * Fix empty file streaming when testing.
  * Clearer error message when URL rule does not start with slash.
  * ``Accept`` ``q`` value can be a float without a decimal part.
- Drop capitalisation again.
buildservice-autocommit
accepted
request 1110948
from
Factory Maintainer (factory-maintainer)
(revision 87)
baserev update by copy to link target
Dirk Mueller (dirkmueller)
committed
(revision 86)
* drops 0001-limit-the-maximum-number-of-multipart-form-parts.patch in older dists
buildservice-autocommit
accepted
request 1093788
from
Matej Cepl (mcepl)
(revision 85)
baserev update by copy to link target
Matej Cepl (mcepl)
committed
(revision 84)
Update changelog
Matej Cepl (mcepl)
committed
(revision 83)
Remove unnecessary setup.py
Matej Cepl (mcepl)
committed
(revision 82)
WIP
Matej Cepl (mcepl)
accepted
request 1093739
from
Antonio Larrosa (alarrosa)
(revision 81)
- Update to 2.3.6:
  * FileStorage.content_length does not fail if the form data did not provide a value.
- Update to 2.3.5:
  * Python 3.12 compatibility.
  * Fix handling of invalid base64 values in Authorization.from_header.
  * The debugger escapes the exception message in the page title.
  * When binding routing.Map, a long IDNA server_name with a port does not fail encoding.
  * iri_to_uri shows a deprecation warning instead of an error when passing bytes.
  * When parsing numbers in HTTP request headers such as Content-Length, only ASCII digits are accepted rather than any format that Python’s int and float accept.
- Update to 2.3.4:
  * Authorization.from_header and WWWAuthenticate.from_header detect tokens that end with base64 padding (=).
  * Remove usage of warnings.catch_warnings.
  * Remove max_form_parts restriction from standard form data parsing and only use it for multipart content.
  * Response will avoid converting the Location header in some cases to preserve invalid URL schemes like itms-services.
- Update to 2.3.3:
  * Fix parsing of large multipart bodies. Remove invalid leading newline, and restore parsing speed.
  * The cookie Path attribute is set to / by default again, to prevent clients from falling back to RFC 6265’s default-path behavior.
- Update to 2.3.2:
  * Parse the cookie Expires attribute correctly in the test client.
  * max_content_length can only be enforced on streaming requests if the
buildservice-autocommit
accepted
request 1082016
from
Dirk Mueller (dirkmueller)
(revision 80)
baserev update by copy to link target
Dirk Mueller (dirkmueller)
accepted
request 1081318
from
Dirk Mueller (dirkmueller)
(revision 79)
SR for python stack proposal
buildservice-autocommit
accepted
request 1071237
from
Dirk Mueller (dirkmueller)
(revision 78)
baserev update by copy to link target
Displaying revisions 1 - 20 of 97