• Files Changed
• Browse Source

• Files Changed
• Browse Source

- Update to 3.0.6 (bsc#1232449, CVE-2024-49767):
  * Fix how max_form_memory_size is applied when parsing large
    non-file fields. GHSA-q34m-jh98-gwm2
  * safe_join catches certain paths on Windows that were not caught by
    ntpath.isabs on Python < 3.11. GHSA-f9vj-2wh5-fj8j
- 3.0.5:
  * The Watchdog reloader ignores file closed no write events. #2945
  * Logging works with client addresses containing an IPv6 scope.
    #2952
  * Ignore invalid authorization parameters. #2955
  * Improve type annotation fore SharedDataMiddleware. #2958
  * Compatibility with Python 3.13 when generating debugger pin and
    the current UID does not have an associated name. #2957

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- Update to 3.0.3:
  * Only allow ``localhost``, ``.localhost``, ``127.0.0.1``, or the
    specified hostname when running the dev server, to make debugger
    requests. Additional hosts can be added by using the debugger
    middleware directly. The debugger UI makes requests using the
    full URL rather than only the path.  :ghsa:`2g68-c3qc-8985`
    (CVE-2024-34069, bsc#1223979)
  * Make reloader more robust when ``""`` is in ``sys.path``.
    :pr:`2823`
  * Better TLS cert format with ``adhoc`` dev certs. :pr:`2891`
  * Inform Python < 3.12 how to handle ``itms-services`` URIs
    correctly, rather than using an overly-broad workaround in
    Werkzeug that caused some redirect URIs to be passed on without
    encoding. :issue:`2828`
  * Type annotation for ``Rule.endpoint`` and other uses of
    ``endpoint`` is ``Any``. :issue:`2836`
- Update to 3.0.2:
  * Ensure setting ``merge_slashes`` to ``False`` results in
    ``NotFound`` for repeated-slash requests against single slash
    routes. :issue:`2834`
  * Fix handling of ``TypeError`` in ``TypeConversionDict.get()`` to
    match ``ValueError``. :issue:`2843`
  * Fix ``response_wrapper`` type check in test client. :issue:`2831`
  * Make the return type of ``MultiPartParser.parse`` more precise.
    :issue:`2840`
  * Raise an error if converter arguments cannot be parsed.
    :issue:`2822`

• Files Changed
• Browse Source

- Update to 3.0.1:
  * Fix slow multipart parsing for large parts potentially enabling DoS
    attacks. (CVE-2023-46136, bsc#1216581)
  * Remove previously deprecated code.
  * Deprecate the ``__version__`` attribute. Use feature detection, or
    ``importlib.metadata.version("werkzeug")``, instead.
  * ``generate_password_hash`` uses scrypt by default.
  * Add the ``"werkzeug.profiler"`` item to the  WSGI ``environ`` dictionary
    passed to `ProfilerMiddleware`'s `filename_format` function. It contains
    the ``elapsed`` and ``time`` values for the profiled request.
  * Explicitly marked the PathConverter as non path isolating.

• Files Changed
• Browse Source

- Update to 2.3.7:
  * Use ``flit_core`` instead of ``setuptools`` as build backend.
  * Fix parsing of multipart bodies.
    Adjust index of last newline in data start.
  * ``_plain_int`` and ``_plain_float`` strip whitespace before type
    enforcement.
  * Fix empty file streaming when testing.
  * Clearer error message when URL rule does not start with slash.
  * ``Accept`` ``q`` value can be a float without a decimal part.
- Drop captialisation again.

• Files Changed
• Browse Source

Automatic submission by obs-autosubmit

• Files Changed
• Browse Source

- Update to 2.3.6:
  * FileStorage.content_length does not fail if the form data did not provide
    a value.
- Update to 2.3.5:
  * Python 3.12 compatibility.
  * Fix handling of invalid base64 values in Authorization.from_header.
  * The debugger escapes the exception message in the page title.
  * When binding routing.Map, a long IDNA server_name with a port does not
    fail encoding.
  * iri_to_uri shows a deprecation warning instead of an error when passing
    bytes.
  * When parsing numbers in HTTP request headers such as Content-Length, only
    ASCII digits are accepted rather than any format that Python’s int and
    float accept.
- Update to 2.3.4:
  * Authorization.from_header and WWWAuthenticate.from_header detects tokens
    that end with base64 padding (=).
  * Remove usage of warnings.catch_warnings.
  * Remove max_form_parts restriction from standard form data parsing and only
    use if for multipart content.
  * Response will avoid converting the Location header in some cases to
    preserve invalid URL schemes like itms-services.
- Update to 2.3.3:
  * Fix parsing of large multipart bodies. Remove invalid leading newline, and
    restore parsing speed.
  * The cookie Path attribute is set to / by default again, to prevent clients
    from falling back to RFC 6265’s default-path behavior.
- Update to 2.3.2:
  * Parse the cookie Expires attribute correctly in the test client.
  * max_content_length can only be enforced on streaming requests if the
    server sets wsgi.input_terminated.
- Update to 2.3.1:
  * Percent-encode plus (+) when building URLs and in test requests.
  * Cookie values don’t quote characters defined in RFC 6265.
  * Include pyi files for datastructures type annotations.
  * Authorization and WWWAuthenticate objects can be compared for equality.
- Update to 2.3.0:
  * Drop support for Python 3.7.
  * Remove previously deprecated code.
  * Passing bytes where strings are expected is deprecated, as well as the
    charset and errors parameters in many places. Anywhere that was annotated,
    documented, or tested to accept bytes shows a warning. Removing this
    artifact of the transition from Python 2 to 3 removes a significant amount
    of overhead in instance checks and encoding cycles. In general, always
    work with UTF-8, the modern HTML, URL, and HTTP standards all strongly
    recommend this.
  * Deprecate the werkzeug.urls module, except for the uri_to_iri and
    iri_to_uri functions. Use the urllib.parse library instead.
  * Update which characters are considered safe when using percent encoding
    in URLs, based on the WhatWG URL Standard.
  * Update which characters are considered safe when using percent encoding
    for Unicode filenames in downloads.
  * Deprecate the safe_conversion parameter of iri_to_uri. The Location header
    is converted to IRI using the same process as everywhere else.
  * Deprecate werkzeug.wsgi.make_line_iter and make_chunk_iter.
  * Use modern packaging metadata with pyproject.toml instead of setup.cfg.
  * Request.get_json() will raise a 415 Unsupported Media Type error if the
    Content-Type header is not application/json, instead of a generic 400.
  * A URL converter’s part_isolating defaults to False if its regex contains
    a /.
  * A custom converter’s regex can have capturing groups without breaking
    the router.
  * The reloader can pick up arguments to python like -X dev, and does not
    require heuristics to determine how to reload the command. Only available
    on Python >= 3.10.
  * The Watchdog reloader ignores file opened events. Bump the minimum version
    of Watchdog to 2.3.0.
  * When using a Unix socket for the development server, the path can start
    with a dot.
  * Increase default work factor for PBKDF2 to 600,000 iterations.
  * parse_options_header is 2-3 times faster. It conforms to RFC 9110, some
    invalid parts that were previously accepted are now ignored.
  * The is_filename parameter to unquote_header_value is deprecated.
  * Deprecate the extra_chars parameter and passing bytes to
    quote_header_value, the allow_token parameter to dump_header, and the cls
    parameter and passing bytes to parse_dict_header.
  * Improve parse_accept_header implementation. Parse according to RFC 9110.
    Discard items with invalid q values.
  * quote_header_value quotes the empty string.
  * dump_options_header skips None values rather than using a bare key.
  * dump_header and dump_options_header will not quote a value if the key ends
    with an asterisk *.
  * parse_dict_header will decode values with charsets.
  * Refactor the Authorization and WWWAuthenticate header data structures.
    + Both classes have type, parameters, and token attributes. The token
      attribute supports auth schemes that use a single opaque token rather
      than key=value parameters, such as Bearer.
    + Neither class is a dict anymore, although they still implement getting,
      setting, and deleting auth[key] and auth.key syntax, as well as
      auth.get(key) and key in auth.
    + Both classes have a from_header class method. parse_authorization_header
      and parse_www_authenticate_header are deprecated.
    + The methods WWWAuthenticate.set_basic and set_digest are deprecated.
      Instead, an instance should be created and assigned to
      response.www_authenticate.
    + A list of instances can be assigned to response.www_authenticate to set
      multiple header values. However, accessing the property only returns the
      first instance.
  * Refactor parse_cookie and dump_cookie.
    + parse_cookie is up to 40% faster, dump_cookie is up to 60% faster.
    + Passing bytes to parse_cookie and dump_cookie is deprecated. The
      dump_cookie charset parameter is deprecated.
    + dump_cookie allows domain values that do not include a dot ., and strips
      off a leading dot.
    + dump_cookie does not set path="/" unnecessarily by default.
  * Refactor the test client cookie implementation.
    + The cookie_jar attribute is deprecated. http.cookiejar is no longer used
      for storage.
    + Domain and path matching is used when sending cookies in requests. The
      domain and path parameters default to localhost and /.
    + Added a get_cookie method to inspect cookies.
    + Cookies have decoded_key and decoded_value attributes to match what the
      app sees rather than the encoded values a client would see.
    + The first positional server_name parameter to set_cookie and
      delete_cookie is deprecated. Use the domain parameter instead.
    + Other parameters to delete_cookie besides domain, path, and value are
      deprecated.
  * If request.max_content_length is set, it is checked immediately when
    accessing the stream, and while reading from the stream in general, rather
    than only during form parsing.
  * The development server, which must not be used in production, will exhaust
    the request stream up to 10GB or 1000 reads. This allows clients to see a
    413 error if max_content_length is exceeded, instead of a “connection
    reset” failure.
  * The development server discards header keys that contain underscores _, as
    they are ambiguous with dashes - in WSGI.
  * secure_filename looks for more Windows reserved file names.
  * Update type annotation for best_match to make default parameter clearer.
  * Multipart parser handles empty fields correctly.
  * The Map charset parameter and Request.url_charset property are deprecated.
    Percent encoding in URLs must always represent UTF-8 bytes. Invalid bytes
    are left percent encoded rather than replaced.
  * The Request.charset, Request.encoding_errors, Response.charset, and
    Client.charset attributes are deprecated. Request and response data must
    always use UTF-8.
  * Header values that have charset information only allow ASCII, UTF-8, and
    ISO-8859-1.
  * Update type annotation for ProfilerMiddleware stream parameter.
  * Use postponed evaluation of annotations.
  * The development server escapes ASCII control characters in decoded URLs
    before logging the request to the terminal.
  * The FormDataParser parse_functions attribute and get_parse_func method,
    and the invalid application/x-url-encoded content type, are deprecated.
  * generate_password_hash supports scrypt. Plain hash methods are deprecated,
    only scrypt and pbkdf2 are supported.
- Remove patch which was made obsolete by upstream:
  * moved_root.patch

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- update to 2.2.3 (bsc#1208283, CVE-2023-25577):
  * Ensure that URL rules using path converters will redirect
    with strict slashes when the trailing slash is missing.
  * Type signature for ``get_json`` specifies that return type
    is not optional when ``silent=False``.
  * ``parse_content_range_header`` returns ``None`` for a value
    like ``bytes */-1`` where the length is invalid, instead of
    raising an ``AssertionError``.
  * Address remaining ``ResourceWarning`` related to the socket
    used by ``run_simple``.
  * Remove ``prepare_socket``, which now happens when
    creating the server.
  * Update pre-existing headers for ``multipart/form-data``
    requests with the test client.
  * Fix handling of header extended parameters such that they
    are no longer quoted.
  * ``LimitedStream.read`` works correctly when wrapping a
    stream that may not return the requested size in one 
    ``read`` call.
  * A cookie header that starts with ``=`` is treated as an
    empty key and discarded, rather than stripping the leading ``==``.
  * Specify a maximum number of multipart parts, default 1000,
    after which a ``RequestEntityTooLarge`` exception is
    raised on parsing.  This mitigates a DoS attack where a
    larger number of form/file parts would result in disproportionate
    resource use.

• Files Changed
• Browse Source

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- update to 2.1.2:
  * The development server does not set ``Transfer-Encoding: chunked``
    for 1xx, 204, 304, and HEAD responses. :issue:`2375`
  * Response HTML for exceptions and redirects starts with
    ``<!doctype html>`` and ``<html lang=en>``. :issue:`2390`
  * Fix ability to set some ``cache_control`` attributes to ``False``.
    :issue:`2379`
  * Disable ``keep-alive`` connections in the development server, which
    are not supported sufficiently by Python's ``http.server``.
    :issue:`2397` 
- drop 2402-dev_server.patch (upstream)

• Files Changed
• Browse Source

Automatic submission by obs-autosubmit

• Files Changed
• Browse Source

- Update to 2.1.1:
  - ResponseCacheControl.s_maxage converts its value to an int,
    like max_age.
  - Drop support for Python 3.6.
  - Using gevent or eventlet requires greenlet>=1.0 or
    PyPy>=7.3.7. werkzeug.locals and contextvars will not work
    correctly with older versions.
  - Remove previously deprecated code.
     - Remove the non-standard shutdown function from the WSGI
       environ when running the development server. See the docs
       for alternatives.
     - Request and response mixins have all been merged into the
       Request and Response classes.
     - The user agent parser and the useragents module is
       removed. The user_agent module provides an interface that
       can be subclassed to add a parser, such as ua-parser. By
       default it only stores the whole string.
     - The test client returns TestResponse instances and can no
       longer be treated as a tuple. All data is available as
       properties on the response.
     - Remove locals.get_ident and related thread-local code from
       locals, it no longer makes sense when moving to
       a contextvars-based implementation.
     - Remove the python -m werkzeug.serving CLI.
     - The has_key method on some mapping datastructures; use key
       in data instead.
     - Request.disable_data_descriptor is removed, pass
       shallow=True instead.
     - Remove the no_etag parameter from Response.freeze().
     - Remove the HTTPException.wrap class method.
     - Remove the cookie_date function. Use http_date instead.
     - Remove the pbkdf2_hex, pbkdf2_bin, and safe_str_cmp
       functions. Use equivalents in hashlib and hmac modules
       instead.
     - Remove the Href class.
     - Remove the HTMLBuilder class.
     - Remove the invalidate_cached_property function. Use del
       obj.attr instead.
     - Remove bind_arguments and validate_arguments. Use
       Signature.bind() and inspect.signature() instead.
     - Remove detect_utf_encoding, it’s built-in to json.loads.
     - Remove format_string, use string.Template instead.
     - Remove escape and unescape. Use MarkupSafe instead.
    - The multiple parameter of parse_options_header is
      deprecated.
    - Rely on PEP 538 and PEP 540 to handle decoding file names
      with the correct filesystem encoding. The filesystem module
      is removed.
    - Default values passed to Headers are validated the same way
      values added later are.
    - Setting CacheControl int properties, such as max_age, will
      convert the value to an int.
    - Always use socket.fromfd when restarting the dev server.
    - When passing a dict of URL values to Map.build, list values
      do not filter out None or collapse to a single value.
      Passing a MultiDict does collapse single items. This undoes
      a previous change that made it difficult to pass a list, or
      None values in a list, to custom URL converters.
    - run_simple shows instructions for dealing with “address
      already in use” errors, including extra instructions for
      macOS.
    - Extend list of characters considered always safe in URLs
      based on RFC 3986.
    - Optimize the stat reloader to avoid watching unnecessary
      files in more cases. The watchdog reloader is still
      recommended for performance and accuracy.
    - The development server uses Transfer-Encoding: chunked for
      streaming responses when it is configured for HTTP/1.1.
    - The development server uses HTTP/1.1, which enables
      keep-alive connections and chunked streaming responses,
      when threaded or processes is enabled.
    - cached_property works for classes with __slots__ if
      a corresponding _cache_{name} slot is added.
    - Refactor the debugger traceback formatter to use Python’s
      built-in traceback module as much as possible.
    - The TestResponse.text property is a shortcut for
      r.get_data(as_text=True), for convenient testing against
      text instead of bytes.
    - safe_join ensures that the path remains relative if the
      trusted directory is the empty string.
    - Percent-encoded newlines (%0a), which are decoded by WSGI
      servers, are considered when routing instead of terminating
      the match early.
    - The test client doesn’t set duplicate headers for
      CONTENT_LENGTH and CONTENT_TYPE.
    - append_slash_redirect handles PATH_INFO with internal
      slashes.
    - The default status code for append_slash_redirect is 308
      instead of 301. This preserves the request body, and
      matches a previous change to strict_slashes in routing.
    - Fix ValueError: I/O operation on closed file. with the test
      client when following more than one redirect.
    - Response.autocorrect_location_header is disabled by
      default. The Location header URL will remain relative, and
      exclude the scheme and domain, by default.
    - Request.get_json() will raise a 400 BadRequest error if the
      Content-Type header is not application/json. This makes
      a very common source of confusion more visible.
- Add no-network-testing.patch to mark all tests requiring
  network access (so they can be skipped by pytest test runner,
  gh#pallets/werkzeug#2393).

• Files Changed
• Browse Source

- update to 2.0.3:
  * ``ProxyFix`` supports IPv6 addresses.
  *  Type annotation for ``Response.make_conditional``,
    ``HTTPException.get_response``, and ``Map.bind_to_environ`` accepts
    ``Request`` in addition to ``WSGIEnvironment`` for the first
     parameter.
  * Fix type annotation for ``Request.user_agent_class``.
  * Accessing ``LocalProxy.__class__`` and ``__doc__`` on an unbound
    proxy returns the fallback value instead of a method object.
  * Redirects with the test client set ``RAW_URI`` and ``REQUEST_URI``
    correctly.

• Files Changed
• Browse Source

- update to 2.0.2:
  * Handle multiple tokens in ``Connection`` header when routing
    WebSocket requests.
  * Set the debugger pin cookie secure flag when on https.
  * Fix type annotation for ``MultiDict.update`` to accept iterable
    values :pr:`2142`
  * Prevent double encoding of redirect URL when ``merge_slash=True``
    for ``Rule.match``.
  * ``CombinedMultiDict.to_dict`` with ``flat=False`` considers all
    component dicts when building value lists. :issue:`2189`
  * ``send_file`` only sets a detected ``Content-Encoding`` if
    ``as_attachment`` is disabled to avoid browsers saving
    decompressed ``.tar.gz`` files.
  * Fix type annotations for ``TypeConversionDict.get`` to not return an
    ``Optional`` value if both ``default`` and ``type`` are not
    ``None``.
  * Fix type annotation for routing rule factories to accept
    ``Iterable[RuleFactory]`` instead of ``Iterable[Rule]`` for the
    ``rules`` parameter. :issue:`2183`
  * Add missing type annotation for ``FileStorage.__getattr__``
  * The debugger pin cookie is set with ``SameSite`` set to ``Strict``
    instead of ``None`` to be compatible with modern browser security.
  * Type annotations use ``IO[bytes]`` and ``IO[str]`` instead of
    ``BinaryIO`` and ``TextIO`` for wider type compatibility.
  * Ad-hoc TLS certs are generated with SAN matching CN. :issue:`2158`
  * Fix memory usage for locals when using Python 3.6 or pre 0.4.17
    greenlet versions. :pr:`2212`
  * Fix type annotation in ``CallbackDict``, because it is not
    utilizing a bound TypeVar. :issue:`2235`
  * Fix setting CSP header options on the response. :pr:`2237`

• Files Changed
• Browse Source

• Files Changed
• Browse Source

• Files Changed
• Browse Source