Overview

Request 1093788 accepted

- Update to 2.3.6:
* FileStorage.content_length does not fail if the form data did not provide
a value.
- Update to 2.3.5:
* Python 3.12 compatibility.
* Fix handling of invalid base64 values in Authorization.from_header.
* The debugger escapes the exception message in the page title.
* When binding routing.Map, a long IDNA server_name with a port does not
fail encoding.
* iri_to_uri shows a deprecation warning instead of an error when passing
bytes.
* When parsing numbers in HTTP request headers such as Content-Length, only
ASCII digits are accepted rather than any format that Python’s int and
float accept.
- Update to 2.3.4:
* Authorization.from_header and WWWAuthenticate.from_header detects tokens
that end with base64 padding (=).
* Remove usage of warnings.catch_warnings.
* Remove max_form_parts restriction from standard form data parsing and only
use if for multipart content.
* Response will avoid converting the Location header in some cases to
preserve invalid URL schemes like itms-services.
- Update to 2.3.3:
* Fix parsing of large multipart bodies. Remove invalid leading newline, and
restore parsing speed.
* The cookie Path attribute is set to / by default again, to prevent clients
from falling back to RFC 6265’s default-path behavior.
- Update to 2.3.2:
* Parse the cookie Expires attribute correctly in the test client.
* max_content_length can only be enforced on streaming requests if the
server sets wsgi.input_terminated.
- Update to 2.3.1:
* Percent-encode plus (+) when building URLs and in test requests.
* Cookie values don’t quote characters defined in RFC 6265.
* Include pyi files for datastructures type annotations.
* Authorization and WWWAuthenticate objects can be compared for equality.
- Update to 2.3.0:
* Drop support for Python 3.7.
* Remove previously deprecated code.
* Passing bytes where strings are expected is deprecated, as well as the
charset and errors parameters in many places. Anywhere that was annotated,
documented, or tested to accept bytes shows a warning. Removing this
artifact of the transition from Python 2 to 3 removes a significant amount
of overhead in instance checks and encoding cycles. In general, always
work with UTF-8, the modern HTML, URL, and HTTP standards all strongly
recommend this.
* Deprecate the werkzeug.urls module, except for the uri_to_iri and
iri_to_uri functions. Use the urllib.parse library instead.
* Update which characters are considered safe when using percent encoding
in URLs, based on the WhatWG URL Standard.
* Update which characters are considered safe when using percent encoding
for Unicode filenames in downloads.
* Deprecate the safe_conversion parameter of iri_to_uri. The Location header
is converted to IRI using the same process as everywhere else.
* Deprecate werkzeug.wsgi.make_line_iter and make_chunk_iter.
* Use modern packaging metadata with pyproject.toml instead of setup.cfg.
* Request.get_json() will raise a 415 Unsupported Media Type error if the
Content-Type header is not application/json, instead of a generic 400.
* A URL converter’s part_isolating defaults to False if its regex contains
a /.
* A custom converter’s regex can have capturing groups without breaking
the router.
* The reloader can pick up arguments to python like -X dev, and does not
require heuristics to determine how to reload the command. Only available
on Python >= 3.10.
* The Watchdog reloader ignores file opened events. Bump the minimum version
of Watchdog to 2.3.0.
* When using a Unix socket for the development server, the path can start
with a dot.
* Increase default work factor for PBKDF2 to 600,000 iterations.
* parse_options_header is 2-3 times faster. It conforms to RFC 9110, some
invalid parts that were previously accepted are now ignored.
* The is_filename parameter to unquote_header_value is deprecated.
* Deprecate the extra_chars parameter and passing bytes to
quote_header_value, the allow_token parameter to dump_header, and the cls
parameter and passing bytes to parse_dict_header.
* Improve parse_accept_header implementation. Parse according to RFC 9110.
Discard items with invalid q values.
* quote_header_value quotes the empty string.
* dump_options_header skips None values rather than using a bare key.
* dump_header and dump_options_header will not quote a value if the key ends
with an asterisk *.
* parse_dict_header will decode values with charsets.
* Refactor the Authorization and WWWAuthenticate header data structures.
+ Both classes have type, parameters, and token attributes. The token
attribute supports auth schemes that use a single opaque token rather
than key=value parameters, such as Bearer.
+ Neither class is a dict anymore, although they still implement getting,
setting, and deleting auth[key] and auth.key syntax, as well as
auth.get(key) and key in auth.
+ Both classes have a from_header class method. parse_authorization_header
and parse_www_authenticate_header are deprecated.
+ The methods WWWAuthenticate.set_basic and set_digest are deprecated.
Instead, an instance should be created and assigned to
response.www_authenticate.
+ A list of instances can be assigned to response.www_authenticate to set
multiple header values. However, accessing the property only returns the
first instance.
* Refactor parse_cookie and dump_cookie.
+ parse_cookie is up to 40% faster, dump_cookie is up to 60% faster.
+ Passing bytes to parse_cookie and dump_cookie is deprecated. The
dump_cookie charset parameter is deprecated.
+ dump_cookie allows domain values that do not include a dot ., and strips
off a leading dot.
+ dump_cookie does not set path="/" unnecessarily by default.
* Refactor the test client cookie implementation.
+ The cookie_jar attribute is deprecated. http.cookiejar is no longer used
for storage.
+ Domain and path matching is used when sending cookies in requests. The
domain and path parameters default to localhost and /.
+ Added a get_cookie method to inspect cookies.
+ Cookies have decoded_key and decoded_value attributes to match what the
app sees rather than the encoded values a client would see.
+ The first positional server_name parameter to set_cookie and
delete_cookie is deprecated. Use the domain parameter instead.
+ Other parameters to delete_cookie besides domain, path, and value are
deprecated.
* If request.max_content_length is set, it is checked immediately when
accessing the stream, and while reading from the stream in general, rather
than only during form parsing.
* The development server, which must not be used in production, will exhaust
the request stream up to 10GB or 1000 reads. This allows clients to see a
413 error if max_content_length is exceeded, instead of a “connection
reset” failure.
* The development server discards header keys that contain underscores _, as
they are ambiguous with dashes - in WSGI.
* secure_filename looks for more Windows reserved file names.
* Update type annotation for best_match to make default parameter clearer.
* Multipart parser handles empty fields correctly.
* The Map charset parameter and Request.url_charset property are deprecated.
Percent encoding in URLs must always represent UTF-8 bytes. Invalid bytes
are left percent encoded rather than replaced.
* The Request.charset, Request.encoding_errors, Response.charset, and
Client.charset attributes are deprecated. Request and response data must
always use UTF-8.
* Header values that have charset information only allow ASCII, UTF-8, and
ISO-8859-1.
* Update type annotation for ProfilerMiddleware stream parameter.
* Use postponed evaluation of annotations.
* The development server escapes ASCII control characters in decoded URLs
before logging the request to the terminal.
* The FormDataParser parse_functions attribute and get_parse_func method,
and the invalid application/x-url-encoded content type, are deprecated.
* generate_password_hash supports scrypt. Plain hash methods are deprecated,
only scrypt and pbkdf2 are supported.
- Remove patch which was made obsolete by upstream:
* moved_root.patch


Ana Guerrero's avatar

Hi @mcepl This update of Werkzeug is breaking the tests of python-httpbin, from https://build.opensuse.org/build/openSUSE:Factory:Staging:M/standard/x86_64/python-httpbin/_log

33s] =================================== FAILURES =================================== [ 33s] _________________________ HttpbinTestCase.test_base64 __________________________ [ 33s] [ 33s] self = <test_httpbin.HttpbinTestCase testMethod=test_base64> [ 33s] [ 33s] def test_base64(self): [ 33s] greeting = u'Здравствуй, мир!' [ 33s] b64_encoded = _string_to_base64(greeting) [ 33s] > response = self.app.get(b'/base64/' + b64_encoded) [ 33s] [ 33s] test_httpbin.py:171: [ 33s] _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ [ 33s] /usr/lib/python3.9/site-packages/werkzeug/test.py:1242: in get [ 33s] return self.open(*args, **kw) [ 33s] /usr/lib/python3.9/site-packages/flask/testing.py:231: in open [ 33s] request = self._request_from_builder_args(args, kwargs) [ 33s] /usr/lib/python3.9/site-packages/flask/testing.py:203: in _request_from_builder_args [ 33s] return builder.get_request() [ 33s] /usr/lib/python3.9/site-packages/werkzeug/test.py:795: in get_request [ 33s] return cls(self.get_environ()) [ 33s] /usr/lib/python3.9/site-packages/werkzeug/test.py:737: in get_environ [ 33s] raw_uri = _wsgi_encoding_dance(self.request_uri, self.charset) [ 33s] _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

(and more)


Ana Guerrero's avatar

I'm removing this package from Staging:M, please find the full log here https://paste.opensuse.org/pastes/6fb92893bbb5


Ana Guerrero's avatar

Breaks python-httpbin tests


Ana Guerrero's avatar

Unignored: returned to active backlog.


Ana Guerrero's avatar

Breaks python-httpbin tests, boo#1212557


Steve Kowalik's avatar

I have seen this, I'm getting to it.


Steve Kowalik's avatar

httpbin fix https://build.opensuse.org/request/show/1094317 , please stage these two together.

Request History
Matej Cepl's avatar

mcepl created request

- Update to 2.3.6:
* FileStorage.content_length does not fail if the form data did not provide
a value.
- Update to 2.3.5:
* Python 3.12 compatibility.
* Fix handling of invalid base64 values in Authorization.from_header.
* The debugger escapes the exception message in the page title.
* When binding routing.Map, a long IDNA server_name with a port does not
fail encoding.
* iri_to_uri shows a deprecation warning instead of an error when passing
bytes.
* When parsing numbers in HTTP request headers such as Content-Length, only
ASCII digits are accepted rather than any format that Python’s int and
float accept.
- Update to 2.3.4:
* Authorization.from_header and WWWAuthenticate.from_header detects tokens
that end with base64 padding (=).
* Remove usage of warnings.catch_warnings.
* Remove max_form_parts restriction from standard form data parsing and only
use if for multipart content.
* Response will avoid converting the Location header in some cases to
preserve invalid URL schemes like itms-services.
- Update to 2.3.3:
* Fix parsing of large multipart bodies. Remove invalid leading newline, and
restore parsing speed.
* The cookie Path attribute is set to / by default again, to prevent clients
from falling back to RFC 6265’s default-path behavior.
- Update to 2.3.2:
* Parse the cookie Expires attribute correctly in the test client.
* max_content_length can only be enforced on streaming requests if the
server sets wsgi.input_terminated.
- Update to 2.3.1:
* Percent-encode plus (+) when building URLs and in test requests.
* Cookie values don’t quote characters defined in RFC 6265.
* Include pyi files for datastructures type annotations.
* Authorization and WWWAuthenticate objects can be compared for equality.
- Update to 2.3.0:
* Drop support for Python 3.7.
* Remove previously deprecated code.
* Passing bytes where strings are expected is deprecated, as well as the
charset and errors parameters in many places. Anywhere that was annotated,
documented, or tested to accept bytes shows a warning. Removing this
artifact of the transition from Python 2 to 3 removes a significant amount
of overhead in instance checks and encoding cycles. In general, always
work with UTF-8, the modern HTML, URL, and HTTP standards all strongly
recommend this.
* Deprecate the werkzeug.urls module, except for the uri_to_iri and
iri_to_uri functions. Use the urllib.parse library instead.
* Update which characters are considered safe when using percent encoding
in URLs, based on the WhatWG URL Standard.
* Update which characters are considered safe when using percent encoding
for Unicode filenames in downloads.
* Deprecate the safe_conversion parameter of iri_to_uri. The Location header
is converted to IRI using the same process as everywhere else.
* Deprecate werkzeug.wsgi.make_line_iter and make_chunk_iter.
* Use modern packaging metadata with pyproject.toml instead of setup.cfg.
* Request.get_json() will raise a 415 Unsupported Media Type error if the
Content-Type header is not application/json, instead of a generic 400.
* A URL converter’s part_isolating defaults to False if its regex contains
a /.
* A custom converter’s regex can have capturing groups without breaking
the router.
* The reloader can pick up arguments to python like -X dev, and does not
require heuristics to determine how to reload the command. Only available
on Python >= 3.10.
* The Watchdog reloader ignores file opened events. Bump the minimum version
of Watchdog to 2.3.0.
* When using a Unix socket for the development server, the path can start
with a dot.
* Increase default work factor for PBKDF2 to 600,000 iterations.
* parse_options_header is 2-3 times faster. It conforms to RFC 9110, some
invalid parts that were previously accepted are now ignored.
* The is_filename parameter to unquote_header_value is deprecated.
* Deprecate the extra_chars parameter and passing bytes to
quote_header_value, the allow_token parameter to dump_header, and the cls
parameter and passing bytes to parse_dict_header.
* Improve parse_accept_header implementation. Parse according to RFC 9110.
Discard items with invalid q values.
* quote_header_value quotes the empty string.
* dump_options_header skips None values rather than using a bare key.
* dump_header and dump_options_header will not quote a value if the key ends
with an asterisk *.
* parse_dict_header will decode values with charsets.
* Refactor the Authorization and WWWAuthenticate header data structures.
+ Both classes have type, parameters, and token attributes. The token
attribute supports auth schemes that use a single opaque token rather
than key=value parameters, such as Bearer.
+ Neither class is a dict anymore, although they still implement getting,
setting, and deleting auth[key] and auth.key syntax, as well as
auth.get(key) and key in auth.
+ Both classes have a from_header class method. parse_authorization_header
and parse_www_authenticate_header are deprecated.
+ The methods WWWAuthenticate.set_basic and set_digest are deprecated.
Instead, an instance should be created and assigned to
response.www_authenticate.
+ A list of instances can be assigned to response.www_authenticate to set
multiple header values. However, accessing the property only returns the
first instance.
* Refactor parse_cookie and dump_cookie.
+ parse_cookie is up to 40% faster, dump_cookie is up to 60% faster.
+ Passing bytes to parse_cookie and dump_cookie is deprecated. The
dump_cookie charset parameter is deprecated.
+ dump_cookie allows domain values that do not include a dot ., and strips
off a leading dot.
+ dump_cookie does not set path="/" unnecessarily by default.
* Refactor the test client cookie implementation.
+ The cookie_jar attribute is deprecated. http.cookiejar is no longer used
for storage.
+ Domain and path matching is used when sending cookies in requests. The
domain and path parameters default to localhost and /.
+ Added a get_cookie method to inspect cookies.
+ Cookies have decoded_key and decoded_value attributes to match what the
app sees rather than the encoded values a client would see.
+ The first positional server_name parameter to set_cookie and
delete_cookie is deprecated. Use the domain parameter instead.
+ Other parameters to delete_cookie besides domain, path, and value are
deprecated.
* If request.max_content_length is set, it is checked immediately when
accessing the stream, and while reading from the stream in general, rather
than only during form parsing.
* The development server, which must not be used in production, will exhaust
the request stream up to 10GB or 1000 reads. This allows clients to see a
413 error if max_content_length is exceeded, instead of a “connection
reset” failure.
* The development server discards header keys that contain underscores _, as
they are ambiguous with dashes - in WSGI.
* secure_filename looks for more Windows reserved file names.
* Update type annotation for best_match to make default parameter clearer.
* Multipart parser handles empty fields correctly.
* The Map charset parameter and Request.url_charset property are deprecated.
Percent encoding in URLs must always represent UTF-8 bytes. Invalid bytes
are left percent encoded rather than replaced.
* The Request.charset, Request.encoding_errors, Response.charset, and
Client.charset attributes are deprecated. Request and response data must
always use UTF-8.
* Header values that have charset information only allow ASCII, UTF-8, and
ISO-8859-1.
* Update type annotation for ProfilerMiddleware stream parameter.
* Use postponed evaluation of annotations.
* The development server escapes ASCII control characters in decoded URLs
before logging the request to the terminal.
* The FormDataParser parse_functions attribute and get_parse_func method,
and the invalid application/x-url-encoded content type, are deprecated.
* generate_password_hash supports scrypt. Plain hash methods are deprecated,
only scrypt and pbkdf2 are supported.
- Remove patch which was made obsolete by upstream:
* moved_root.patch


Ana Guerrero's avatar

anag+factory set openSUSE:Factory:Staging:M as a staging project

Being evaluated by staging project "openSUSE:Factory:Staging:M"


Ana Guerrero's avatar

anag+factory accepted review

Picked "openSUSE:Factory:Staging:M"


Factory Auto's avatar

factory-auto added opensuse-review-team as a reviewer

Please review sources


Factory Auto's avatar

factory-auto accepted review

Check script succeeded


Saul Goodman's avatar

licensedigger accepted review

ok


Ana Guerrero's avatar

anag+factory added factory-staging as a reviewer

Being evaluated by group "factory-staging"


Ana Guerrero's avatar

anag+factory accepted review

Unstaged from project "openSUSE:Factory:Staging:M"


Dominique Leuenberger's avatar

dimstar accepted review


Ana Guerrero's avatar

anag+factory set openSUSE:Factory:Staging:L as a staging project

Being evaluated by staging project "openSUSE:Factory:Staging:L"


Ana Guerrero's avatar

anag+factory accepted review

Picked "openSUSE:Factory:Staging:L"


Dominique Leuenberger's avatar

dimstar_suse accepted review

Staging Project openSUSE:Factory:Staging:L got accepted.


Dominique Leuenberger's avatar

dimstar_suse approved review

Staging Project openSUSE:Factory:Staging:L got accepted.


Dominique Leuenberger's avatar

dimstar_suse accepted request

Staging Project openSUSE:Factory:Staging:L got accepted.

openSUSE Build Service is sponsored by