Overview
Request 664544 accepted
- Update to version 1.0.0:
  * Security related: Bewit MACs were not compared in constant time
    and were thus possibly circumventable by an attacker.
  * Breaking change: Escape characters in header values (such as a
    backslash) are no longer allowed, potentially breaking clients
    that depended on this behavior.
  * A sender is allowed to omit the content hash as long as their
    request has no content. The `mohawk.Receiver` will skip the
    content hash check in this situation, regardless of the value
    of accept_untrusted_content.
  * Introduced max limit of 4096 characters in the Authorization
    header.
  * Changed default values of content and content_type arguments to
    `mohawk.base.EmptyValue` in order to differentiate between
    misconfiguration and cases where these arguments are explicitly
    given as None (as with some web frameworks).
  * Failing to pass content and content_type arguments to
    `mohawk.Receiver` or `mohawk.Sender.accept_response` without
    specifying accept_untrusted_content=True will now raise
    `mohawk.exc.MissingContent` instead of `ValueError`.
Request History
1Antoine1 created request
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto added repo-checker as a reviewer
Please review build success
factory-auto accepted review
Check script succeeded
licensedigger accepted review
ok
staging-bot added openSUSE:Factory:Staging:adi:50 as a reviewer
Being evaluated by staging project "openSUSE:Factory:Staging:adi:50"
staging-bot accepted review
Picked openSUSE:Factory:Staging:adi:50
repo-checker accepted review
cycle and install check passed
dimstar accepted review
staging-bot accepted review
ready to accept
staging-bot approved review
ready to accept
dimstar_suse accepted request
Accept to openSUSE:Factory