* Mon Aug 19 2024 steven.kowalik@suse.com
- Add patch CVE-2024-42353-url-redirection.patch:
* The use of WebOb's Response object to redirect a request to a new location
can lead to an open redirect if the Location header is not a full URI.
(bsc#1229221, CVE-2024-42353)
* Fri Feb 23 2018 tbechtold@suse.com
- Drop not needed python-pytest-cov BuildRequires
* Fri Feb 23 2018 tbechtold@suse.com
- update to 1.7.4:
- Add support for `wsgi.input_terminated` in the wsgi environ to allow for
Chunked Encoding to be used with WebOb
* Thu Jul 06 2017 tbechtold@suse.com
- update to 1.7.3:
- Request.host_url, Request.host_port and Request.domain now all understand and
know how to parse IPv6 Host headers sent by browsers. See
https://github.com/Pylons/webob/pull/332
* Fri May 05 2017 toddrme2178@gmail.com
- Fix Provides/Obsoletes.
* Tue Apr 04 2017 tbechtold@suse.com
- update to 1.7.2:
- Allow unnamed fields in form data to be properly transcoded when calling
request.decode with an alternate encoding. See
https://github.com/Pylons/webob/pull/309
- Switch to singlespec approach
* Fri Feb 10 2017 tbechtold@suse.com
- update to 1.7.1:
- ``Response.__init__`` would discard ``app_iter`` when a ``Response`` had no
body, this would cause issues when ``app_iter`` was an object that was tied
to the life-cycle of a web application and had to be properly closed.
``app_iter`` is more advanced API for ``Response`` and thus even if it
contains a body and is thus against the HTTP RFC's, we should let the users
shoot themselves by returning a body. See
https://github.com/Pylons/webob/issues/305
- WebOb is no longer supported on Python 2.6 and PyPy3 (due to pip no longer
supporting Python 3.2 even on PyPy)
- ``Response.content_type`` removes all existing Content-Type parameters, and
if the new Content-Type is "texty" it adds a new charset (unless already
provided) using the ``default_charset``. See
https://github.com/Pylons/webob/pull/301
- ``Response.set_cookie`` no longer accepts a key argument. This was deprecated
in WebOb 1.5 and as mentioned in the deprecation, is being removed in 1.7
- ``Response.__init__`` will no longer set the default Content-Type, nor
Content-Length on Responses that don't have a body. This allows WebOb to
return proper responses for things like `Response(status='204 No Content')`.
- ``Response.text`` will no longer raise if the Content-Type does not have a
charset, it will fall back to using the new ``default_body_encoding`. To get
the old behaviour back please sub-class ``Response`` and set
``default_body_encoding`` to ``None``. See
https://github.com/Pylons/webob/pull/287
- WebOb no longer supports Chunked Encoding, this means that if you are using
WebOb and need Chunked Encoding you will be required to have a proxy that
unchunks the request for you. Please read
https://github.com/Pylons/webob/issues/279 for more background.
- ``Response`` has a new ``default_body_encoding`` which may be used to allow
getting/setting ``Response.text`` when a Content-Type has no charset. See
https://github.com/Pylons/webob/pull/287
- ``webob.Request`` with any HTTP method is now allowed to have a body. This
allows DELETE to have a request body for passing extra information. See
https://github.com/Pylons/webob/pull/283 and
https://github.com/Pylons/webob/pull/274
- Add ``tell()`` to ``ResponseBodyFile`` so that it may be used for example for
zipfile support. See https://github.com/Pylons/webob/pull/117
- Allow the return from ``wsgify.middleware`` to be used as a decorator. See
https://github.com/Pylons/webob/pull/228
- Fixup ``cgi.FieldStorage`` on Python 3.x to work-around issue reported in
Python bug report 27777 and 24764. This is currently applied for Python
versions less than 3.7. See https://github.com/Pylons/webob/pull/294 and
https://github.com/Pylons/webob/pull/300
- ``Response.set_cookie`` now accepts ``datetime`` objects for the ``expires``
kwarg and will correctly convert them to UTC with no tzinfo for use in
calculating the ``max_age``. See https://github.com/Pylons/webob/issues/254
and https://github.com/Pylons/webob/pull/292
- Fixes ``request.PATH_SAFE`` to contain all of the path safe characters
according to RFC3986. See https://github.com/Pylons/webob/pull/291
- WebOb's exceptions will lazily read underlying variables when inserted into
templates to avoid expensive computations/crashes when inserting into the
template. This had a bad performance regression on Py27 because of the way
the lazified class was created and returned. See
https://github.com/Pylons/webob/pull/284
- ``wsgify.__call__`` raised a ``TypeError`` with an unhelpful message, it will
now return the ``repr`` for the wrapped function:
https://github.com/Pylons/webob/issues/119
- ``Response.json``'s ``json.dumps``/``json.loads`` are now always UTF-8. It no
longer tries to use the charset.
- The ``Response.__init__`` will by default no longer set the Content-Type to
the default if a ``headerlist`` is provided. This fixes issues whereby
``Request.get_response()`` would return a Response that didn't match the
actual response. See https://github.com/Pylons/webob/pull/261 and
https://github.com/Pylons/webob/issues/205
- Cleans up the remainder of the issues with the updated WebOb exceptions that
were taught to return JSON in version 1.6. See
https://github.com/Pylons/webob/issues/237 and
https://github.com/Pylons/webob/issues/236
- ``Response.from_file`` now parses the status line correctly when the status
line contains an HTTP with version, as well as a status text that contains
multiple white spaces (e.g HTTP/1.1 404 Not Found). See
https://github.com/Pylons/webob/issues/250
- ``Response`` now has a new property named ``has_body`` that may be used to
interrogate the ``Response`` to find out if ``Response.body`` is or isn't
set.
This is used in the exception handling code so that if you use a WebOb HTTP
Exception and pass a generator to ``app_iter`` WebOb won't attempt to read
the whole thing and instead allows it to be returned to the WSGI server. See
https://github.com/Pylons/webob/pull/259
* Sat Oct 15 2016 dmueller@suse.com
- update to 1.6.2:
* WebOb's exceptions will lazily read underlying variables when inserted into
templates to avoid expensive computations/crashes when inserting into the
template. This had a bad performance regression on Py27 because of the way
the lazified class was created and returned. See
https://github.com/Pylons/webob/pull/284
* Mon Jun 06 2016 dmueller@suse.com
- fix download url
* Fri Jun 03 2016 tbechtold@suse.com
- update to 1.6.1:
- Response.from_file now parses the status line correctly when the status line
contains an HTTP with version, as well as a status text that contains
multiple white spaces (e.g 404 Not Found). See
https://github.com/Pylons/webob/issues/250
- Python 3.2 is no longer supported by WebOb
- Request.decode attempted to read from the an already consumed stream, it has
now been redirected to another stream to read from. See
https://github.com/Pylons/webob/pull/183
- The application/json media type does not allow for a charset as discovery of
the encoding is done at the JSON layer. Upon initialization of a Response
WebOb will no longer add a charset if the content-type is set to JSON. See
https://github.com/Pylons/webob/pull/197 and
https://github.com/Pylons/pyramid/issues/1611
- Lazily HTML escapes environment keys in HTTP Exceptions so that those keys in
the environ that are not used in the output of the page don't raise an
exception due to inability to be properly escaped. See
https://github.com/Pylons/webob/pull/139
- MIMEAccept now accepts comparisons against wildcards, this allows one to
match on just the media type or sub-type, without having to explicitly match
on both the media type and sub-type at the same time. See
https://github.com/Pylons/webob/pull/185
- Add the ability to return a JSON body from an exception. Using the Accept
information in the request, the exceptions will now automatically return a
JSON version of the exception instead of just HTML or text. See
https://github.com/Pylons/webob/pull/230 and
https://github.com/Pylons/webob/issues/209
- exc._HTTPMove and any subclasses will now raise a ValueError if the location
field contains a line feed or carriage return. These values may lead to
possible HTTP Response Splitting. The header_getter descriptor has also been
modified to no longer accept headers with a line feed or carriage return.
See: https://github.com/Pylons/webob/pull/229 and
https://github.com/Pylons/webob/issues/217
* Mon Dec 14 2015 aplanas@suse.com
- updateto version 1.5.1:
* (Bug Fixes) The exceptions HTTPNotAcceptable,
HTTPUnsupportedMediaType and HTTPNotImplemented will now correctly
use the sub-classed template rather than the default error
template. See https://github.com/Pylons/webob/issues/221
* (Bug Fixes) Response’s from_file now correctly deals with a status
line that contains an HTTP version identifier. HTTP/1.1 200 OK is
now correctly parsed, whereas before this would raise an error
upon setting the Response.status in from_file. See
https://github.com/Pylons/webob/issues/121
- 1.5.0
* (Bug Fixes) The cookie API functions will now make sure that
max_age is an integer or an string that can convert to an
integer. Previously passing in max_age=’test’ would have silently
done the wrong thing.
- 1.5.0b0
* (Bug Fixes) Unbreak req.POST when the request method is
PATCH. Instead of returning something cmpletely unrelated we
return NoVar. See: https://github.com/Pylons/webob/pull/215
* (Features) HTTP Status Code 308 is now supported as a Permanent
Redirect. See https://github.com/Pylons/webob/pull/207
- 1.5.0a1
* (Backwards Incompatibilities) Response.set_cookie renamed the only
required parameter from “key” to “name”. The code will now still
accept “key” as a keyword argument, and will issue a
DeprecationWarning until WebOb 1.7.
* (Backwards Incompatibilities) The status attribute of a Response
object no longer takes a string like None None and allows that to
be set as the status. It now has to at least match the pattern of
<integer status code> <explenation of status code>. Invalid status
strings will now raise a ValueError.
- 1.5.0a0
* (Backwards Incompatibilities) Morsel will no longer accept a
cookie value that does not meet RFC6265’s cookie-octet
specification. Upon calling Morsel.serialize a warning will be
issued, in the future this will raise a ValueError, please update
your cookie handling code. See
https://github.com/Pylons/webob/pull/172
* (Backwards Incompatibilities) Response.set_cookie now uses the
internal make_cookie API, which will issue warnings if cookies are
set with invalid bytes. See
https://github.com/Pylons/webob/pull/172
* (Features) Add support for some new caching headers,
stale-while-revalidate and stale-if-error that can be used by
reverse proxies to cache stale responses temporarily if the
backend disappears. From RFC5861. See
https://github.com/Pylons/webob/pull/189
* (Bug Fixes) Response.status now uses duck-typing for integers, and
has also learned to raise a ValueError if the status isn’t an
integer followed by a space, and then the reason. See
https://github.com/Pylons/webob/pull/191
* (Bug Fixes) Fixed a bug in webob.multidict.GetDict which resulted
in the QUERY_STRING not being updated when changes were made to
query params using Request.GET.extend().
* (Bug Fixes) Read the body of a request if we think it might have a
body. This fixes PATCH to support bodies. See
https://github.com/Pylons/webob/pull/184
* (Bug Fixes) Response.from_file returns HTTP headers as latin1
rather than UTF-8, this fixes the usage on Google AppEngine. See
https://github.com/Pylons/webob/issues/99 and
https://github.com/Pylons/webob/pull/150
* (Bug Fixes) Fix a bug in parsing the auth parameters that
contained bad white space. This makes the parsing fall in line
with what’s required in RFC7235. See
https://github.com/Pylons/webob/issues/158
* (Bug Fixes) Use ‘rn’ line endings in Response.__str__. See:
https://github.com/Pylons/webob/pull/146
* (Documentation Changes) response.set_cookie now has proper
documentation for max_age and expires. The code has also been
refactored to use cookies.make_cookie instead of duplicating the
code. This fixes https://github.com/Pylons/webob/issues/166 and
https://github.com/Pylons/webob/issues/171
* (Documentation Changes) Documentation didn’t match the actual code
for the wsgify function signature. See
https://github.com/Pylons/webob/pull/167
* (Documentation Changes) Remove the WebDAV only from certain HTTP
Exceptions, these exceptions may also be used by REST services for
example.
* Mon Sep 15 2014 tbechtold@suse.com
- update to version 1.4:
* Remove ``webob.__version__``, the version number had not been kept in sync
with the official pkg version. To obtain the WebOb version number, use
``pkg_resources.get_distribution('webob').version`` instead.
* Fix a bug in ``EmptyResponse`` that prevents it from setting self.close as
appropriate due to testing truthiness of object rather than if it is
something other than ``None``.
* Fix a bug in ``SignedSerializer`` preventing secrets from containing
higher-order characters. See https://github.com/Pylons/webob/issues/136
* Use the ``hmac.compare_digest`` method when available for constant-time
comparisons.
* Fix a bug in ``SignedCookieProfile`` whereby we didn't keep the original
serializer around, this would cause us to have ``SignedSerializer`` be added
on top of a ``SignedSerializer`` which would cause it to be run twice when
attempting to verify a cookie. See https://github.com/Pylons/webob/pull/127
* Backwards Incompatible change: When ``CookieProfile.get_value`` and
``SignedCookieProfile.get_value`` fails to deserialize a badly encoded
value, we now return ``None`` as if the cookie was never set in the first
place instead of allowing a ``ValueError`` to be raised to the calling code.
See https://github.com/Pylons/webob/pull/126
* Added a read-only ``domain`` property to ``BaseRequest``. This property
returns the domain portion of the host value. For example, if the
environment contains an ``HTTP_HOST`` value of ``foo.example.com:8000``,
``request.domain`` will return ``foo.example.com``.
* Added five new APIs: ``webob.cookies.CookieProfile``,
``webob.cookies.SignedCookieProfile``, ``webob.cookies.JSONSerializer`` and
``webob.cookies.SignedSerializer``, and ``webob.cookies.make_cookie``. These
APIs are convenience APIs for generating and parsing cookie headers as well
as dealing with signing cookies.
* Cookies generated via webob.cookies quoted characters in cookie values that
did not need to be quoted per RFC 6265. The following characters are no
longer quoted in cookie values: ``~/=<>()[]{}?@`` . The full set of
non-letter-or-digit unquoted cookie value characters is now
``!#$%&'*+-.^_`|~/: =<>()[]{}?@``. See
http://tools.ietf.org/html/rfc6265#section-4.1.1 for more information.
* Cookie names are now restricted to the set of characters expected by RFC
6265. Previously they could contain unsupported characters such as ``/``.
* Older versions of Webob escaped the doublequote to ``\"`` and the backslash
to ``\\`` when quoting cookie values. Now, instead, cookie serialization
generates ``\042`` for the doublequote and ``\134`` for the backslash. This
is what is expected as per RFC 6265. Note that old cookie values that do
have the older style quoting in them will still be unquoted correctly,
however.
* Added support for draft status code 451 ("Unavailable for Legal Reasons").
See http://tools.ietf.org/html/draft-tbray-http-legally-restricted-status-00
* Added status codes 428, 429, 431 and 511 to ``util.status_reasons`` (they
were already present in a previous release as ``webob.exc`` exceptions).
* MIMEAccept happily parsed malformed wildcard strings like "image/pn*" at
parse time, but then threw an AssertionError during matching. See
https://github.com/Pylons/webob/pull/83 .
* Preserve document ordering of GET and POST request data when POST data
passed to Request.blank is a MultiDict.
See https://github.com/Pylons/webob/pull/96
* Allow query strings attached to PATCH requests to populate request.params.
See https://github.com/Pylons/webob/pull/106
* Added Python 3.3 trove classifier.
* Tue Feb 18 2014 ro@suse.de
- added license.txt as doc file
* Thu Oct 24 2013 speilicke@suse.com
- Require python-setuptools instead of distribute (upstreams merged)
* Wed Mar 27 2013 speilicke@suse.com
- BuildRequire python (for ssl module) and drop pyOpenSSL
* Mon Jan 14 2013 saschpe@suse.de
- (Build)Require python-pyOpenSSL instead of M2Crypto (to get the
ssl Python base module)
* Fri Nov 23 2012 saschpe@suse.de
- Add dependency on python-M2Crypto, otherwise you won't get HTTPS
* Thu Nov 22 2012 saschpe@suse.de
- Update to version 1.2.3:
+ Fix parsing of form submissions where fields have transfer-content-encoding headers.
- Build HTML documentation
- Run testsuite
- Split of doc package
* Sat Sep 22 2012 os-dev@jacraig.com
- Update to 1.2.2:
* Fix multiple calls to ``cache_expires()`` not fully overriding the
previously set headers.
* Fix parsing of form submissions where fields have different encodings.
- Many changes between versions 1.1.1 and 1.2.1. Please see docs/news.txt
for full details. Major changes include support for only Python 3.2, 2.7,
2.6.
- Removed dependency on python-Tempita and python-wsgiproxy: these are only
used in example code in the documentation and not actual runtime reqs.
- Removed dependency on python-nose: it is only needed to run tests.
- Removed dependency on python-WebTest: it was removed as a testing
requirement in 1.2a1.
* Mon Nov 28 2011 prusnak@opensuse.org
- spec cleanup