|
| 1 | +Unreleased |
| 2 | +---------- |
| 3 | + |
| 4 | +Security Fix |
| 5 | +~~~~~~~~~~~~ |
| 6 | + |
| 7 | +- The use of WebOb's Response object to redirect a request to a new location |
| 8 | + can lead to an open redirect if the Location header is not a full URI. |
| 9 | + |
| 10 | + See https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3 |
| 11 | + and CVE-2024-42353 |
| 12 | + |
| 13 | + Thanks to Sara Gao for the report |
| 14 | + |
| 15 | + (This fix was released in WebOb 1.8.8) |
| 16 | + |
| 17 | +Feature |
| 18 | +~~~~~~~ |
| 19 | + |
| 20 | +- Rename "master" git branch to "main" |
| 21 | + |
| 22 | +- Add support for Python 3.12. |
| 23 | + |
| 24 | +- Add support for Python 3.13. |
| 25 | + |
| 26 | +- Add support for Python 3.14. |
| 27 | + |
| 28 | +- Add Request.remote_host, exposing REMOTE_HOST environment variable. |
| 29 | + |
| 30 | +- Added ``acceptparse.Accept.parse_offer`` to codify what types of offers |
| 31 | + are compatible with ``acceptparse.AcceptValidHeader.acceptable_offers``, |
| 32 | + ``acceptparse.AcceptMissingHeader.acceptable_offers``, and |
| 33 | + ``acceptparse.AcceptInvalidHeader.acceptable_offers``. This API also |
| 34 | + normalizes the offer with lowercased type/subtype and parameter names. |
| 35 | + See https://github.com/Pylons/webob/pull/376 and |
| 36 | + https://github.com/Pylons/webob/pull/379 |
| 37 | + |
| 38 | +Compatibility |
| 39 | +~~~~~~~~~~~~~ |
| 40 | + |
| 41 | + |
| 42 | +Backwards Incompatibilities |
| 43 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 44 | + |
| 45 | +- Drop support for Python 2.7, 3.4, 3.5, 3.6, 3.7, 3.8 and 3.9 |
| 46 | + |
| 47 | +Experimental Features |
| 48 | +~~~~~~~~~~~~~~~~~~~~~ |
| 49 | + |
| 50 | +- The SameSite value now includes a new option named "None", this is a new |
| 51 | + change that was introduced in |
| 52 | + https://tools.ietf.org/html/draft-west-cookie-incrementalism-00 |
| 53 | + |
| 54 | + Please be aware that older clients are incompatible with this change: |
| 55 | + https://www.chromium.org/updates/same-site/incompatible-clients, WebOb does |
| 56 | + not enable SameSite on cookies by default, so there is no backwards |
| 57 | + incompatible change here. |
| 58 | + |
| 59 | + See https://github.com/Pylons/webob/issues/406 |
| 60 | + |
| 61 | +- Validation of SameSite values can be disabled by toggling a module flag. This |
| 62 | + is in anticipation of future changes in evolving cookie standards. |
| 63 | + The discussion in https://github.com/Pylons/webob/pull/407 (which initially |
| 64 | + expanded the allowed options) notes the sudden change to browser cookie |
| 65 | + implementation details may happen again. |
| 66 | + |
| 67 | + In May 2019, Google announced a new model for privacy controls in their |
| 68 | + browsers, which affected the list of valid options for the SameSite attribute |
| 69 | + of cookies. In late 2019, the company began to roll out these changes to their |
| 70 | + browsers to force developer adoption of the new specification. |
| 71 | + See https://www.chromium.org/updates/same-site and |
| 72 | + https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for more |
| 73 | + details on this change. |
| 74 | + |
| 75 | + See https://github.com/Pylons/webob/pull/409 |
| 76 | + |
| 77 | + |
| 78 | +Bugfix |
| 79 | +~~~~~~ |
| 80 | + |
| 81 | +- Response.content_type now accepts unicode strings on Python 2 and encodes |
| 82 | + them to latin-1. See https://github.com/Pylons/webob/pull/389 and |
| 83 | + https://github.com/Pylons/webob/issues/388 |
| 84 | + |
| 85 | +- Accept header classes now support a .copy() function that may be used to |
| 86 | + create a copy. This allows ``create_accept_header`` and other like functions |
| 87 | + to accept an pre-existing Accept header. See |
| 88 | + https://github.com/Pylons/webob/pull/386 and |
| 89 | + https://github.com/Pylons/webob/issues/385 |
| 90 | + |
| 91 | +- SameSite may now be passed as str or bytes to `Response.set_cookie` and |
| 92 | + `cookies.make_cookie`. This was an oversight as all other arguments would be |
| 93 | + correctly coerced before being serialized. See |
| 94 | + https://github.com/Pylons/webob/issues/361 and |
| 95 | + https://github.com/Pylons/webob/pull/362 |
| 96 | + |
| 97 | +- acceptparse.MIMEAccept which is deprecated in WebOb 1.8.0 made a backwards |
| 98 | + incompatible change that led to it raising on an invalid Accept header. This |
| 99 | + behaviour has now been reversed, as well as some other fixes to allow |
| 100 | + MIMEAccept to behave more like the old version. See |
| 101 | + https://github.com/Pylons/webob/pull/356 |
| 102 | + |
| 103 | +- ``acceptparse.AcceptValidHeader``, ``acceptparse.AcceptInvalidHeader``, and |
| 104 | + ``acceptparse.AcceptNoHeader`` will now always ignore offers that do not |
| 105 | + match the required media type grammar when calling ``.acceptable_offers()``. |
| 106 | + Previous versions raised a ``ValueError`` for invalid offers in |
| 107 | + ``AcceptValidHeader`` and returned them as acceptable in the others. |
| 108 | + See https://github.com/Pylons/webob/pull/372 |
| 109 | + |
| 110 | +- ``Response.body_file.write`` and ``Response.write`` now returns the written |
| 111 | + length. See https://github.com/Pylons/webob/pull/422 |
| 112 | + |
| 113 | +Warnings |
| 114 | +~~~~~~~~ |
| 115 | + |
| 116 | +- Some backslashes introduced with the new accept handling code were causing |
| 117 | + DeprecationWarnings upon compiling the source to pyc files, all of the |
| 118 | + backslashes have been reigned in as appropriate, and users should no longer |
| 119 | + see DeprecationWarnings for invalid escape sequence. See |
| 120 | + https://github.com/Pylons/webob/issues/384 |
0 commit comments