Packaging changes: add patch to work around calling mkostemp with
invalid flags.
Upstream changes:
Bug fixes
Fix for CVE-2016-8606. REPL server now protects against HTTP
inter-protocol attacks
Fix for CVE-2016-8605. 'mkdir' procedure no longer calls umask(2)
(<http://bugs.gnu.org/24659>)
New interface mkstemp! which takes optional "mode" argument
New 'scm_to_uintptr_t' and 'scm_from_uintptr_t' C functions
Version 0.14.2
--------------
Released 2017-01-10
- Fix bug where ``FlaskForm`` assumed ``meta`` argument was not ``None`` if it
was passed. (`#278`_)
.. _#278: https://github.com/lepture/flask-wtf/issues/278
Version 0.14.1
--------------
Released 2017-01-10
- Fix bug where the file validators would incorrectly identify an empty file as
valid data. (`#276`_, `#277`_)
- ``FileField`` is no longer deprecated. The data is checked during
processing and only set if it's a valid file.
- ``has_file`` *is* deprecated; it's now equivalent to ``bool(field.data)``.
- ``FileRequired`` and ``FileAllowed`` work with both the Flask-WTF and
WTForms ``FileField`` classes.
- The ``Optional`` validator now works with ``FileField``.
.. _#276: https://github.com/lepture/flask-wtf/issues/276
.. _#277: https://github.com/lepture/flask-wtf/pull/277
Version 0.14
------------
Released 2017-01-06
- Use itsdangerous to sign CSRF tokens and check expiration instead of doing it
ourselves. (`#264`_)
- All tokens are URL safe, removing the ``url_safe`` parameter from
``generate_csrf``. (`#206`_)
- All tokens store a timestamp, which is checked in ``validate_csrf``. The
``time_limit`` parameter of ``generate_csrf`` is removed.
- Remove the ``app`` attribute from ``CsrfProtect``, use ``current_app``.
(`#264`_)
- ``CsrfProtect`` protects the ``DELETE`` method by default. (`#264`_)
- The same CSRF token is generated for the lifetime of a request. It is exposed
as ``g.csrf_token`` for use during testing. (`#227`_, `#264`_)
- ``CsrfProtect.error_handler`` is deprecated. (`#264`_)
- Handlers that return a response work in addition to those that raise an
error. The behavior was not clear in previous docs.
- (`#200`_, `#209`_, `#243`_, `#252`_)
- Use ``Form.Meta`` instead of deprecated ``SecureForm`` for CSRF (and
everything else). (`#216`_, `#271`_)
- ``csrf_enabled`` parameter is still recognized but deprecated. All other
attributes and methods from ``SecureForm`` are removed. (`#271`_)
- Provide ``WTF_CSRF_FIELD_NAME`` to configure the name of the CSRF token.
(`#271`_)
- ``validate_csrf`` raises ``wtforms.ValidationError`` with specific messages
instead of returning ``True`` or ``False``. This breaks anything that was
calling the method directly. (`#239`_, `#271`_)
- CSRF errors are logged as well as raised. (`#239`_)
- ``CsrfProtect`` is renamed to ``CSRFProtect``. A deprecation warning is issued
when using the old name. ``CsrfError`` is renamed to ``CSRFError`` without
deprecation. (`#271`_)
- ``FileField`` is deprecated because it no longer provides functionality over
the provided validators. Use ``wtforms.FileField`` directly. (`#272`_)
.. _`#200`: https://github.com/lepture/flask-wtf/issues/200
.. _`#209`: https://github.com/lepture/flask-wtf/pull/209
.. _`#216`: https://github.com/lepture/flask-wtf/issues/216
.. _`#227`: https://github.com/lepture/flask-wtf/issues/227
.. _`#239`: https://github.com/lepture/flask-wtf/issues/239
.. _`#243`: https://github.com/lepture/flask-wtf/pull/243
.. _`#252`: https://github.com/lepture/flask-wtf/pull/252
.. _`#264`: https://github.com/lepture/flask-wtf/pull/264
.. _`#271`: https://github.com/lepture/flask-wtf/pull/271
.. _`#272`: https://github.com/lepture/flask-wtf/pull/272
Version 0.13.1
--------------
Released 2016/10/6
- Deprecation warning for ``Form`` is shown during ``__init__`` instead of immediately when subclassing. (`#262`_)
- Don't use ``pkg_resources`` to get version, for compatibility with GAE. (`#261`_)
.. _`#261`: https://github.com/lepture/flask-wtf/issues/261
.. _`#262`: https://github.com/lepture/flask-wtf/issues/262
Version 0.13
------------
Released 2016/09/29
- ``Form`` is renamed to ``FlaskForm`` in order to avoid name collision with WTForms's base class. Using ``Form`` will show a deprecation warning. (`#250`_)
- ``hidden_tag`` no longer wraps the hidden inputs in a hidden div. This is valid HTML5 and any modern HTML parser will behave correctly. (`#217`_, `#193`_)
- ``flask_wtf.html5`` is deprecated. Import directly from ``wtforms.fields.html5``. (`#251`_)
- ``is_submitted`` is true for ``PATCH`` and ``DELETE`` in addition to ``POST`` and ``PUT``. (`#187`_)
- ``generate_csrf`` takes a ``token_key`` parameter to specify the key stored in the session. (`#206`_)
- ``generate_csrf`` takes a ``url_safe`` parameter to allow the token to be used in URLs. (`#206`_)
- ``form.data`` can be accessed multiple times without raising an exception. (`#248`_)
- File extension with multiple parts (``.tar.gz``) can be used in the ``FileAllowed`` validator. (`#201`_)
.. _`#187`: https://github.com/lepture/flask-wtf/pull/187
.. _`#193`: https://github.com/lepture/flask-wtf/issues/193
.. _`#201`: https://github.com/lepture/flask-wtf/issues/201
.. _`#206`: https://github.com/lepture/flask-wtf/pull/206
.. _`#217`: https://github.com/lepture/flask-wtf/issues/217
.. _`#248`: https://github.com/lepture/flask-wtf/pull/248
.. _`#250`: https://github.com/lepture/flask-wtf/pull/250
.. _`#251`: https://github.com/lepture/flask-wtf/pull/251
While here, drop maintainership - I haven't used the thing in years,
and definitely not since its conversion to a CMake build (of which I
know nothing).
Changelog:
* Changes in Wget 1.19.1
* Fix bugs, a regression, portability/build issues
* Add new option --retry-on-http-error
* Changes in Wget 1.19
* New option --use-askpass=COMMAND. Fetch user/password by calling
an external program.
* Use IDNA2008 (+ TR46 if available) through libidn2
* When processing a Metalink header, --metalink-index=<number> allows
to process the header's application/metalink4+xml files.
* When processing a Metalink file, --trust-server-names enables the
use of the destination file names specified in the Metalink file,
otherwise a safe destination file name is computed.
* When processing a Metalink file, enforce a safe destination path.
Remove any drive letter prefix under w32, i.e. 'C:D:file'. Call
libmetalink's metalink_check_safe_path() to prevent absolute,
relative, or home paths:
https://tools.ietf.org/html/rfc5854#section-4.1.2.1https://tools.ietf.org/html/rfc5854#section-4.2.8.3
* When processing a Metalink file, --directory-prefix=<prefix> sets
the top of the retrieval tree to prefix for Metalink downloads.
* When processing a Metalink file, reject downloaded files which don't
agree with their own metalink:size value:
https://tools.ietf.org/html/rfc5854#section-4.2.16
* When processing a Metalink file, with --continue resume partially
downloaded files and keep fully downloaded files even if they fail
the verification.
* When processing a Metalink file, create the parent directories of a
"path/file" destination file name:
https://tools.ietf.org/html/rfc5854#section-4.1.2.1https://tools.ietf.org/html/rfc5854#section-4.2.8.3
* On a recursive download, append a .tmp suffix to temporary files
that will be deleted after being parsed, and create them
readable/writable only by the owner.
* New make target 'check-valgrind'
* Fix several bugs
* Fix compatibility issues
2016-12-18 meld 3.17.0
======================
Python 3 porting:
* Python 3 support; we now require Python 3.3 as a minimum
* Python 3 compatibility fixes; too many cases of bytes/string confusion,
syntax changes and other miscellany to mention individually (Vasily
Galkin, Kai Willadsen)
* Handle new unicode-escape behaviour and unicode/bytes confusion for
process interaction and version control plugins (Vasily Galkin, Kai
Willadsen)
* Add support for byte-based filters, to support directory vs. file
comparison filters (Kai Willadsen)
UI changes:
* The "Tabs" menu item has been removed, to better match up with more
modern GTK+ design. All of the actions are still available in the
expected key bindings, and there is a new per-tab context menu.
* The change action buttons in the central pane divider now correctly
render as flat buttons (Kai Willadsen)
* The curves in the central pane divider are now... smoother!
Internal changes:
* Handle reload notifications better in asynchronous saving (Vasily Galkin)
* Remove multi-process diff in favour of asynchronous (threaded, but
GIL-throttled) matching (Kai Willadsen)
* Performance improvements in rendering of multiple widgets, as well as for
initial text comparison (Kai Willadsen)
* Many updates for GTK+ 3.20 and 3.22 ABI changes (Kai Willadsen)
* NOTE: Windows support is currently untested
Fixes:
* Update supported version control list (Kai Willadsen)
* Update requirements and build requirements lists (Kai Willadsen)
* Don't create empty help/figures directories (Kai Willadsen)
* Translation maintenance (Piotr Drąg)
v34.2.0
-------
* #966: Add support for reading dist-info metadata and
thus locating Distributions from zip files.
* #968: Allow '+' and '!' in egg fragments
so that it can take package names that contain
PEP 440 conforming version specifiers.
0.7.1 -- 2017-02-13
-------------------
Fixed Bugs
~~~~~~~~~~
- Fixed monkey-patching for the AppEngineAdapter.
- Make it easier to disable certificate verification when monkey-patching
AppEngine.
- Handle ``multipart/form-data`` bodies without a trailing ``CRLF``.
v1.6.2
Version 1.6.2
Bugfix release
- Fixed a bug where application default credentials would still be used even
when a developerKey was specified. (#347)
- Official support for Python 3.5 and 3.6. (#341)
v0.8.0 (14 February 2017)
+++++++++++++++++++++++++
- Added Fitbit compliance fix.
- Fixed an issue where newlines in the response body for the access token
request would cause errors when trying to extract the token.
- Fixed an issue introduced in v0.7.0 where users passing ``auth`` to several
methods would encounter conflicts with the ``client_id`` and
``client_secret``-derived auth. The user-supplied ``auth`` argument is now
used in preference to those options.
libopenmpt 0.2-beta20.5 (2017-02-05)
[Bug] libmodplug: C++ API did not build with MSVC2008 in 0.2-beta20.4.
libopenmpt 0.2-beta20.4 (2017-02-05, not released)
[Bug] Possible hangs with malformed files containing cyclic plugin routings.
libmodplug: Added all missing C++ API symbols that are accessable via the public libmodplug header file.
Channel frequency could wrap around after some excessive portamento / down in some formats since libopenmpt 0.2-beta17.
Playback improvements for S3M files made with Impulse Tracker and Schism Tracker.
v0.11.4: 2017.02.16
- Unpinned vobject library version (base64 decoding/encoding bug was fixed upstream)
- New option: -c / --config /path/to/config.file
- Changed short option of --search-in-source-files from -c to -f to avoid confusion with the new -c / --config option
- Minor bug fixes
