Changes since 0.12.0 include a fix for CVE-2017-6807
Version 0.14.0
==============
* Backwards incompatible changes
This version switches the default signature algorithm used when
signing messages from rsa-sha1 to rsa-sha256. If your IdP does not
allow messages to be signed with that algorithm, you need to add a
setting switching back to the old algorithm:
MellonSignatureMethod rsa-sha1
Note that this only affects messages sent from mod_auth_mellon to your
IdP. It does not affect authentication responses or other messages
sent from your IdP to mod_auth_mellon.
* New features
Many improvements in what is logged during various errors.
Diagnostics logging, which creates a detailed log during request
processing.
Add support for selecting which signature algorithm is used when
signing messages, and switch to rsa-sha256 by default.
* Bug fixes
Fix segmentation fault in POST replay functionality on empty value.
Fix incorrect error check for many lasso_*-functions.
Fix case sensitive match on MellonUser attribute name.
Version 0.13.1
==============
* Security fix
Fix a cross-site session transfer vulnerability. mod_auth_mellon
version 0.13.0 and older failed to validate that the session
specified in the user's session cookie was created for the web site
the user actually accesses.
If two different web sites are hosted on the same web server, and
both web sites use mod_auth_mellon for authentication, this
vulnerability makes it possible for an attacker with access to one
of the web sites to copy their session cookie to the other web
site, and then use the same session to get access to the other web
site.
Thanks to François Kooman for reporting this vulnerability.
This vulnerability has been assigned CVE-2017-6807.
Note: The fix for this vulnerability makes mod_auth_mellon validate
that the cookie parameters used when creating the session match
the cookie parameters that should be used when accessing the current
page. If you currently use mod_auth_mellon across multiple subdomains,
you must make sure that you set the MellonCookie-option to the same
value on all domains.
* Bug fixes
Fix segmentation fault if a (trusted) identity provider returns
a SAML 2.0 attribute without a Name.
Fix segmentation fault if MellonPostReplay is enabled but
MellonPostDirectory is not set.
Version 0.13.0
==============
* Security fix
Fix a denial of service attack in the logout handler, which allows
a remote attacker to crash the Apache worker process with a
segmentation fault. This is caused by a null-pointer dereference
when processing a malformed logout message.
* New features
Allow MellonSecureCookie to be configured to enable just one
of the "httponly" or "secure" flags, instead of always enabling
both flags.
Support per-module log level with Apache 2.4.
Allow disabling the Cache-Control HTTP response header.
Add support for SameSite cookie parameter.
* Bug fixes
Fix MellonProbeDiscoveryIdP redirecting to the wrong IdP if no IdPs
respond to the probe request.
Fix mod_auth_mellon interfering with other Apache authentication
modules even when it is disabled for a path.
Fix wrong HTTP status code being returned in some cases during
user permission checks.
Fix default POST size limit to actually be 1 MB.
Fix error if authentication response is missing the optional
Conditions-element.
Fix AJAX requests being redirected to the IdP.
Fix wrong content type for ECP authentication request responses.
In addition there are various fixes for errors in the documentation,
as well as internal code changes that do not have any user visible
effects.
Upstream changes (from NEWS):
== Ruby-GNOME2 3.2.5: 2018-05-02
This is a bug fix release of 3.2.4.
=== Changes
==== Document
* Fixes
* Fixed typos.
[GitHub#1158][Patch by kojix2]
[GitHub#1160][Patch by kojix2]
==== Ruby/GLib2
* Fixes
* Fixed a GC related crash bug.
[GitHub#1162][Reported by Izumi Tsutsui]
==== Ruby/GObjectIntrospection
* Improvements
* Disabled NULL check for GObject Introspection < 1.42. Because
GObject Introspection < 1.42 doesn't support "(nullable)"
annotation yet.
==== Ruby/GdkPixbuf2
* Improvements
* (({GdkPixbuf::Pixbuf#composite})): Suppressed wrong warning.
[GitHub#1156][Reported by Chaistrin]
[GitHub#1157][Patch by cedlemo]
* Fixes
* Added a missing white space into message.
[GitHub#1155][Reported by Robert A. Heiler]
* (({GdkPixbuf::Pixbuf#composite})): Fixed a bug that width and
height are ignored.
[Patch by cedlemo]
==== Ruby/GTK3
* Improvements
* (({Gtk::TextBuffer#initialize})): Accepted "property-name" form.
[GitHub#1161][Reported by kojix2]
==== Ruby/Poppler
* Improvements
* Added a workaround for poppler-glib 0.63 bug.
[GitHub#1159][Reported by HIGUCHI Daisuke]
=== Thanks
* Robert A. Heiler
* Chaistrin
* cedlemo
* kojix2
* Izumi Tsutsui
* HIGUCHI Daisuke
1.50 Mon Apr 16 15:16:59 CDT 2018
------------------------------------
[FIXES]
Added html_tidy_ok() methods, analogous to html_lint_ok().
Remove unnecessary dependency on HTML::TreeBuilder. Thanks, Kent Fredric.
1.49_01 Mon Mar 26 10:58:51 CDT 2018
------------------------------------
[ENHANCEMENTS]
Adding autotidy functionality. autotidy lets you validate every page that
Mech gets using the HTML::Tidy5 module, just like the autolint feature
does with the HTML::Lint module. HTML::Tidy5 is a much more complete
HTML checking tool, and validates HTML5 which HTML::Lint does not. You
must have HTML::Tidy5 1.00 installed to use autotidy.
7.77 2018-04-28
- Added support for namespace selectors like "ns|*" to Mojo::DOM::CSS.
(jberger)
- Added support for :link and :visited pseudo-classes to Mojo::DOM::CSS.
- Added support for hyphen-separated list attribute selectors like
"[hreflang|=en]" to Mojo::DOM::CSS.
7.76 2018-04-23
- Due to lack of domain experts on the team, Windows is no longer officially
supported. Moving forward, we will try to keep Mojolicious installable on
Windows, but cannot make any promises regarding security and/or reliability.
- Fixed a bug in Mojolicious::Plugin::Config where the config stash value was
not available when the config_override feature was used. (tim)
7.75 2018-04-09
- Deprecated placeholder quoting with "(placeholder)" in favor of
"<placeholder>".
- Fixed warnings in Mojo::Collection.
7.74 2018-04-06
- Improved unknown placeholder types to match nothing in
Mojolicious::Routes::Pattern.
7.73 2018-04-05
- Added support for routes with placeholder types.
- Added types attribute to Mojolicious::Routes and
Mojolicious::Routes::Pattern.
- Added add_type method to Mojolicious::Routes.
- Added to_file method to Mojo::Asset, Mojo::Asset::File and
Mojo::Asset::Memory.
- Added num placeholder type to Mojolicious::Routes.
- Removed deprecated use of Mojo::Promise::all and Mojo::Promise::race as
instance methods.
7.72 2018-04-02
- Improved Mojo::Content::MultiPart performance for large numbers of parts.
(philipspencer)
- Fixed another problem with ordering of sources for content negotiation in
Mojolicious::Renderer.
5.90118 - 2018-05-01
- fix handling of fragments in uri_for when path is an unblessed string (GH#160)
- ensure catalyst.pl is included with dist
- drop IO::Scalar prereq
- include optional test prereqs as develop prereqs
- remove unused developer prereq on Catalyst::Engine::PSGI
- use namespace::clean consistently rather than namespace::autoclean
- use JSON for test metadata to avoid needing YAML
- use JSON::MaybeXS consistently in code
- drop unused prereq of HTTP::Request::AsCGI
- drop unneeded prereq of Class::Data::Inheritable
- fix tests to cope with changes in new versions of Time::HiRes
- POD typo and syntax fixes
There still might be missing dependencies, but the self tests pass.
2.04 2018-04-20 12:25:55+01:00 Europe/London
- No code changes from Trial release
- Updated list of contributors.
2.03 2018-04-17 17:19:27+01:00 Europe/London (TRIAL RELEASE)
- Tweaks for travis CI and release tooling
- Revert to using MooseX::Attribute::Chained as per HTML::FormFu v2.06
Requires HTML::FormFu v2.06
fixes CPAN RT#125102
Thanks to Petr Písař <ppisar@redhat.com>
0.9.8:
* Extended auth plugin API.
* Added exit status code 7 for plugin errors.
* Added support for curses-less Python installations.
* Fixed REQUEST_ITEM arg incorrectly being reported as required.
* Improved CTRL-C interrupt handling.
* Added the standard exit status code 130 for keyboard interrupts.
0.9.6:
* Added Python 3 as a dependency for Homebrew installations
to ensure some of the newer HTTP features work out of the box
for macOS users (starting with HTTPie 0.9.4.).
* Added the ability to unset a request header with Header:, and send an
empty value with Header;.
* Added --default-scheme <URL_SCHEME> to enable things like
$ alias https='http --default-scheme=https'.
* Added -I as a shortcut for --ignore-stdin.
* Added fish shell completion (located in extras/httpie-completion.fish
in the Github repo).
* Updated requests to 2.10.0 so that SOCKS support can be added via
pip install requests[socks].
* Changed the default JSON Accept header from application/json
to application/json, */*.
* Changed the pre-processing of request HTTP headers so that any leading
and trailing whitespace is removed.
0.9.4:
* Added Content-Type of files uploaded in multipart/form-data requests
* Added --ssl=<PROTOCOL> to specify the desired SSL/TLS protocol version
to use for HTTPS requests.
* Added JSON detection with --json, -j to work around incorrect
Content-Type
* Added --all to show intermediate responses such as redirects (with --follow)
* Added --history-print, -P WHAT to specify formatting of intermediate responses
* Added --max-redirects=N (default 30)
* Added -A as short name for --auth-type
* Added -F as short name for --follow
* Removed the implicit_content_type config option
(use "default_options": ["--form"] instead)
* Redirected stdout doesn't trigger an error anymore when --output FILE
is set
* Changed the default --style back to solarized for better support
of light and dark terminals
* Improved --debug output
* Fixed --session when used with --download
* Fixed --download to trim too long filenames before saving the file
* Fixed the handling of Content-Type with multiple +subtype parts
* Removed the XML formatter as the implementation suffered from multiple issues
2.0.5:
Bugfixes
* Corrected the import paths that inspectdb generates for django.contrib.postgres fields.
* Fixed a regression in Django 1.11.8 where altering a field with a unique constraint may drop and rebuild more foreign keys than necessary.
* Fixed crashes in django.contrib.admindocs when a view is a callable object, such as django.contrib.syndication.views.Feed.
* Fixed a regression in Django 1.11.12 where QuerySet.values() or values_list() after combining an annotated and unannotated queryset with union(), difference(), or intersection() crashed due to mismatching columns.
1.11.13:
Bugfixes
* Fixed a regression in Django 1.11.8 where altering a field with a unique constraint may drop and rebuild more foreign keys than necessary.
* Fixed crashes in django.contrib.admindocs when a view is a callable object, such as django.contrib.syndication.views.Feed.
* Fixed a regression in Django 1.11.12 where QuerySet.values() or values_list() after combining an annotated and unannotated queryset with union(), difference(), or intersection() crashed due to mismatching columns.
1.1:
Added support for skipping static(), mostly useful when adding external scripts via JS() (e.g for adding defer="defer").
Made the attributes dictionary optional.
Add security patch for SQUID-2018_3.
Bump PKGREVISION.
http://www.squid-cache.org/Advisories/SQUID-2018_3.txt
__________________________________________________________________
Problem Description:
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses.
__________________________________________________________________
Severity:
This problem allows a remote server delivering ESI responses
to trigger a denial of service for all clients accessing the
Squid service.
This problem is limited to Squid operating as reverse proxy.
19.8.0:
Eventlet 0.21.0 support
Tornado 5 support
support watching additional files with --reload-extra-file
support configuring logging with a dictionary with --logging-config-dict
add support for the --config flag in the GUNICORN_CMD_ARGS environment variable
disable SO_REUSEPORT by default and add the --reuse-port setting
fix: installing inotify on MacOS no longer breaks the reloader
fix: do not throw TypeError when SO_REUSEPORT is not available
fix: properly decode HTTP paths containing certain non-ASCII characters
fix: remove whitespace when logging header values under gevent
fix: close unlinked temporary files
fix: parse --umask=0 correctly
fix: allow loading applications using relative file paths
fix: force blocking mode on the gevent sockets
fix: preserve leading / in request path
fix: forbid contradictory secure scheme headers
fix: handle malformed basic authentication headers in access log
fix: defer handling of USR1 signal to a new greenlet under gevent
fix: the threaded worker would sometimes close the wrong keep-alive connection under Python 2
fix: re-open log files on USR1 signal using handler._open to support subclasses of FileHandler
deprecation: the gaiohttp worker is deprecated, see the worker_class documentation for more information
=== RELEASE 2.15 ===
Thu Jan 18 19:12:02 CET 2018 mikulas:
Rewrite google docs URLs to the download link, so that the file can be
viewed in external viewer
Mon Nov 20 01:09:20 CET 2017 mikulas:
Add the list of domains for which proxy is not used
Sun Nov 19 00:57:26 CET 2017 mikulas:
Temporarily replace the stderr handle with /dev/null when decoding
png or svg images because the libraries may write to stderr
Sat Nov 11 21:31:45 CET 2017 mikulas:
Fix improper restarts of connection when http compression is used
Thu Oct 12 21:07:06 CEST 2017 mikulas:
Free cache when using the -source flag, so that memory consumption is
not dependent on downloaded file size
Thu Oct 12 20:39:00 CEST 2017 mikulas:
Do not download compressed files. When the server returns compressed
file and we are downloading, restart the connection without compression.
Tue Oct 10 19:38:04 CEST 2017 mikulas:
Allow browsing files containing characters < 32 in the filename
Sun Oct 8 22:28:56 CEST 2017 mikulas:
Limit the number of OpenMP threads to 8
Sun Oct 8 21:47:12 CEST 2017 mikulas:
Fix premature call to OPENSSL_cleanup while some SSL objects could
still exist
Sat Sep 30 12:44:39 CEST 2017 mikulas:
Enable -ftree-vectorize and -ffast-math for GCC, so that it uses
vector instructions. It improves performance of image scaler.
Mon Sep 4 04:46:20 CEST 2017 mikulas:
Support international domain names
Mon Aug 28 04:24:09 CEST 2017 mikulas:
Fix reordering of blocked URLs each time options were saved and loaded
Wed Aug 2 19:35:00 CEST 2017 mikulas:
Fix reading one byte beyond allocated space in case of corrupted
UTF-8 data - CVE-2017-11114
Tue Jul 18 22:10:00 CEST 2017 mikulas:
Support the brotli compression algorithm using libbrotli:
https://github.com/bagder/libbrotli
Sun Jul 16 15:19:17 CEST 2017 mikulas:
Support lzip compression
Sun Jul 2 21:31:32 CEST 2017 mikulas:
Add a new main menu item 'Windows' for switching windows on framebuffer
Thu Jun 22 19:50:01 CEST 2017 mikulas:
Fix an internal error if the gpm server is terminated while links is
running on a framebuffer
Wed Jun 21 01:22:27 CEST 2017 mikulas:
Use fsync() when writing the bookmarks or settings
Sat Jun 3 01:25:07 CEST 2017 mikulas:
Clear host entry in DNS cache when connection failed
Mon May 29 02:20:08 CEST 2017 mikulas:
Use built-in SSL certificates
This improves tor hardening (the tor exit node could not differentiate
links users from each other based on installed certificates)
It also makes it possible to use certificate verification on systems
with no default certificate store
Sat May 27 21:17:28 CEST 2017 mikulas:
Encode strings to UTF-8 when storing them in a history, it fixes a bug
when browsing the history if Links is run on multiple terminals with
different character sets
Wed Mar 29 20:48:43 CEST 2017 mikulas:
Use absolute time when calculating the time to flush DNS cache, HTTPS
session cache and keepalive connection cache, so that the cache gets
flushed when the machine is kept suspended for a long time.
Sat Mar 18 22:17:36 CET 2017 mikulas:
Report IP addresses in the "Document info" box.
Fri Mar 10 21:05:08 CET 2017 mikulas:
Implement a small connection timeout when connecting to a host with
multiple addresses, so that there is faster fallback from IPv6 to IPv4.
Tue Mar 7 20:30:01 CET 2017 mikulas:
Replace OpenSSL malloc functions with CRYPTO_set_mem_functions, so that
when malloc returns NULL, we can free some cached data and retry
Sat Feb 25 15:59:57 CET 2017 mikulas:
Avoid reallocating the line array over and over with the same size.
Most realloc implementations fall back to no operation if a memory chunk
is reallocated to the same size, however, the address sanitizer always
copies the array - this resulted in quadratic complexity and performance
degradation on big files.
Fri Feb 24 20:42:48 CET 2017 mikulas:
Refactor list processing code so that it conforms to C89 aliasing rules
Also, avoid warning when using ubsan on x32 architecture
Sun Feb 19 23:21:29 CET 2017 mikulas:
Terminate keepalive connection when changing the IPv6 address preference
Sun Feb 19 22:41:08 CET 2017 mikulas:
Links contained a code that tests for ".onion" address suffix and
rejects DNS lookups for it. The code was buggy, it was never activated
and it accessed invalid memory.
Sat Jan 28 20:45:34 CET 2017 mikulas:
Avoid memcpy with NULL source argument and zero length (it doesn't
crash, but it's formally incorrect and the sanitizer warns about it)
Wed Jan 18 22:52:09 CET 2017 mikulas:
Make the "dns-prefetch" link prefetch just dns, not the whole document
Wed Jan 18 21:16:27 CET 2017 mikulas:
Fix compilation failure on OpenBSD because OpenBSD removed
the timeout_* macros from libevent
Tue Jan 17 21:31:38 CET 2017 mikulas:
Use OpenSSL functions X509_check_host and X509_check_ip if available
Mon Dec 26 16:49:38 CET 2016 mikulas:
Report status when formatting document or searching
Wed Dec 14 04:55:32 CET 2016 mikulas:
Use session cache on https
pkgsrc changes:
- update HOMEPAGE (follow renamed github)
Upstream changes (from CHANGES.md):
## 3.3.0 (2018-04-25)
This version backports some of the fixes and improvements made to development
version of the HTTP gem:
* [#458](https://github.com/httprb/http/pull/458)
Extract HTTP::Client#build_request method.
([@tycoon])
## 3.2.1 (2018-04-24)
* [#468](https://github.com/httprb/http/pull/468)
Rewind `HTTP::Request::Body#source` once `#each` is complete.
([@ixti])
## 3.2.0 (2018-04-22)
This version backports one change we missed to backport in previous release:
* Reduce memory usage when reading response body
([@janko-m])
## 3.1.0 (2018-04-22)
This version backports some of the fixes and improvements made to development
version of the HTTP gem:
* Fix for `#readpartial` to respect max length argument.
([@janko-m], [@marshall-lee])
* Fix for `HTTP::Request#headline` to allow two leading slashes in path.
([@scarfacedeb])
* Fix query string building for string with newlines.
([@mikegee])
* Deallocate temporary strings in `Response::Body#to_s`.
([@janko-m])
* Add `Request::Body#source`.
([@janko-m])
v1.6.7
Version 1.6.7
Bugfix release
**Note**: The next release of this library will no longer directly depend on
oauth2client. If you need to use oauth2client, you'll need to explicitly
install it.
- Make body optional for requests with no parameters. (#446)
- Fix retrying on socket.timeout. (#495)
- Match travis matrix with tox testenv. (#498)
- Remove oauth2client._helpers dependency. (#493)
- Remove unused keyring test dependency. (#496)
- discovery.py: remove unused oauth2client import. (#492)
- Update README to reference GCP API client libraries. (#490)
WebKitGTK+ 2.20.1 released!
Improve error message when Gigacage cannot allocate virtual memory.
Add missing WebKitWebProcessEnumTypes.h to webkit-web-extension.h.
Improve web process memory monitor thresholds.
Fix a web process crash when the web view is created and destroyed quickly.
Fix a network process crash when load is cancelled while searching for stored HTTP auth credentials.
Fix the build when ENABLE_VIDEO, ENABLE_WEB_AUDIO and ENABLE_XSLT are disabled.
Fix several crashes and rendering issues.
Translation updates: Brazilian Portuguese, Czech.
WebKitGTK+ 2.20.0 released!
New API to retrieve and delete cookies with WebKitCookieManager.
New web process API to detect when form is submitted via JavaScript.
Several improvements and fixes in the touch/gestures support.
Support for the “system” CSS font family.
Complex text rendering improvements and fixes.
Added a low power mode.
More complete and spec compliant WebDriver implementation.
From the release announcement:
* Hide closed tasks on central,
* Quick search in saved searches panel,
* Fix image in FAQ for anonymous users,
* Possibility to add an analytics javascript,
* Various fixes on components,
* And many more!
The full changelog is available here for more details:
https://github.com/glpi-project/glpi/milestone/24?closed=1
6.7.0:
[Sanic] Added support for sanic.
[Core] Disabled dill logger by default
[Core] Added SENTRY_NAME, SENTRY_ENVIRONMENT and SENTRY_RELEASE environment variables
[Core] DSN secret is now optional
[Core] Added fix for cases with exceptions in repr
[Core] Fixed bug with mutating record.data
v14.2.0
* :issue:1680 via :pr:1683: HTTP Basic Auth supports :rfc:7617 UTF-8
charset decoding where possible. Uses latin1 as a fallback.
v14.1.0
* :cr-pr:37: Add support for peercreds lookup over UNIX domain socket.
This enables app to automatically identify "who's on the other
end of the wire".
This is how you enable it::
server.peercreds: True
server.peercreds_resolve: True
The first option will put remote numeric data to WSGI env vars:
app's PID, user's id and group.
Second option will resolve that into user and group names.
To prevent expensive syscalls, data is cached on per connection
basis.
v6.2.4
- Fix missing resolve_peer_creds argument in
:py:class:cheroot.wsgi.Server being bypassed into
:py:class:cheroot.server.HTTPServer.
- :pr:85: Revert conditional dependencies. System packagers should
honor the dependencies as declared by cheroot, which are defined
intentionally.
5.3:
Iterating a Countries object now returns named tuples. This makes things nicer when using {% get_countries %} or using the country list elsewhere in your code.
Contao 4.5.7 (2018-04-04)
Contao version 4.5.7 is available. The bugfix release fixes a few minor
issues including a problem with validating the request token and a problem
with rendering custom layout sections.
Contao 4.5.8 (2018-04-18)
Contao version 4.5.8 is available. The bugfix release fixes an XSS
vulnerability in the system log of the back end (CVE-2018-10125).
CVE-2018-10125
With a manipulated request, an attacker can implant a script which is executed
when a logged in back end user opens the system log. The attacker themselves
does not have to be logged in.
The problem affects Contao 3.0.0 to 3.5.34, 4.0.0 to 4.4.17 and 4.5.0 to
4.5.7. We highly recommend you to update.
Contao 4.4.17 (2018-04-04)
Contao version 4.4.17 is available. The bugfix release fixes a few minor
issues including a problem with rendering custom layout sections.
Contao 4.4.18 (2018-04-18)
Contao version 4.4.18 is available. The bugfix release fixes an XSS
vulnerability in the system log of the back end (CVE-2018-10125).
CVE-2018-10125
With a manipulated request, an attacker can implant a script which is executed
when a logged in back end user opens the system log. The attacker themselves
does not have to be logged in.
The problem affects Contao 3.0.0 to 3.5.34, 4.0.0 to 4.4.17 and 4.5.0 to
4.5.7. We highly recommend you to update.
Version 3.5.35 (2018-04-18)
---------------------------
### Fixed
Fix an XSS vulnerability in the system log (see CVE-2018-10125).
CVE-2018-10125
With a manipulated request, an attacker can implant a script which is executed
when a logged in back end user opens the system log. The attacker themselves
does not have to be logged in.
The problem affects Contao 3.0.0 to 3.5.34, 4.0.0 to 4.4.17 and 4.5.0 to
4.5.7. We highly recommend you to update.
Upstream changes:
0.206000 2018-04-19 22:09:46-04:00 America/New_York
[ BUG FIXES ]
* GH #1090, #1406: Replace HTTP::Body with HTTP::Entity::Parser in
Dancer2::Core::Request. (Russell @veryrusty Jenkins)
* GH #1292: Fix multiple attribute definitions within Plugins
(Nigel Gregoire)
* GH #1304: Fix the order by which config files are loaded, independently
of their filename extension (Alberto Simões, Russell @veryrusty Jenkins)
* GH #1400: Fix infinite recursion with exceptions that use circular
references. (Andre Walker)
* GH #1430: Fix `dancer2 gen` from source directory when Dancer2 not
installed. (Tina @perlpunk Müller - Tina)
* GH #1434: Add `validate_id` method to verify a session id before
requesting the session engine fetch it from its data store.
(Russell @veryrusty Jenkins)
* GH #1435, #1438: Allow XS crush_cookie methods to return an arrayref
of values. (Russell @veryrusty Jenkins)
* GH #1443: Update copyright year (Joseph Frazer)
* GH #1445: Use latest HTTP::Headers::Fast (Russell @veryrusty Jenkins)
* PR #1447: Fix missing build requires (Mohammad S Anwar)
[ ENHANCEMENTS ]
* PR #1354: TemplateToolkit template engine will log (at debug level)
if a template is not found. (Kiel R Stirling, Russell @veryrusty Jenkins)
* GH #1432: Support Content-Disposition of inline in
send_file() (Dave Webb)
* PR #1433: Verbose testing in AppVeyor (Graham Knop)
[ DOCUMENTATION ]
* GH #1314: Documentation tweaks (David Precious)
* GH #1317: Document serializer configuration (sdeseille)
* GH #1386: Add Hello World example (Gabor Szabo)
* PR #1408: List project development resources (Steve Dondley)
* PR #1426: Move performance improvement information from Migration guide
to Deployment (Pedro Melo)
0.206000_02 2018-04-09 21:48:24-04:00 America/New_York (TRIAL RELEASE)
[ BUG FIXES ]
* GH #1090, #1406: Replace HTTP::Body with HTTP::Entity::Parser in
Dancer2::Core::Request. (Russell @veryrusty Jenkins)
* GH #1304: Fix the order by which config files are loaded, independently
of their filename extension (Alberto Simões, Russell @veryrusty Jenkins)
* GH #1400: Fix infinite recursion with exceptions that use circular
references. (Andre Walker)
* GH #1430: Fix `dancer2 gen` from source directory when Dancer2 not
installed. (Tina @perlpunk Müller - Tina)
* GH #1434: Add `validate_id` method to verify a session id before
requesting the session engine fetch it from its data store.
(Russell @veryrusty Jenkins)
* GH #1435, #1438: Allow XS crush_cookie methods to return an arrayref
of values. (Russell @veryrusty Jenkins)
* GH #1443: Update copyright year (Joseph Frazer)
* GH #1445: Use latest HTTP::Headers::Fast (Russell @veryrusty Jenkins)
[ ENHANCEMENTS ]
* PR #1354: TemplateToolkit template engine will log (at debug level)
if a template is not found. (Kiel R Stirling, Russell @veryrusty Jenkins)
* GH #1432: Support Content-Disposition of inline in
send_file() (Dave Webb)
* PR #1433: Verbose testing in AppVeyor (Graham Knop)
[ DOCUMENTATION ]
* GH #1317: Document serializer configuration (sdeseille)
* PR #1426: Move performance improvement information from Migration guide
to Deployment (Pedro Melo)
Upstream changes:
1.74 2018-04-22 12:30:44Z
- avoid 'uninitialized' warning in URI::File when host has no domain name
set (PR#53, thanks Shoichi Kaji!)
Upstream changes:
2.06 2018-04-09 20:23:54+00:00 UTC
- New JSON Constraint
- Improve email tests, so that MX tests are only run if internet access
- Tests improved to ensure all locales pass
- Corrected Email Validation so that spaces in the address cause failures
- add new auto_error_field_class() method to add classes directly
to field tag
- constraints_from_dbic() can now be called on Blocks,
handles 'nested_name', and support added for BOOL and DECIMAL columns
- remove bundled/renamed MooseX::Attribute::Chained and depend on the
fixed version
- Remove out-of-date reference to lacunaexpanse.
Version 0.14.1
Resolved a regression with status code handling in the integrated development server.
Version 0.14
HTTP exceptions are now automatically caught by Request.application.
Added support for edge as browser.
Added support for platforms that lack SpooledTemporaryFile.
Add support for etag handling through if-match
Added support for the SameSite cookie attribute.
Added werkzeug.wsgi.ProxyMiddleware
Implemented has for NullCache
get_multi on cache clients now returns lists all the time.
Improved the watchdog observer shutdown for the reloader to not crash on exit on older Python versions.
Added support for filename* filename attributes according to RFC 2231
Resolved an issue where machine ID for the reloader PIN was not read accurately on windows.
Added a workaround for syntax errors in init files in the reloader.
Added support for using the reloader with console scripts on windows.
The built-in HTTP server will no longer close a connection in cases where no HTTP body is expected (204, 204, HEAD requests etc.)
The EnvironHeaders object now skips over empty content type and lengths if they are set to falsy values.
Werkzeug will no longer send the content-length header on 1xx or 204/304 responses.
Cookie values are now also permitted to include slashes and equal signs without quoting.
Relaxed the regex for the routing converter arguments.
If cookies are sent without values they are now assumed to have an empty value and the parser accepts this. Previously this could have corrupted cookies that followed the value.
The test Client and EnvironBuilder now support mimetypes like the request object does.
Added support for static weights in URL rules.
Better handle some more complex reloader scenarios where sys.path contained non directory paths.
EnvironHeaders no longer raises weird errors if non string keys are passed to it.
3.2.1
Fix automatic deployment to PyPI.
3.2.0
Features:
Added new fixture django_assert_num_queries for testing the number of database queries
--fail-on-template-vars has been improved and should now return full/absolute path
Support for setting the live server port
unittest: help with setUpClass not being a classmethod
Bug fixes:
Fix --reuse-db and --create-db not working together
Numerous fixes in the documentation. These should not go unnoticed.
Compatibility:
Support for Django 2.0 has been added.
Support for Django before 1.8 has been dropped.