Version 0.9.3
-------------
(bugfix release, released on July 25th 2013)
- Restored behavior of the ``data`` descriptor of the request class to pre 0.9
behavior. This now also means that ``.data`` and ``.get_data()`` have
different behavior. New code should use ``.get_data()`` always.
In addition to that there is now a flag for the ``.get_data()`` method that
controls what should happen with form data parsing and the form parser will
honor cached data. This makes dealing with custom form data more consistent.
Upstream changes:
0.618 (03.29.2013) - John Siracusa <siracusa@gmail.com>
* Made compatible with perl 5.17.10 (RT 84279)
0.617 (12.30.2012) - John Siracusa <siracusa@gmail.com>
* Added base 2.18 as a prerequisite to avoid a load-order bug that
occurs with some older versions.
* Preserve custom class attributes on label objects (RT 82333)
(Patch by Tom Heady)
0.616 (05.09.2012) - John Siracusa <siracusa@gmail.com>
* Added add_class(es) and delete_class(es) methods.
* Added was_submitted() method to the submit button class.
* Calling clear() on a hidden field now clears it.
0.615 (05.01.2012) - John Siracusa <siracusa@gmail.com>
* Minor efficiency improvements in HTML generation.
0.614 (04.02.2012) - John Siracusa <siracusa@gmail.com>
* Deprecated and undocumented the form_rank_counter() method. It will
be removed in a future release.
* Fixed a bug that could cause a repeated form to get the wrong rank.
0.613 (04.02.2012) - John Siracusa <siracusa@gmail.com>
* Added make_next_form() method to repeatable forms.
* Documented the empty_is_ok() attribute of repeatable forms.
0.612 (03.26.2012) - John Siracusa <siracusa@gmail.com>
* Worked around fatal error triggered by loading Rose::HTML::Form
in the perl debugger in some older versions of perl. (e.g.,
perl -I lib -d lib/Rose/HTML/Form.pm)
Upstream changes:
0.034 2013-06-26 19:02:25 America/New_York
[ADDED]
- Added support for 'Basic' authorization from
user:password parameters in the URL
0.033 2013-06-21 06:26:51 America/New_York
[FIXED]
- Modifying the 'agent' attribute with the accessor will append the
default agent string, just like setting it during construction
0.032 2013-06-20 11:41:24 America/New_York
[ADDED]
- Added 'no_proxy' attribute, defaulting to $ENV{no_proxy}
0.031 2013-06-16 23:18:18 America/New_York
[FIXED]
- Fixed bug receiving 0-length content bodies
0.030 2013-06-13 11:46:15 America/New_York
[FIXED]
- Requests with the empty string as body content no longer generate
'content-type' and 'content-length' headers.
0.029 2013-04-17 13:49:07 America/New_York
[FIXED]
- Checks for new enough OpenSSL library before using SNI (otherwise
IO::Socket::SSL throws warnings)
Changelog:
Version 5.0.9 July 15th 2013
Fixes for mounting a WebDAV resource into ownCloud
Improved expiration of older versions in the case of a full storage
IE8 fixes
Increased speed when syncing shared files
Oracle compatibility fixes
Make upgrade routine more robust
Fix gallery for certain php configurations
Fix pdf viewer close button
user_external fixes
Several smaller fixes
Version 5.0.8 July 10th 2013
SECURITY: XSS vulnerability in “Share Interface” (oC-SA-2013-029)
SECURITY: Authentication bypass in “user_webdavauth” (oC-SA-2013-030)
New anonymous upload feature
Fix syncing of external filesystems
External filesystems performance improvements
Improve compatibility with Oracle
Improved and simplified theming
Internet Explorer 8 fixes
Fixes for partial file uploads
LDAP: fix handling of User and Group Bases
Improved and more robust upgrade system
A lot of encryption system fixes
Do not add groups if user has no groups
Several Contacts fixes
A lot of smaller bugfixes all over the place
0.2.6
-----
* Add options to disable the login decorators.
* If available, use the X-Forwarded-For header instead of request.remote_addr for
the session protection id
Version 0.9.2
-------------
(bugfix release, released on July 18th 2013)
- Added `unsafe` parameter to :func:`~werkzeug.urls.url_quote`.
- Fixed an issue with :func:`~werkzeug.urls.url_quote_plus` not quoting
`'+'` correctly.
- Ported remaining parts of :class:`~werkzeug.contrib.RedisCache` to
Python 3.3.
- Ported remaining parts of :class:`~werkzeug.contrib.MemcachedCache` to
Python 3.3
- Fixed a deprecation warning in the contrib atom module.
- Fixed a regression with setting of content types through the
headers dictionary instead with the content type parameter.
- Use correct name for stdlib secure string comparison function.
- Fixed a wrong reference in the docstring of
:func:`~werkzeug.local.release_local`.
- Fixed an `AttributeError` that sometimes occurred when accessing the
:attr:`werkzeug.wrappers.BaseResponse.is_streamed` attribute.
CppCMS is a free high performance web development framework.
It uses modern C++ and a design borrowing heavily from frameworks
like Django or Java Servlets to handle very high load levels while
minimizing CPU and memory use.
- SECURITY: CVE-2013-1862 (cve.mitre.org)
mod_rewrite: Ensure that client data written to the RewriteLog is
escaped to prevent terminal escape sequences from entering the
log file. [Eric Covener, Jeff Trawick, Joe Orton]
- core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer
strings. The default limit for ap_pregsub() can be adjusted at compile
time by defining AP_PREGSUB_MAXLEN. [Stefan Fritsch, Jeff Trawick]
- core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
on Linux kernel versions 3.x and above. Bug#55121. [Bradley Heilbrun
<apache heilbrun.org>]
- mod_setenvif: Log error on substitution overflow.
[Stefan Fritsch]
- mod_ssl/proxy: enable the SNI extension for backend TLS connections
[Kaspar Brand]
- mod_proxy: Use the same hostname for SNI as for the HTTP request when
forwarding to SSL backends. Bug#53134.
[Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
- mod_ssl: Lower the "FIPS mode weak keys disabled" and "FIPS not selected"
messages in the error log to debug level. [William Rowe]
- mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
with SSLProxyMachineCertificateFile/Path directives. Bug#52212, Bug#54698.
[Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]
- mod_proxy_balancer: Added balancer parameter failontimeout to allow server
admin to configure an IO timeout as an error in the balancer.
[Daniel Ruggeri]
- mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
password. [Daniel Ruggeri]
- htdigest: Fix buffer overflow when reading digest password file
with very long lines. Bug#54893. [Rainer Jung]
- mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
the source href (sent as part of the request body as XML) pointing to a
URI that is not configured for DAV will trigger a segfault. [Ben Reser
<ben reser.org>]
- mod_dav: Ensure URI is correctly uriencoded on return. Bug#54611
[Timothy Wood <tjw omnigroup.com>]
- mod_dav: Make sure that when we prepare an If URL for Etag comparison,
we compare unencoded paths. Bug#53910 [Timothy Wood <tjw omnigroup.com>]
- mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
result in a 412 Precondition Failed for a COPY operation. PR54610
[Timothy Wood <tjw omnigroup.com>]
- mod_dav: When a PROPPATCH attempts to remove a non-existent dead
property on a resource for which there is no dead property in the same
namespace httpd segfaults. Bug#52559 [Diego Santa Cruz
<diego.santaCruz spinetix.com>]
- mod_dav: Do not fail PROPPATCH when prop namespace is not known.
Bug#52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
- mod_dav: Do not segfault on PROPFIND with a zero length DBM.
Bug#52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
are replaced with .include "../../devel/readline/buildlink3.mk", and
USE_GNU_READLINE are removed,
* .include "../../devel/readline/buildlink3.mk" without USE_GNU_READLINE
are replaced with .include "../../mk/readline.buildlink3.mk".
Upstream changes:
0.27 02/26/2013
- Remove more HTTP::Headers assumptions
0.26 02/26/2013
- Add parent dependency
0.25 11/10/2012
- Fix problem with META.yml
0.24 11/10/2012
- Skip CONNECT test on Windows
0.23 11/05/2012
- Fix test failures from newer HTTP::Headers
0.22
- Filter out Status header since it's forbidden in PSGI spec (miyagawa)
0.21
- Bump version to fix some CPAN issues.
0.20
- Fix auto guessing of RewriteLocation.
Upstream changes:
1.0028 2013-06-15 01:42:52 PDT
[IMPROVEMENTS]
- Skip cgi related tests for Win32 (chorny) #413
- Skip tests that could potentially write empty bytes, which could cause
issues on some servers on local sockets with HTTP::Tiny
- Skip tests that require HTTP::Cookies, if not available #414
1.0027 2013-06-13 21:30:12 PDT
[IMPROVEMENTS]
- Not a dev release, including XS free version of Plack::Test*
- Fix cgibin tests that often fail on Win32 #375
1.0026 2013-06-12 23:00:21 PDT
[INCOMPATIBLE CHANGES]
- use HTTP::Tiny in Plack::Test::Suite and Plack::Test::Server rather than skipping it.
1.0025 2013-06-12 13:08:58 PDT
[INCOMPATIBLE CHANGES]
- No XS! Eliminates dependency to LWP::UserAgent by making it completely optional for
testing. If you run Plack::Test with Server implementation or run Plack::Test::Suite
(for PSGI handlers) without LWP installed, the tests will automatically be skipped.
This removes the eventual sub-dependency to HTML::Parser, which is the only XS dependency
in Plack. #408
[IMPROVEMENTS]
- Fixed the warning in OO usage of Plack::Builder (doy) #407
- Shotgun loader now dies if used in Win32 since it leaks memory #320, #400
- Suppress warnings for Test::TCP (kazeburo) #406
- $res->to_app shortcut (ether) #409
* Protect against buffer overrun in DNS query generation
* SourceFormat Enforcement
* Bug 3297: Fix OpenSSL-related build failures
* Fix build on FreeBSD 9.x platform with clang
* Update enigmail to 1.5.2.
Changelog:
SeaMonkey-specific changes
Mark -> As Read now checks the state of all selected messages instead of only the first one's.
Notifications for mixed content blocker have been implemented.
A new 3rd-party cookie restriction to visited websites option has been added to the Cookies pref pane.
The context menu Search option is now available for textareas and input fields.
Website storage mechanisms are now available in the Data Manager (localStorage, indexedDB, etc.).
"Open Containing Folder" is now already available during download.
See the changes page for minor changes.
Mozilla platform changes
asm.js optimizations (OdinMonkey) have been enabled for major performance improvements.
Improved WebGL rendering performance through asynchronous canvas updates.
Plain text files displayed within the browser will now word-wrap.
For user security, the Components object is no longer accessible from web content.
Improved memory usage and display time when rendering images.
The Pointer Lock API can now be used outside of fullscreen.
CSS3 Flexbox has been implemented and enabled by default.
The new Web Notifications API has been implemented.
Added clipboardData API for JavaScript access to a user's clipboard.
Support for new HTML5 <data> and <time> elements has been added.
Fixed several stability issues.
* Deal with git behavior change in 1.7.2 and newer that broke support
for commits with an empty commit message.
* Pass --no-edit when used with git 1.7.8 and newer.
o properly escape generated HTML
o add authentication for redirections, from martin@netbsd.org
o handle chained ssl certifications, from elric@netbsd.org
o add basic support for gzipped files, from elric@netbsd.org
o properly escape generated URIs
* blogspam: Fix encoding issue in RPC::XML call.
Thanks, Changaco
* comments: The formats allowed to be used in comments can be configured
using comments_allowformats.
Thanks, Michal Sojka
* calendar: When there are multiple pages for a given day, they're
displayed in a popup on mouseover.
Thanks, Louis
* osm: Remove trailing slash from KML maps icon.
* page.tmpl: omit searchform, trails, sidebar and most metadata in CGI
(smcv)
* openid: Automatically upgrade openid_realm to https when
accessed via https.
* The ip() pagespec can now contain glob characters to match eg, a subnet
full of spammers.
* Fix crash that could occur when a needsbuild hook returned a file
that does not exist.
* Fix python proxy to not crash when fed unicode data in getstate
and setstate.
Thanks, chrysn
* Fix committing attachments when using svn.
[SECURITY]
- CR escaping for Set-Cookie and P3P headers was improved. There was potential
for newline injection in these headers.
(Thanks to anazawa, https://github.com/markstos/CGI.pm/pull/23)
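Two of the security entries on this page, the mod_rewrite RewriteLog escaping for CVE-2013-1862 further up and the CR escaping for Set-Cookie and P3P headers here, are instances of the same defect: client-supplied bytes reaching a text sink that interprets control characters. The block below is an added example, not httpd's or CGI.pm's code, showing both mitigations in Python: escape_for_log rewrites every C0/C1 control character (including ESC) as a \xNN literal before a value is logged, and check_header_value refuses header values containing CR, LF or NUL rather than emitting a split header. The function names and the sample inputs are constructed for this example.

```python
import re

# Characters a terminal may act on when a log line is displayed: the C0
# controls (0x00-0x1f, which includes ESC 0x1b and CR/LF), DEL (0x7f) and
# the C1 range (0x80-0x9f), which some terminals treat as control codes.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def escape_for_log(value: str) -> str:
    """Return `value` with every control character rewritten as \\xNN.

    Backslashes are doubled first so the escaped form is unambiguous: a
    literal backslash-x-1-b in the input stays distinguishable from an
    escaped ESC byte.
    """
    value = value.replace("\\", "\\\\")
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def format_log_line(client_addr: str, request_line: str) -> str:
    """Compose an access-log style line with all client data escaped."""
    return "%s %s" % (escape_for_log(client_addr), escape_for_log(request_line))


class HeaderInjection(ValueError):
    """Raised when a header value would end the header line or add another."""


def is_safe_header_value(value: str) -> bool:
    # CR and LF terminate a header line; NUL truncates strings in C servers.
    return not any(ch in value for ch in "\r\n\x00")


def check_header_value(name: str, value: str) -> str:
    """Return `value` unchanged if it may be placed in header `name`,
    otherwise raise HeaderInjection instead of emitting a split header."""
    if not is_safe_header_value(value):
        raise HeaderInjection("control character in %s header value" % name)
    return value


def build_set_cookie(name: str, value: str, path: str = "/") -> tuple:
    """Build a ("Set-Cookie", value) pair, validating every piece that may
    originate from application or user data (constructed attribute set)."""
    for part in (name, value, path):
        check_header_value("Set-Cookie", part)
    return ("Set-Cookie", "%s=%s; Path=%s; HttpOnly" % (name, value, path))


if __name__ == "__main__":
    # Constructed request line carrying an ANSI colour escape sequence.
    print(format_log_line("203.0.113.7", "GET /\x1b[31mred\x1b[0m HTTP/1.1"))
    try:
        build_set_cookie("sid", "abc\r\nX-Injected: 1")
    except HeaderInjection as exc:
        print("rejected:", exc)
```

The log side escapes rather than drops, so the evidence of what the client sent survives in the log for later analysis; the header side rejects rather than escapes, because there is no encoding of a bare CR or LF that every downstream client agrees on.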
[INTERNALS]
- Changed how the deprecated endform function was defined for compatibility
with the development version of Perl.
- Fix failures in t/tmpdir.t when run as root
(https://github.com/markstos/CGI.pm/issues/22, RT#80659)
- Made it possible to force a sorted order for things like hash
attributes so that tests are not dependent on a particular hash
ordering. This will be required in modern perls which will
change the ordering per process. (Yves, RT#80659)
- formatting of CGI::Carp documentation was improved. Thanks to benkasminbullock.
- un-TODO some tests in t/tmpdir.t that were passing in most cases.
More on this:
https://github.com/markstos/CGI.pm/issues/19#cc73dc9807
* Mock http responses to avoid unnecessary network requests -- Randy Stauner
* Fix for RT#55591: Incorrect default value for 'codes_to_determinate'
from yibe via github.
- Makefile.PL updated
- removed TLS test for now, some cpan testers reporting issues with
the configuration, seems pointless given the Makefile
- removed some of the tests that seem to fail on congested machines
(eg: cpantesters).
- [SREZIC] added mirror support:
https://rt.cpan.org/Ticket/Display.html?id=44569
Version 0.8.4
-------------
Released 2013/3/28
- Recaptcha Validator now returns provided message (issue #66)
- Minor doc fixes
- Fixed issue with tests barking because of nose/multiprocessing issue.
Version 0.10.1
--------------
(bugfix release, released on June 14th 2013)
- Fixed an issue where ``|tojson`` was not quoting single quotes which
made the filter not work properly in HTML attributes. Now it's
possible to use that filter in single quoted attributes. This should
make using that filter with angular.js easier.
- Added support for byte strings back to the session system. This broke
compatibility with the common case of people putting binary data for
token verification into the session.
- Fixed an issue where registering the same method twice for the same endpoint
would trigger an exception incorrectly.
Version 0.10
------------
Released on June 13th 2013, codename Limoncello.
- Changed default cookie serialization format from pickle to JSON to
limit the impact an attacker can do if the secret key leaks. See
:ref:`upgrading-to-010` for more information.
- Added ``template_test`` methods in addition to the already existing
``template_filter`` method family.
- Added ``template_global`` methods in addition to the already existing
``template_filter`` method family.
- Set the content-length header for x-sendfile.
- ``tojson`` filter now does not escape script blocks in HTML5 parsers.
- ``tojson`` used in templates is now marked safe by default. This is
possible due to the different escaping behavior.
- Flask will now raise an error if you attempt to register a new function
on an already used endpoint.
- Added wrapper module around simplejson and added default serialization
of datetime objects. This allows much easier customization of how
JSON is handled by Flask or any Flask extension.
- Removed deprecated internal ``flask.session`` module alias. Use
``flask.sessions`` instead to get the session module. This is not to
be confused with ``flask.session`` the session proxy.
- Templates can now be rendered without request context. The behavior is
slightly different as the ``request``, ``session`` and ``g`` objects
will not be available and blueprint's context processors are not
called.
- The config object is now available to the template as a real global and
not through a context processor which makes it available even in imported
templates by default.
- Added an option to generate non-ascii encoded JSON which should result
in fewer bytes being transmitted over the network. It's disabled by
default to not cause confusion with existing libraries that might expect
``flask.json.dumps`` to return bytestrings by default.
- ``flask.g`` is now stored on the app context instead of the request
context.
- ``flask.g`` now gained a ``get()`` method for not erroring out on
non-existing items.
- ``flask.g`` now can be used with the ``in`` operator to see what's defined
and it now is iterable and will yield all attributes stored.
- ``flask.Flask.request_globals_class`` got renamed to
``flask.Flask.app_ctx_globals_class`` which is a better name to what it
does since 0.10.
- `request`, `session` and `g` are now also added as proxies to the template
context which makes them available in imported templates. One has to be
very careful with those though because usage outside of macros might
cause caching.
- Flask will no longer invoke the wrong error handlers if a proxy
exception is passed through.
- Added a workaround for chrome's cookies in localhost not working
as intended with domain names.
- Changed logic for picking defaults for cookie values from sessions
to work better with Google Chrome.
- Added `message_flashed` signal that simplifies flashing testing.
- Added support for copying of request contexts for better working with
greenlets.
- Removed custom JSON HTTP exception subclasses. If you were relying on them
you can reintroduce them again yourself trivially. Using them however is
strongly discouraged as the interface was flawed.
- Python requirements changed: requiring Python 2.6 or 2.7 now to prepare
for Python 3.3 port.
- Changed how the teardown system is informed about exceptions. This is now
more reliable in case something handles an exception halfway through
the error handling process.
- Request context preservation in debug mode now keeps the exception
information around which means that teardown handlers are able to
distinguish error from success cases.
- Added the ``JSONIFY_PRETTYPRINT_REGULAR`` configuration variable.
- Flask now orders JSON keys by default to not trash HTTP caches due to
different hash seeds between different workers.
- Added `appcontext_pushed` and `appcontext_popped` signals.
- The builtin run method now takes the ``SERVER_NAME`` into account when
picking the default port to run on.
- Added `flask.request.get_json()` as a replacement for the old
`flask.request.json` property.
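The pickle-to-JSON change at the top of the 0.10 list is worth seeing in code. The following is an added example, not Flask's session implementation: a signed cookie whose payload is JSON and whose signature is an HMAC-SHA256 over the encoded payload, checked with a constant-time comparison before anything is decoded. The cookie format, the ``SECRET_KEY`` sample value and the function names are this example's own assumptions; Flask's real format (built on itsdangerous) differs. What it demonstrates is the property the change buys: a tampered or forged payload is rejected, and even a payload signed with a leaked key can only deserialize to plain JSON values, never to arbitrary objects.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key for this example only.
SECRET_KEY = b"example-secret-key-do-not-use"


def _b64encode(data: bytes) -> str:
    # URL-safe base64 without padding, so the value is cookie-friendly.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    # Restore the padding stripped by _b64encode before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str, key: bytes) -> bytes:
    return hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()


def dump_session(data: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize a session dict to "<payload>.<signature>".

    The payload is JSON, not pickle, so loading it back can only yield
    dicts, lists, strings, numbers, booleans and None. sort_keys gives a
    deterministic encoding, so equal sessions produce equal cookies.
    """
    encoded = json.dumps(data, sort_keys=True, separators=(",", ":"))
    payload = _b64encode(encoded.encode("utf-8"))
    return payload + "." + _b64encode(_sign(payload, key))


def load_session(cookie: str, key: bytes = SECRET_KEY):
    """Return the session dict for a validly signed cookie, else None.

    The signature is verified with hmac.compare_digest before the payload
    is decoded at all, and json.loads does the decoding, so whoever
    controls the cookie bytes cannot make this function construct
    arbitrary Python objects.
    """
    try:
        payload, signature = cookie.rsplit(".", 1)
        expected = _sign(payload, key)
        given = _b64decode(signature)
    except ValueError:  # malformed structure, non-ASCII, or bad base64
        return None
    if not hmac.compare_digest(expected, given):
        return None
    try:
        data = json.loads(_b64decode(payload).decode("utf-8"))
    except ValueError:  # bad base64, bad UTF-8, or invalid JSON
        return None
    return data if isinstance(data, dict) else None


if __name__ == "__main__":
    cookie = dump_session({"user_id": 42, "role": "user"})
    print("cookie:", cookie)
    print("loaded:", load_session(cookie))
    # A payload from a different session combined with the original
    # signature must fail verification.
    other = dump_session({"user_id": 1, "role": "admin"}).split(".")[0]
    print("mismatched payload:", load_session(other + "." + cookie.split(".")[1]))
```

Verifying before decoding matters as much as the serializer choice: the parser only ever runs on bytes that carry a valid signature, so parser bugs are not reachable from an unauthenticated cookie.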
Version 0.9.1
-------------
(bugfix release, released on June 14th 2013)
- Fixed an issue with integers no longer being accepted in certain
parts of the routing system or URL quoting functions.
- Fixed an issue with `url_quote` not producing the right escape
codes for single digit codepoints.
- Fixed an issue with :class:`~werkzeug.wsgi.SharedDataMiddleware` not
reading the path correctly and breaking on etag generation in some
cases.
- Properly handle `Expect: 100-continue` in the development server
to resolve issues with curl.
- Automatically exhaust the input stream on request close. This should
fix issues where not touching request files results in a timeout.
- Fixed exhausting of streams not doing anything if a non-limited
stream was passed into the multipart parser.
- Raised the buffer sizes for the multipart parser.
Version 0.9
-----------
Released on June 13th 2013, codename Planierraupe.
- Added support for :meth:`~werkzeug.wsgi.LimitedStream.tell`
on the limited stream.
- :class:`~werkzeug.datastructures.ETags` now is nonzero if it
contains at least one etag of any kind, including weak ones.
- Added a workaround for a bug in the stdlib for SSL servers.
- Improved SSL interface of the devserver so that it can generate
certificates easily and load them from files.
- Refactored test client to invoke the open method on the class
for redirects. This makes subclassing more powerful.
- :func:`werkzeug.wsgi.make_chunk_iter` and
:func:`werkzeug.wsgi.make_line_iter` now support processing of
iterators and streams.
- URL generation by the routing system now no longer quotes
``+``.
- URL fixing now no longer quotes certain reserved characters.
- The :func:`werkzeug.security.generate_password_hash` and
check functions now support any of the hashlib algorithms.
- `wsgi.get_current_url` is now ascii safe for browsers sending
non-ascii data in query strings.
- improved parsing behavior for :func:`werkzeug.http.parse_options_header`
- added more operators to local proxies.
- added a hook to override the default converter in the routing
system.
- The description field of HTTP exceptions is now always escaped.
Use markup objects to disable that.
- Added number of proxy argument to the proxy fix to make it more
secure out of the box on common proxy setups. It will by default
no longer trust the x-forwarded-for header as much as it did
before.
- Added support for fragment handling in URI/IRI functions.
- Added custom class support for :func:`werkzeug.http.parse_dict_header`.
- Renamed `LighttpdCGIRootFix` to `CGIRootFix`.
- Always treat `+` as safe when fixing URLs as people love misusing them.
- Added support to profiling into directories in the contrib profiler.
- The escape function now by default escapes quotes.
- Changed repr of exceptions to be less magical.
- Simplified exception interface to no longer require environments
to be passed to receive the response object.
- Added sentinel argument to IterIO objects.
- Added pbkdf2 support for the security module.
- Added a plain request type that disables all form parsing to only
leave the stream behind.
- Removed support for deprecated `fix_headers`.
- Removed support for deprecated `header_list`.
- Removed support for deprecated parameter for `iter_encoded`.
- Removed support for deprecated non-silent usage of the limited
stream object.
- Removed support for previous dummy `writable` parameter on
the cached property.
- Added support for explicitly closing request objects to close
associated resources.
- Conditional request handling or access to the data property on responses no
longer ignores direct passthrough mode.
- Removed werkzeug.templates and werkzeug.contrib.kickstart.
- Changed host lookup logic for forwarded hosts to allow lists of
hosts in which case only the first one is picked up.
- Added `wsgi.get_query_string`, `wsgi.get_path_info` and
`wsgi.get_script_name` and made the `wsgi.pop_path_info` and
`wsgi.peek_path_info` functions perform unicode decoding. This
was necessary to avoid having to expose the WSGI encoding dance
on Python 3.
- Added `content_encoding` and `content_md5` to the request object's
common request descriptor mixin.
- added `options` and `trace` to the test client.
- Overhauled the utilization of the input stream to be easier to use
and better to extend. The detection of content payload on the input
side is now more compliant with HTTP by detecting off the content
type header instead of the request method. This also now means that
the stream property on the request class is always available instead
of just when the parsing fails.
- Added support for using :class:`werkzeug.wrappers.BaseResponse` in a with
statement.
- Changed `get_app_iter` to fetch the response early so that it does not
fail when wrapping a response iterable. This makes filtering easier.
- Introduced `get_data` and `set_data` methods for responses.
- Introduced `get_data` for requests.
- Soft deprecated the `data` descriptors for request and response objects.
- Added `as_bytes` operations to some of the headers to simplify working
with things like cookies.
- Made the debugger paste tracebacks into github's gist service as
private pastes.
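The proxy-count argument added to the proxy fix in this release, and the Flask-Login 0.2.6 note further up about using X-Forwarded-For for the session protection id, both turn on the same fact: a client can put anything it likes in X-Forwarded-For, and only the right-most entries were appended by proxies the operator controls. The following is an added example, not Werkzeug's ProxyFix code: a small WSGI middleware that rewrites REMOTE_ADDR from the header only when at least num_proxies hops are present, taking the entry the outermost trusted proxy recorded. The names TrustedProxyFix, client_ip_from_xff and seen_remote_addr, and the sample addresses, are constructed for this example.

```python
def client_ip_from_xff(xff_header, remote_addr, num_proxies=1):
    """Pick the client address from an X-Forwarded-For value.

    Each proxy appends the peer address it saw, so with N trusted proxies
    the Nth entry from the right is the address the outermost trusted proxy
    observed. Entries further left were supplied by the client and are
    ignored. If the header has fewer than N entries it did not pass through
    all trusted proxies, so the socket peer address is kept instead.
    """
    if num_proxies < 1:
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    if len(hops) < num_proxies:
        return remote_addr
    return hops[-num_proxies]


class TrustedProxyFix:
    """WSGI middleware: set REMOTE_ADDR from X-Forwarded-For, trusting
    exactly `num_proxies` hops in front of the application."""

    def __init__(self, app, num_proxies=1):
        self.app = app
        self.num_proxies = num_proxies

    def __call__(self, environ, start_response):
        environ = dict(environ)  # do not mutate the caller's environ
        environ["REMOTE_ADDR"] = client_ip_from_xff(
            environ.get("HTTP_X_FORWARDED_FOR"),
            environ.get("REMOTE_ADDR", ""),
            self.num_proxies,
        )
        return self.app(environ, start_response)


def _echo_remote_addr(environ, start_response):
    # Minimal WSGI application that reports the address it was given.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["REMOTE_ADDR"].encode("ascii")]


def seen_remote_addr(environ, num_proxies=1):
    """Run a constructed WSGI environ through the middleware and return the
    REMOTE_ADDR the inner application observes."""
    app = TrustedProxyFix(_echo_remote_addr, num_proxies)
    body = app(environ, lambda status, headers: None)
    return b"".join(body).decode("ascii")


if __name__ == "__main__":
    # Constructed environ: the socket peer is our own proxy (10.0.0.2), which
    # appended the real client (203.0.113.7); "1.1.1.1" was sent by the
    # client itself and must not be believed.
    env = {"REMOTE_ADDR": "10.0.0.2",
           "HTTP_X_FORWARDED_FOR": "1.1.1.1, 203.0.113.7"}
    print(seen_remote_addr(env, num_proxies=1))  # 203.0.113.7
    print(seen_remote_addr(env, num_proxies=3))  # 10.0.0.2 (too few hops)
```

The count must match the deployment exactly: one too few and the address is whatever the client chose to prepend, which is precisely the value a rate limiter or session-protection check must not trust.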
Version 0.8.4
-------------
(bugfix release, release date to be announced)
- Added a favicon to the debugger which fixes problem with
state changes being triggered through a request to
/favicon.ico in Google Chrome. This should fix some
problems with Flask and other frameworks that use
context local objects on a stack with context preservation
on errors.
- Fixed an issue with scrolling up in the debugger.
- Fixed an issue with debuggers running on a different URL
than the URL root.
- Fixed a problem with proxies not forwarding some rarely
used special methods properly.
- Added a workaround to prevent the XSS protection from Chrome
breaking the debugger.
- Skip redis tests if redis is not running.
- Fixed a typo in the multipart parser that caused content-type
to not be picked up properly.