1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
What's New in WebOb 1.6
=======================
Compatibility
~~~~~~~~~~~~~
- Python 3.2 is no longer a supported platform by WebOb
Security
~~~~~~~~
- exc._HTTPMove and any subclasses will now raise a ValueError if the location
field contains a line feed or carriage return. These values may lead to
possible HTTP Response Splitting. The header_getter descriptor has also been
modified to no longer accept headers with a line feed or carriage return.
WebOb does not protect against all possible ways of injecting line feeds or
carriage returns into headers, and should only be thought of as a single line
of defense. Any user input should be sanitized.
See https://github.com/Pylons/webob/pull/229 and
https://github.com/Pylons/webob/issues/217 for more information.
Features
~~~~~~~~
- When WebOb sends an HTTP Exception it will now lazily escape the keys in the
environment, so that only those keys that are actually used in the HTTP
exception are escaped. This solves the problem of keys that are not
serializable as a string in the environment. See
https://github.com/Pylons/webob/pull/139 for more information.
- MIMEAccept now accepts comparisons against wildcards, this allows one to
match on just the media type or sub-type.
Example:
.. code-block:: pycon
>>> accept = MIMEAccept('text/html')
>>> 'text/*' in accept
True
>>> '*/html' in accept
True
>>> '*' in accept
True
- WebOb uses the user agent's Accept header to change what type of information
is returned to the client. This allows the HTTP Exception to return either
HTML, text, or a JSON response. This allows WebOb HTTP Exceptions to be used
in applications where the client is expecting a JSON response. See
https://github.com/Pylons/webob/pull/230 and
https://github.com/Pylons/webob/issues/209 for more information.
Bugfixes
~~~~~~~~
- Response.from_file now parses the status line correctly when the status line
contains an HTTP with version, as well as a status text that contains
multiple white spaces (e.g HTTP/1.1 404 Not Found). See
https://github.com/Pylons/webob/issues/250
- Request.decode would attempt to read from an already consumed stream, it is
now reading from the correct stream. See
https://github.com/Pylons/webob/pull/183 for more information.
- The ``application/json`` media type does not allow for a ``charset`` because
discovery of the encoding is done at the JSON layer, and it must always be
UTF-{8,16,32}. See the IANA specification at
https://www.iana.org/assignments/media-types/application/json, which notes:
No "charset" parameter is defined for this registration.
Adding one really has no effect on compliant recipients.
`IETF RFC 4627 <https://www.ietf.org/rfc/rfc4627.txt>`_ describes the method
for encoding discovery using the JSON content itself. Upon initialization of
a Response, WebOb will no longer add a ``charset`` if the content-type is set
to JSON. See https://github.com/Pylons/webob/pull/197,
https://github.com/Pylons/webob/issues/237, and
https://github.com/Pylons/pyramid/issues/1611
|
