What’s New in WebOb 1.6
Compatibility
- Python 3.2 is no longer a supported platform by WebOb
Security
exc._HTTPMove and any subclasses will now raise a ValueError if the location field contains a line feed or carriage return. These values may lead to possible HTTP Response Splitting. The header_getter descriptor has also been modified to no longer accept headers with a line feed or carriage return.
WebOb does not protect against all possible ways of injecting line feeds or carriage returns into headers, and should only be thought of as a single line of defense. Any user input should be sanitized.
See https://github.com/Pylons/webob/pull/229 and https://github.com/Pylons/webob/issues/217 for more information.
Features
When WebOb sends an HTTP Exception it will now lazily escape the keys in the environment, so that only those keys that are actually used in the HTTP exception are escaped. This solves the problem of keys that are not serializable as a string in the environment. See https://github.com/Pylons/webob/pull/139 for more information.
MIMEAccept now accepts comparisons against wildcards, this allows one to match on just the media type or sub-type.
Example:
>>> accept = MIMEAccept('text/html')
>>> 'text/*' in accept
True
>>> '*/html' in accept
True
>>> '*' in accept
True
WebOb uses the user agent’s Accept header to change what type of information is returned to the client. This allows the HTTP Exception to return either HTML, text, or a JSON response. This allows WebOb HTTP Exceptions to be used in applications where the client is expecting a JSON response. See https://github.com/Pylons/webob/pull/230 and https://github.com/Pylons/webob/issues/209 for more information.
Bugfixes
Response.from_file now parses the status line correctly when the status line contains an HTTP with version, as well as a status text that contains multiple white spaces (e.g HTTP/1.1 404 Not Found). See https://github.com/Pylons/webob/issues/250
Request.decode would attempt to read from an already consumed stream, it is now reading from the correct stream. See https://github.com/Pylons/webob/pull/183 for more information.
The
application/json
media type does not allow for acharset
because discovery of the encoding is done at the JSON layer, and it must always be UTF-{8,16,32}. See the IANA specification at https://www.iana.org/assignments/media-types/application/json, which notes:No “charset” parameter is defined for this registration. Adding one really has no effect on compliant recipients.
IETF RFC 4627 describes the method for encoding discovery using the JSON content itself. Upon initialization of a Response, WebOb will no longer add a
charset
if the content-type is set to JSON. See https://github.com/Pylons/webob/pull/197, https://github.com/Pylons/webob/issues/237, and https://github.com/Pylons/pyramid/issues/1611