- WebOb Change History
- 1.8.7 (2021-02-17)
- 1.8.6 (2020-01-21)
- 1.8.5 (2019-01-03)
- 1.8.4 (2018-11-11)
- 1.8.3 (2018-10-14)
- 1.8.2 (2018-06-05)
- 1.8.1 (2018-04-10)
- 1.8.0 (2018-04-04)
- 1.7rc1 (2016-11-18)
- 1.6.0 (2016-03-15)
- 1.5.1 (2015-10-30)
- 1.5.0 (2015-10-11)
- 1.5.0a0 (2015-07-25)
- 1.4 (2014-05-14)
- 1.3.1 (2013-12-13)
- 1.3 (2013-12-10)
- 1.2.3
- 1.2.2
- 1.2.1
- 1.2
- 1.2rc1
- 1.2b3
- 1.2b2
- 1.2b1
- 1.2a2
- 1.2a1
- 1.1.1
- 1.1
- 1.1rc1
- 1.1b2
- 1.1b1
- 1.0.8
- 1.0.7
- 1.0.6
- 1.0.5
- 1.0.4
- 1.0.3
- 1.0.2
- 1.0.1
- 1.0
- 0.9.8
- 0.9.7.1
- 0.9.7
- 0.9.6.1
- 0.9.6
- 0.9.5
- 0.9.4
- 0.9.3
- 0.9.2
- 0.9.1
- 0.9
- 0.8.5
- 0.8.4
- 0.8.3
- 0.8.2
- 0.8.1
- 0.8
WebOb Change History
1.8.7 (2021-02-17)
Bugfix
Decoding deflate-encoded responses now supports data which is packed in a zlib container as it is supposed to be. The old, non-standard behaviour is still supported.
1.8.6 (2020-01-21)
Experimental Features
The SameSite value now includes a new option named “None”, this is a new change that was introduced in https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
Please be aware that older clients are incompatible with this change: https://www.chromium.org/updates/same-site/incompatible-clients, WebOb does not enable SameSite on cookies by default, so there is no backwards incompatible change here.
Validation of SameSite values can be disabled by toggling a module flag. This is in anticipation of future changes in evolving cookie standards. The discussion in https://github.com/Pylons/webob/pull/407 (which initially expanded the allowed options) notes the sudden change to browser cookie implementation details may happen again.
In May 2019, Google announced a new model for privacy controls in their browsers, which affected the list of valid options for the SameSite attribute of cookies. In late 2019, the company began to roll out these changes to their browsers to force developer adoption of the new specification. See https://www.chromium.org/updates/same-site and https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for more details on this change.
1.8.5 (2019-01-03)
Warnings
- Fixed one last remaining invalid escape sequence in a docstring.
1.8.4 (2018-11-11)
Bugfix
- Response.content_type now accepts unicode strings on Python 2 and encodes them to latin-1. See https://github.com/Pylons/webob/pull/389 and https://github.com/Pylons/webob/issues/388
- Accept header classes now support a .copy() function that may be used to create a copy. This allows
create_accept_header
and other like functions to accept an pre-existing Accept header. See https://github.com/Pylons/webob/pull/386 and https://github.com/Pylons/webob/issues/385
Warnings
- Some backslashes introduced with the new accept handling code were causing DeprecationWarnings upon compiling the source to pyc files, all of the backslashes have been reigned in as appropriate, and users should no longer see DeprecationWarnings for invalid escape sequence. See https://github.com/Pylons/webob/issues/384
1.8.3 (2018-10-14)
Bugfix
acceptparse.AcceptValidHeader
,acceptparse.AcceptInvalidHeader
, andacceptparse.AcceptNoHeader
will now always ignore offers that do not match the required media type grammar when calling.acceptable_offers()
. Previous versions raised aValueError
for invalid offers inAcceptValidHeader
and returned them as acceptable in the others. See https://github.com/Pylons/webob/pull/372
Feature
- Add Request.remote_host, exposing REMOTE_HOST environment variable.
- Added
acceptparse.Accept.parse_offer
to codify what types of offers are compatible withacceptparse.AcceptValidHeader.acceptable_offers
,acceptparse.AcceptMissingHeader.acceptable_offers
, andacceptparse.AcceptInvalidHeader.acceptable_offers
. This API also normalizes the offer with lowercased type/subtype and parameter names. See https://github.com/Pylons/webob/pull/376 and https://github.com/Pylons/webob/pull/379
1.8.2 (2018-06-05)
Bugfix
- SameSite may now be passed as str or bytes to Response.set_cookie and cookies.make_cookie. This was an oversight as all other arguments would be correctly coerced before being serialized. See https://github.com/Pylons/webob/issues/361 and https://github.com/Pylons/webob/pull/362
1.8.1 (2018-04-10)
Bugfix
- acceptparse.MIMEAccept which is deprecated in WebOb 1.8.0 made a backwards incompatible change that led to it raising on an invalid Accept header. This behaviour has now been reversed, as well as some other fixes to allow MIMEAccept to behave more like the old version. See https://github.com/Pylons/webob/pull/356
1.8.0 (2018-04-04)
Feature
request.POST
now supports any requests with the appropriate Content-Type. Allowing any HTTP method to access form encoded content, including DELETE, PUT, and others. See https://github.com/Pylons/webob/pull/352
Compatibility
- WebOb is no longer officially supported on Python 3.3 which was EOL’ed on 2017-09-29.
Backwards Incompatibilities
Many changes have been made to the way WebOb does Accept handling, not just for the Accept header itself, but also for Accept-Charset, Accept-Encoding and Accept-Language. This was a Google Summer of Code project completed by Whiteroses (https://github.com/whiteroses). Many thanks to Google for running GSoC, the Python Software Foundation for organising and a huge thanks to Ira for completing the work. See https://github.com/Pylons/webob/pull/338 and https://github.com/Pylons/webob/pull/335. Documentation is available at https://docs.pylonsproject.org/projects/webob/en/master/api/webob.html
When calling a
@wsgify
decorated function, the default arguments passed to@wsgify
are now used when called with the request, and not as a start_responsedef hello(req, name):
return "Hello, %s!" % name
app = wsgify(hello, args=("Fred",))
req = Request.blank('/')
resp = req.get_response(app) # => "Hello, Fred"
resp2 = app(req) # => "Hello, Fred"
Previously the
resp2
line would have failed with aTypeError
. With this change there is no way to override the default arguments with no arguments. See https://github.com/Pylons/webob/pull/203When setting
app_iter
on aResponse
object thecontent_md5
header is no longer cleared. This behaviour is odd and disallows setting thecontent_md5
and then returning an iterator for chunked content encoded responses. See https://github.com/Pylons/webob/issues/86
Experimental Features
These features are experimental and may change at any point in the future.
- The cookie APIs now have the ability to set the SameSite attribute on a cookie in both
webob.cookies.make_cookie
andwebob.cookies.CookieProfile
. See https://github.com/Pylons/webob/pull/255
Bugfix
- Exceptions now use string.Template.safe_substitute rather than string.Template.substitute. The latter would raise for missing mappings, the former will simply not substitute the missing variable. This is safer in case the WSGI environ does not contain the keys necessary for the body template. See https://github.com/Pylons/webob/issues/345.
- Request.host_url, Request.host_port, Request.domain correctly parse IPv6 Host headers as provided by a browser. See https://github.com/Pylons/webob/pull/332
- Request.authorization would raise ValueError for unusual or malformed header values. See https://github.com/Pylons/webob/issues/231
- Allow unnamed fields in form data to be properly transcoded when calling request.decode with an alternate encoding. See https://github.com/Pylons/webob/pull/309
Response.__init__
would discardapp_iter
when aResponse
had no body, this would cause issues whenapp_iter
was an object that was tied to the life-cycle of a web application and had to be properly closed.app_iter
is more advanced API forResponse
and thus even if it contains a body and is thus against the HTTP RFC’s, we should let the users shoot themselves by returning a body. See https://github.com/Pylons/webob/issues/305
1.7rc1 (2016-11-18)
Compatibility
- WebOb is no longer supported on Python 2.6 and PyPy3 (due to pip no longer supporting Python 3.2 even on PyPy)
Backwards Incompatibility
Response.set_cookie
no longer accepts a key argument. This was deprecated in WebOb 1.5 and as mentioned in the deprecation, is being removed in 1.7Response.__init__
will no longer set the default Content-Type, nor Content-Length on Responses that don’t have a body. This allows WebOb to return proper responses for things like Response(status=’204 No Content’).Response.text
will no longer raise if the Content-Type does not have a charset, it will fall back to using the newdefault_body_encoding`. To get the old behaviour back please sub-class ``Response
and setdefault_body_encoding
toNone
. See https://github.com/Pylons/webob/pull/287- WebOb no longer supports Chunked Encoding, this means that if you are using WebOb and need Chunked Encoding you will be required to have a proxy that unchunks the request for you. Please read https://github.com/Pylons/webob/issues/279 for more background.
Feature
Response
has a newdefault_body_encoding
which may be used to allow getting/settingResponse.text
when a Content-Type has no charset. See https://github.com/Pylons/webob/pull/287webob.Request
with any HTTP method is now allowed to have a body. This allows DELETE to have a request body for passing extra information. See https://github.com/Pylons/webob/pull/283 and https://github.com/Pylons/webob/pull/274- Add
tell()
toResponseBodyFile
so that it may be used for example for zipfile support. See https://github.com/Pylons/webob/pull/117 - Allow the return from
wsgify.middleware
to be used as a decorator. See https://github.com/Pylons/webob/pull/228
Bugfix
Fixup
cgi.FieldStorage
on Python 3.x to work-around issue reported in Python bug report 27777 and 24764. This is currently applied for Python versions less than 3.7. See https://github.com/Pylons/webob/pull/294Response.set_cookie
now acceptsdatetime
objects for theexpires
kwarg and will correctly convert them to UTC with no tzinfo for use in calculating themax_age
. See https://github.com/Pylons/webob/issues/254 and https://github.com/Pylons/webob/pull/292Fixes
request.PATH_SAFE
to contain all of the path safe characters according to RFC3986. See https://github.com/Pylons/webob/pull/291WebOb’s exceptions will lazily read underlying variables when inserted into templates to avoid expensive computations/crashes when inserting into the template. This had a bad performance regression on Py27 because of the way the lazified class was created and returned. See https://github.com/Pylons/webob/pull/284
wsgify.__call__
raised aTypeError
with an unhelpful message, it will now return therepr
for the wrapped function: https://github.com/Pylons/webob/issues/119Response.content_type
removes the charset content-type parameter unless the new content-type is a text like type that has a charset parameter. See https://github.com/Pylons/webob/pull/261 and https://github.com/Pylons/webob/issues/130Response.json
‘sjson.dumps
/json.loads
are now always UTF-8. It no longer tries to use the charset.The
Response.__init__
will by default no longer set the Content-Type to the default if aheaderlist
is provided. This fixes issues wherebyRequest.get_response()
would return a Response that didn’t match the actual response. See https://github.com/Pylons/webob/pull/261 and https://github.com/Pylons/webob/issues/205Cleans up the remainder of the issues with the updated WebOb exceptions that were taught to return JSON in version 1.6. See https://github.com/Pylons/webob/issues/237 and https://github.com/Pylons/webob/issues/236
Response.from_file
now parses the status line correctly when the status line contains an HTTP with version, as well as a status text that contains multiple white spaces (e.g HTTP/1.1 404 Not Found). See https://github.com/Pylons/webob/issues/250Response
now has a new property namedhas_body
that may be used to interrogate theResponse
to find out ifResponse.body
is or isn’t set.This is used in the exception handling code so that if you use a WebOb HTTP Exception and pass a generator to
app_iter
WebOb won’t attempt to read the whole thing and instead allows it to be returned to the WSGI server. See https://github.com/Pylons/webob/pull/259
1.6.0 (2016-03-15)
Compatibility
- Python 3.2 is no longer supported by WebOb
Bugfix
- Request.decode attempted to read from the an already consumed stream, it has now been redirected to another stream to read from. See https://github.com/Pylons/webob/pull/183
- The application/json media type does not allow for a charset as discovery of the encoding is done at the JSON layer. Upon initialization of a Response WebOb will no longer add a charset if the content-type is set to JSON. See https://github.com/Pylons/webob/pull/197 and https://github.com/Pylons/pyramid/issues/1611
Features
- Lazily HTML escapes environment keys in HTTP Exceptions so that those keys in the environ that are not used in the output of the page don’t raise an exception due to inability to be properly escaped. See https://github.com/Pylons/webob/pull/139
- MIMEAccept now accepts comparisons against wildcards, this allows one to match on just the media type or sub-type, without having to explicitly match on both the media type and sub-type at the same time. See https://github.com/Pylons/webob/pull/185
- Add the ability to return a JSON body from an exception. Using the Accept information in the request, the exceptions will now automatically return a JSON version of the exception instead of just HTML or text. See https://github.com/Pylons/webob/pull/230 and https://github.com/Pylons/webob/issues/209
Security
- exc._HTTPMove and any subclasses will now raise a ValueError if the location field contains a line feed or carriage return. These values may lead to possible HTTP Response Splitting. The header_getter descriptor has also been modified to no longer accept headers with a line feed or carriage return. See: https://github.com/Pylons/webob/pull/229 and https://github.com/Pylons/webob/issues/217
1.5.1 (2015-10-30)
Bug Fixes
- The exceptions HTTPNotAcceptable, HTTPUnsupportedMediaType and HTTPNotImplemented will now correctly use the sub-classed template rather than the default error template. See https://github.com/Pylons/webob/issues/221
- Response’s from_file now correctly deals with a status line that contains an HTTP version identifier. HTTP/1.1 200 OK is now correctly parsed, whereas before this would raise an error upon setting the Response.status in from_file. See https://github.com/Pylons/webob/issues/121
1.5.0 (2015-10-11)
Bug Fixes
- The cookie API functions will now make sure that max_age is an integer or an string that can convert to an integer. Previously passing in max_age=’test’ would have silently done the wrong thing.
Features
- Unbreak req.POST when the request method is PATCH. Instead of returning something cmpletely unrelated we return NoVar. See: https://github.com/Pylons/webob/pull/215
- HTTP Status Code 308 is now supported as a Permanent Redirect. See https://github.com/Pylons/webob/pull/207
Backwards Incompatibilities
Response.set_cookie
renamed the only required parameter from “key” to “name”. The code will now still accept “key” as a keyword argument, and will issue a DeprecationWarning until WebOb 1.7.- The
status
attribute of aResponse
object no longer takes a string likeNone None
and allows that to be set as the status. It now has to at least match the pattern of<integer status code> <explenation of status code>
. Invalid status strings will now raise aValueError
.
1.5.0a0 (2015-07-25)
Backwards Incompatibilities
Morsel
will no longer accept a cookie value that does not meet RFC6265’s cookie-octet specification. Upon callingMorsel.serialize
a warning will be issued, in the future this will raise aValueError
, please update your cookie handling code. See https://github.com/Pylons/webob/pull/172The cookie-octet specification in RFC6265 states the following characters are valid in a cookie value:
Hex Range Actual Characters [0x21 ]
!
[0x25-0x2B]
#$%&’()*+
[0x2D-0x3A]
-./0123456789:
[0x3C-0x5B]
<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[
[0x5D-0x7E]
]^_`abcdefghijklmnopqrstuvwxyz{|}~
RFC6265 suggests using base 64 to serialize data before storing data in a cookie.
Cookies that meet the RFC6265 standard will no longer be quoted, as this is unnecessary. This is a no-op as far as browsers and cookie storage is concerned.
Response.set_cookie
now uses the internalmake_cookie
API, which will issue warnings if cookies are set with invalid bytes. See https://github.com/Pylons/webob/pull/172
Features
- Add support for some new caching headers, stale-while-revalidate and stale-if-error that can be used by reverse proxies to cache stale responses temporarily if the backend disappears. From RFC5861. See https://github.com/Pylons/webob/pull/189
Bug Fixes
- Response.status now uses duck-typing for integers, and has also learned to raise a ValueError if the status isn’t an integer followed by a space, and then the reason. See https://github.com/Pylons/webob/pull/191
- Fixed a bug in
webob.multidict.GetDict
which resulted in the QUERY_STRING not being updated when changes were made to query params usingRequest.GET.extend()
. - Read the body of a request if we think it might have a body. This fixes PATCH to support bodies. See https://github.com/Pylons/webob/pull/184
- Response.from_file returns HTTP headers as latin1 rather than UTF-8, this fixes the usage on Google AppEngine. See https://github.com/Pylons/webob/issues/99 and https://github.com/Pylons/webob/pull/150
- Fix a bug in parsing the auth parameters that contained bad white space. This makes the parsing fall in line with what’s required in RFC7235. See https://github.com/Pylons/webob/issues/158
- Use ‘rn’ line endings in
Response.__str__
. See: https://github.com/Pylons/webob/pull/146
Documentation Changes
response.set_cookie
now has proper documentation formax_age
andexpires
. The code has also been refactored to usecookies.make_cookie
instead of duplicating the code. This fixes https://github.com/Pylons/webob/issues/166 and https://github.com/Pylons/webob/issues/171- Documentation didn’t match the actual code for the wsgify function signature. See https://github.com/Pylons/webob/pull/167
- Remove the WebDAV only from certain HTTP Exceptions, these exceptions may also be used by REST services for example.
1.4 (2014-05-14)
Features
- Remove
webob.__version__
, the version number had not been kept in sync with the official pkg version. To obtain the WebOb version number, usepkg_resources.get_distribution('webob').version
instead.
Bug Fixes
- Fix a bug in
EmptyResponse
that prevents it from setting self.close as appropriate due to testing truthiness of object rather than if it is something other thanNone
. - Fix a bug in
SignedSerializer
preventing secrets from containing higher-order characters. See https://github.com/Pylons/webob/issues/136 - Use the
hmac.compare_digest
method when available for constant-time comparisons.
1.3.1 (2013-12-13)
Bug Fixes
- Fix a bug in
SignedCookieProfile
whereby we didn’t keep the original serializer around, this would cause us to haveSignedSerializer
be added on top of aSignedSerializer
which would cause it to be run twice when attempting to verify a cookie. See https://github.com/Pylons/webob/pull/127
Backwards Incompatibilities
- When
CookieProfile.get_value
andSignedCookieProfile.get_value
fails to deserialize a badly encoded value, we now returnNone
as if the cookie was never set in the first place instead of allowing aValueError
to be raised to the calling code. See https://github.com/Pylons/webob/pull/126
1.3 (2013-12-10)
Features
- Added a read-only
domain
property toBaseRequest
. This property returns the domain portion of the host value. For example, if the environment contains anHTTP_HOST
value offoo.example.com:8000
,request.domain
will returnfoo.example.com
. - Added five new APIs:
webob.cookies.CookieProfile
,webob.cookies.SignedCookieProfile
,webob.cookies.JSONSerializer
andwebob.cookies.SignedSerializer
, andwebob.cookies.make_cookie
. These APIs are convenience APIs for generating and parsing cookie headers as well as dealing with signing cookies. - Cookies generated via webob.cookies quoted characters in cookie values that did not need to be quoted per RFC 6265. The following characters are no longer quoted in cookie values:
~/=<>()[]{}?@
. The full set of non-letter-or-digit unquoted cookie value characters is now!#$%&'*+-.^_`|~/: =<>()[]{}?@
. See http://tools.ietf.org/html/rfc6265#section-4.1.1 for more information. - Cookie names are now restricted to the set of characters expected by RFC 6265. Previously they could contain unsupported characters such as
/
. - Older versions of Webob escaped the doublequote to
\"
and the backslash to\\
when quoting cookie values. Now, instead, cookie serialization generates\042
for the doublequote and\134
for the backslash. This is what is expected as per RFC 6265. Note that old cookie values that do have the older style quoting in them will still be unquoted correctly, however. - Added support for draft status code 451 (“Unavailable for Legal Reasons”). See http://tools.ietf.org/html/draft-tbray-http-legally-restricted-status-00
- Added status codes 428, 429, 431 and 511 to
util.status_reasons
(they were already present in a previous release aswebob.exc
exceptions).
Bug Fixes
- MIMEAccept happily parsed malformed wildcard strings like “image/pn*“ at parse time, but then threw an AssertionError during matching. See https://github.com/Pylons/webob/pull/83 .
- Preserve document ordering of GET and POST request data when POST data passed to Request.blank is a MultiDict. See https://github.com/Pylons/webob/pull/96
- Allow query strings attached to PATCH requests to populate request.params. See https://github.com/Pylons/webob/pull/106
- Added Python 3.3 trove classifier.
1.2.3
- Maintainership transferred to Pylons Project <http://www.pylonsproject.org/>
- Fix parsing of form submissions where fields have transfer-content-encoding headers.
1.2.2
- Fix multiple calls to
cache_expires()
not fully overriding the previously set headers. - Fix parsing of form submissions where fields have different encodings.
1.2.1
- Add index page (e.g.,
index.html
) support for webob.static.DirectoryApp. - Detect mime-type when creating a test request with file uploads (
Request.blank("/", POST=dict(file1=("foo.jpg", "xxx")))
) - Relax parsing of
Accept
andRange
headers to allow uppercase and extra whitespace. - Fix docs references to some deprecated classes.
1.2
- Fix webob.client handling of connection-refused on Windows.
- Use
simplejson
in webob.request if present. - Fix
resp.retry_after = <long>
interpreting value as a UNIX timestamp (should interpret as time delta in seconds).
1.2rc1
Add
Response.json
andRequest.json
which reads and sets the body using a JSON encoding (previously only the readable attributeRequest.json_body
existed).Request.json_body
is still available as an alias.Rename
Response.status_int
toResponse.status_code
(the.status_int
name is still available and will be supported indefinitely).Add
Request.text
, the unicode version of the request body (similar toResponse.text
).Add webob.client which contains the WSGI application
send_request_app
andSendRequest
. All requests sent to this application are turned into HTTP requests.Renamed
Request.get_response(app)
toRequest.send(app)
. The.get_response()
name is still available.Use
send_request_app
as the default application forRequest.send()
, so you can do:resp = Request.blank("http://python.org").send()
Add webob.static which contains two new WSGI applications,
FileApp
serve one static file andDirectoryApp
to serve the content of a directory. They should provide a reusable implementation of WebOb File-Serving Example. It also comes with support forwsgi.file_wrapper
.The implementation has been imported and simplified from
PasteOb.fileapp
.Add
dev
anddocs
setup.py aliases (to install development and docs dependencies respectively, e.g. “python setup.py dev”).
1.2b3
Added
request.host_port
API (returns port number implied by HTTP_HOST, falling back to SERVER_PORT).Added
request.client_addr
API (returns IP address implied by HTTP_X_FORWARDED_FOR, falling back to REMOTE_ADDR).Fix corner-case
response.status_int
andresponse.status
mutation bug on py3 (use explicit floor division).Backwards incompatibility: Request and BaseRequest objects now return Unicode for
request.path_info
andrequest.script_name
under Python 2. Rationale: the legacy behavior of returning the respective raw environ values was nonsensical on Python 3. Working with non-ascii encoded environ variables as raw WSGI values under Python 3 makes no sense, as PEP 3333 specifies that environ variables are bytes-tunneled-as-latin-1 strings.If you don’t care about Python 3, and you need strict backwards compatibility, to get legacy behavior of returning bytes on Python 2 for these attributes, use
webob.LegacyRequest
instead ofwebob.Request
. Although it’s possible to usewebob.LegacyRequest
under Python 3, it makes no sense, and it should not be used there.The above backwards incompatibility fixed nonsensical behavior of
request.host_url
,request.application_url
,request.path_url
,request.path
,request.path_qs
,request.url
,request.relative_url
,request.path_info_peek
,request.path_info_pop
under Python 3. These methods previously dealt with raw SCRIPT_NAME and PATH_INFO values, which caused nonsensical results.The WebOb Request object now respects an additional WSGI environment variable:
webob.url_encoding
.webob.url_encoding
will be used to decode the raw WSGI PATH_INFO and SCRIPT_NAME variables when therequest.path_info
andrequest.script_name
APIs are used.Request objects now accept an additional constructor parameter:
url_encoding
.url_encoding
will be used to decode PATH_INFO and SCRIPT_NAME from its WSGI-encoded values. Ifwebob.url_encoding
is not set in the environ andurl_encoding
is not passed to the Request constructor, the default valueutf-8
will be used to decode the PATH_INFO and SCRIPT_NAME.Note that passing
url_encoding
will cause the WSGI environment variablewebob.url_encoding
to be set.Fix
webob.response._request_uri
internal function to generate sensible request URI under Python 3. This fixed a problem under Python 3 if you were using non-absolute Location headers in responses.
1.2b2
- Fix
request.cookies.get('name', 'default')
. Previouslydefault
was ignored.
1.2b1
- Mutating the
request.cookies
property now reflects the mutations into theHTTP_COOKIES
environ header. Response.etag = (tag, False)
sets weak etag.Range
only parses single range now.Range.satisfiable(..)
is gone.Accept.best_matches()
is gone; uselist(request.accept)
orrequest.accept.best_match(..)
instead (applies to all Accept-* headers) or similar withrequest.accept_language
.Response.request
andResponse.environ
attrs are undeprecated and no longer raise exceptions when used. These can also be passed to the Response constructor. This is to support codebases that pass them to the constructor or assign them to a response instance. However, some behavior differences from 1.1 exist. In particular, synchronization is no longer done between environ and request attribute properties of Response; you may pass either to the constructor (or both) or assign one or the other or both, but they wont be managed specially and will remain the same over the lifetime of the response just as you passed them. Default values for bothrequest
andenviron
on any given response areNone
now.- Undeprecated
uscript_name
andupath_info
. - For backwards compatibility purposes, switch
req.script_name
andpath_info
back again to contain “raw” undecoded native strings rather than text. Useuscript_name
andupath_info
to get the text version of SCRIPT_NAME and PATH_INFO. - Don’t raise an exception if
unicode_errors
ordecode_param_names
is passed to the Request constructor. Instead, emit a warning. For benefit of Pylons 1.X, which passes both. - Don’t raise an exception if HTTPException.exception is used; instead emit a warning. For benefit of Pylons 1.X, which uses it.
1.2a2
req.script_name
andpath_info
now contain text, not bytes.- Deprecated
uscript_name
andupath_info
. charset
argument toRequest
as well as the attribute can only be set to UTF-8 or the value already present in theContent-Type
header.unicode_errors
attribute ofRequest
and related functionality is gone.- To process requests that come in an encoding different from UTF-8, the request needs to be transcoded like this:
req = req.decode('windows-1251')
- Added support for weak ETag matching in conditional responses.
- Most of etag-related functionality was refactored.
1.2a1
- Python 3.2 compatibility.
- No longer compatible with Python 2.5 (only 2.6, 2.7, and 3.2 are supported).
- Switched VCS from Mercurial to Git
- Moved development to GitHub
- Added full history from PyCon 2011 sprint to the repository
- Change
LimitedLengthFile
andFakeCGIBody
to inherit fromio.RawIOBase
and benefit fromio.BufferedReader
. - Do not set
resp.request
inreq.get_response(app)
Response.request
and.environ
attrs are deprecated and raise exceptions when used.- Deprecated request attributes
str_GET
,str_POST
,str_cookies
andstr_params
now raise exceptions when touched. - Remove testing dependency on WebTest.
- Remove UnicodeMultiDict class; the result of
Request.GET
andRequest.POST
is now just a plainMultiDict
. - The
decode_param_names
Request constructor argument has been removed, along with theRequest.decode_param_names
attribute. - The
Request.as_string()
method is now better known asRequest.as_bytes()
. - The
Request.from_string()
method is now better known asRequest.from_bytes()
. - A new method named
Request.as_text()
now exists. - A new method named
Request.from_text()
now exists. - The
webob.dec.wsgify
repr() is now much less informative, but a lot easier to test and maintain.
1.1.1
- Fix disconnect detection being incorrect in some cases (issue 21).
- Fix exception when calling
.accept.best_match(..)
on a header containing'*'
(instead of'*/*'
). - Extract some of the
Accept
code into subclasses (AcceptCharset
,AcceptLanguage
). - Improve language matching so that the app can now offer a generic language code and it will match any of the accepted dialects (
'en' in AcceptLanguage('en-gb')
). - Normalize locale names when matching (
'en_GB' in AcceptLanguage('en-gb')
). - Deprecate
etag.weak_match(..)
. - Deprecate
Response.request
andResponse.environ
attrs.
1.1
- Remove deprecation warnings for
unicode_body
andubody
.
1.1rc1
- Deprecate
Response.ubody
/.unicode_body
in favor of new.text
attribute (the old names will be removed in 1.3 or even later). - Make
Response.write
much more efficient (issue 18). - Make sure copying responses does not reset Content-Length or Content-MD5 of the original (and that of future copies).
- Change
del res.body
semantics so that it doesn’t make the response invalid, but only removes the response body. - Remove
Response._body
so the_app_iter
is the only representation.
1.1b2
- Add detection for browser / user-agent disconnects. If the client disconnected before sending the entire request body (POST / PUT),
req.POST
,req.body
and other related properties and methods will raise an exception. Previously this caused the application get a truncated request with no indication that it is incomplete. - Make
Response.body_file
settable. This is now valid:Response(body_file=open('foo.bin'), content_type=...)
- Revert the restriction on req.body not being settable for GET and some other requests. Such requests actually can have a body according to HTTP BIS (see also commit message)
- Add support for file upload testing via
Request.blank(POST=..)
. Patch contributed by Tim Perevezentsev. See also: ticket, changeset. - Deprecate
req.str_GET
,str_POST
,str_params
andstr_cookies
(warning). - Deprecate
req.decode_param_names
(warning). - Change
req.decode_param_names
default toTrue
. This means that.POST
,.GET
,.params
and.cookies
keys are now unicode. This is necessary for WebOb to behave as close as possible on Python 2 and Python 3.
1.1b1
- We have acquired the webob.org domain, docs are now hosted at docs.webob.org
- Make
accept.quality(..)
return best match quality, not first match quality. - Fix
Range.satisfiable(..)
edge cases. - Make sure
WSGIHTTPException
instances return the same headers forHEAD
andGET
requests. - Drop Python 2.4 support
- Deprecate
HTTPException.exception
(warning on use). - Deprecate
accept.first_match(..)
(warning on use). Use.best_match(..)
instead. - Complete deprecation of
req.[str_]{post|query}vars
properties (exception on use). - Remove
FakeCGIBody.seek
hack (no longer necessary).
1.0.8
- Escape commas in cookie values (see also: stdlib Cookie bug)
- Change cookie serialization to more closely match how cookies usually are serialized (unquoted expires, semicolon separators even between morsels)
- Fix some rare cases in cookie parsing
- Enhance the req.is_body_readable to always guess GET, HEAD, DELETE and TRACE as unreadable and PUT and POST as readable (issue 12)
- Deny setting req.body or req.body_file to non-empty values for GET, HEAD and other bodiless requests
- Fix running nosetests with arguments on UNIX systems (issue 11)
1.0.7
- Fix
Accept
header matching for items with zero-quality (issue 10) - Hide password values in
MultiDict.__repr__
1.0.6
- Use
environ['wsgi.input'].read()
instead of.read(-1)
because the former is explicitly mentioned in PEP-3333 and CherryPy server does not support the latter. - Add new
environ['webob.is_body_readable']
flag which specifies if the input stream is readable even if theCONTENT_LENGTH
is not set. WebOb now only ever reads the input stream if the content-length is known or this flag is set. - The two changes above fix a hangup with CherryPy and wsgiref servers (issue 6)
req.body_file
is now safer to read directly. ForGET
and other similar requests it returns an emptyStringIO
orBytesIO
object even if the server passed in something else.- Setting
req.body_file
to a string now produces a PendingDeprecationWarning. It will produce DeprecationWarning in 1.1 and raise an error in 1.2. Either setreq.body_file
to a file-like object or setreq.body
to a string value. - Fix
.pop()
and.setdefault(..)
methods ofreq/resp.cache_control
- Thanks to the participants of Pyramid sprint at the PyCon US 2011 WebOb now has 100% test coverage.
1.0.5
- Restore Python 2.4 compatibility.
1.0.4
- The field names escaping bug semi-fixed in 1.0.3 and originally blamed on cgi module was in fact a
webob.request._encode_multipart
bug (also in Google Chrome) and was lurking in webob code for quite some time — 1.0.2 just made it trigger more often. Now it is fixed properly. - Make sure that req.url and related properties do not unnecessarily escape some chars (
:@&+$
) in the URI path (issue 5) - Revert some changes from 1.0.3 that have broken backwards compatibility for some apps. Getting
req.body_file
does not make input stream seekable, but there’s a new propertyreq.body_file_seekable
that does. Request.get_response
andRequest.call_application
seek the input body to start before calling the app (if possible).- Accessing
req.body
‘rewinds’ the input stream back to pos 0 as well. - When accessing
req.POST
we now avoid making the body seekable as the input stream data are preserved inFakeCGIBody
anyway. - Add new method
Request.from_string
. - Make sure
Request.as_string()
uses CRLF to separate headers. - Improve parity between
Request.as_string()
and.from_file
/.from_string
methods, so that the latter can parse output of the former and create a similar request object which wasn’t always the case previously.
1.0.3
- Correct a caching issue introduced in WebOb 1.0.2 that was causing unnecessary reparsing of POST requests.
- Fix a bug regarding field names escaping for forms submitted as
multipart/form-data
. For more infromation see the bug report and discussion and 1.0.4 notes for further fix. - Add
req.http_version
attribute.
1.0.2
- Primary maintainer is now Sergey Schetinin.
- Issue tracker moved from Trac to bitbucket’s issue tracker
- WebOb 1.0.1 changed the behavior of
MultiDict.update
to be more in line with other dict-like objects. We now also issue a warning when we detect that the client code seems to expect the old, extending semantics. - Make
Response.set_cookie(key, None)
set the ‘delete-cookie’ (same as.delete_cookie(key)
) - Make
req.upath_info
andreq.uscript_name
settable - Add :meth:
Request.as_string()
method - Add a
req.is_body_seekable
property - Support for the
deflate
method withresp.decode_content()
- To better conform to WSGI spec we no longer attempt to use seek on
wsgi.input
file instead we assume it is not seekable unlessenv['webob.is_body_seekable']
is set. When making the body seekable we set that flag. - A call to
req.make_body_seekable()
now guarantees that the body is seekable, is at 0 position and that a correctreq.content_length
is present. req.body_file
is always seekable. To accessenv['wsgi.input']
without any processing, usereq.body_file_raw
. (Partially reverted in 1.0.4)- Fix responses to HEAD requests with Range.
- Fix
del resp.content_type
,del req.body
,del req.cache_control
- Fix
resp.merge_cookies()
when called with an argument that is not a Response instance. - Fix
resp.content_body = None
(was removing Cache-Control instead) - Fix
req.body_file = f
settingCONTENT_LENGTH
to-1
(now removes from environ) - Fix: make sure req.copy() leaves the original with seekable body
- Fix handling of WSGI environs with missing
SCRIPT_NAME
- A lot of tests were added by Mariano Mara and Danny Navarro.
1.0.1
- As WebOb requires Python 2.4 or later, drop some compatibility modules and update the code to use the decorator syntax.
- Implement optional on-the-fly response compression (
resp.encode_content(lazy=True)
) - Drop
util.safezip
module and makeutil
a module instead of a subpackage. Mergestatusreasons
into it. - Instead of using stdlib
Cookie
with monkeypatching, add a derived but thoroughly rewritten, cleaner, safer and fasterwebob.cookies
module. - Fix:
Response.merge_cookies
now copies the headers before modification instead of doing it in-place. - Fix: setting request header attribute to
None
deletes that header. (Bug only affected the 1.0 release). - Use
io.BytesIO
for the request body file on Python 2.7 and newer. - If a UnicodeMultiDict was used as the
multi
argument of another UnicodeMultiDict, and acgi.FieldStorage
with afilename
with high-order characters was present in the underlying UnicodeMultiDict, aUnicodeEncodeError
would be raised when any helper method caused the_decode_value
method to be called, because the method would try to decode an already decoded string. - Fix tests to pass under Python 2.4.
- Add descriptive docstrings to each exception in
webob.exc
. - Change the behaviour of
MultiDict.update
to overwrite existing header values instead of adding new headers. The extending semantics are now available via theextend
method. - Fix a bug in
webob.exc.WSGIHTTPException.__init__
. If a list ofheaders
was passed as a sequence which contained duplicate keys (for example, multipleSet-Cookie
headers), all but one of those headers would be lost, because the list was effectively flattened into a dictionary as the result of callingself.headers.update
. Fixed via callingself.headers.extend
instead.
1.0
- 1.0, yay!
- Pull in werkzeug Cookie fix for malformed cookie bug.
- Implement
Request.from_file()
andResponse.from_file()
which are kind of the inversion ofstr(req)
andstr(resp)
- Add optional
pattern
argument toRequest.path_info_pop()
that requires thepath_info
segment to match the passed regexp to get popped and returned. - Rewrite most of descriptor implementations for speed.
- Reorder descriptor declarations to group them by their semantics.
- Move code around so that there are fewer compat modules.
- Change :meth:
HTTPError.__str__
to better conform to PEP 352. - Make
Request.cache_control
a view on the headers. - Correct Accept-Language and Accept-Charset matching to fully conform to the HTTP spec.
- Expose parts of
Request.blank()
asenviron_from_url()
andenviron_add_POST()
- Fix Authorization header parsing for some corner cases.
- Fix an error generated if the user-agent sends a ‘Content_Length’ header (note the underscore).
- Kill
Request.default_charset
. Request charset defaults to UTF-8. This ensures that all values inreq.GET
,req.POST
andreq.params
are always unicode. - Fix the
headerlist
andcontent_type
constructor arguments priorities forHTTPError
and subclasses. - Add support for weak etags to conditional Response objects.
- Fix locale-dependence for some cookie dates strings.
- Improve overall test coverage.
- Rename class
webob.datastruct.EnvironHeaders
towebob.headers.EnvironHeaders
- Rename class
webob.headerdict.HeaderDict
towebob.headers.ResponseHeaders
- Rename class
webob.updatedict.UpdateDict
towebob.cachecontrol.UpdateDict
0.9.8
- Fix issue with WSGIHTTPException inadvertently generating unicode body and failing to encode it
- WWW-Authenticate response header is accessible as
response.www_authenticate
response.www_authenticate
andrequest.authorization
hold None or tuple(auth_method, params)
whereparams
is a dictionary (or a string whenauth_method
is not one of known auth schemes and for Authenticate: Basic …)- Don’t share response headers when getting a response like
resp = req.get_response(some_app)
; this can avoid some funny errors with modifying headers and reusing Response objects. - Add overwrite argument to
Response.set_cookie()
that make the new value overwrite the previously set. False by default. - Add strict argument to
Response.unset_cookie()
that controls if an exception should be raised in case there are no cookies to unset. True by default. - Fix
req.GET.copy()
- Make sure that 304 Not Modified responses generated by
Response.conditional_response_app()
exclude Content-{Length/Type} headers - Fix
Response.copy()
not being an independent copy - When the requested range is not satisfiable, return a 416 error (was returning entire body)
- Truncate response for range requests that go beyond the end of body (was treating as invalid).
0.9.7.1
- Fix an import problem with Pylons
0.9.7
- Moved repository from svn location to http://bitbucket.org/ianb/webob/
- Arguments to
Accept.best_match()
must be specific types, not wildcards. The server should know a list of specic types it can offer and usebest_match
to select a specific one. - With
req.accept.best_match([types])
prefer the first type in the list (previously it preferred later types). - Also, make sure that if the user-agent accepts multiple types and there are multiple matches to the types that the application offers,
req.accept.best_match([..])
returns the most specific match. So if the server can satisfy eitherimage/*
ortext/plain
types, the latter will be picked independent from the order the accepted or offered types are listed (given they have the same quality rating). - Fix Range, Content-Range and AppIter support all of which were broken in many ways, incorrectly parsing ranges, reporting incorrect content-ranges, failing to generate the correct body to satisfy the range from
app_iter
etc. - Fix assumption that presense of a
seek
method means that the stream is seekable. - Add
ubody
alias forResponse.unicode_body
- Add Unicode versions of
Request.script_name
andpath_info
:uscript_name
andupath_info
. - Split __init__.py into four modules: request, response, descriptors and datetime_utils.
- Fix
Response.body
access resetting Content-Length to zero for HEAD responses. - Support passing Unicode bodies to
WSGIHTTPException
constructors. - Make
bool(req.accept)
returnFalse
for requests with missing Accept header. - Add HTTP version to
Request.__str__()
output. - Resolve deprecation warnings for parse_qsl on Python 2.6 and newer.
- Fix
Response.md5_etag()
setting Content-MD5 in incorrect format. - Add
Request.authorization
property for Authorization header. - Make sure ETag value is always quoted (required by RFC)
- Moved most
Request
behavior into a new class namedBaseRequest
. TheRequest
class is now a superclass forBaseRequest
and a simple mixin which managesenviron['webob.adhoc_attrs']
when__setitem__
,__delitem__
and__getitem__
are called. This allows framework developers who do not want theenviron['webob.adhoc_attrs']
mutation behavior from__setattr__
. (chrism) - Added response attribute
response.content_disposition
for its associated header. - Changed how
charset
is determined onwebob.Request
objects. Now thecharset
parameter is read on the Content-Type header, if it is present. Otherwise adefault_charset
parameter is read, or thecharset
argument to the Request constructor. This is more similar to howwebob.Response
handles the charset. - Made the case of the Content-Type header consistent (note: this might break some doctests).
- Make
req.GET
settable, such thatreq.environ['QUERY_STRING']
is updated. - Fix problem with
req.POST
causing a re-parse of the body when you instantiate multipleRequest
objects over the same environ (e.g., when using middleware that looks atreq.POST
). - Recreate the request body properly when a
POST
includes file uploads. - When
req.POST
is updated, the generated body will include the new values. - Added a
POST
parameter towebob.Request.blank()
; when given this will create a request body for the POST parameters (list of two-tuples or dictionary-like object). Note: this does not handle unicode or file uploads. - Added method
webob.Response.merge_cookies()
, which takes theSet-Cookie
headers from a Response, and merges them with another response or WSGI application. (This is useful for flash messages.) - Fix a problem with creating exceptions like
webob.exc.HTTPNotFound(body='<notfound/>', content_type='application/xml')
(i.e., non-HTML exceptions). - When a Location header is not absolute in a Response, it will be made absolute when the Response is called as a WSGI application. This makes the response less bound to a specific request.
- Added webob.dec, a decorator for making WSGI applications from functions with the signature
resp = app(req)
.
0.9.6.1
- Fixed
Response.__init__()
, which for some content types would raise an exception. - The
req.body
property will not recreate a StringIO object unnecessarily when rereading the body.
0.9.6
- Removed environ_getter from
webob.Request
. This largely-unused option allowed a Request object to be instantiated with a dynamic underlying environ. Since it wasn’t used much, and might have been ill-advised from the beginning, and affected performance, it has been removed (from Chris McDonough). - Speed ups for
webob.Response.__init__()
andwebob.Request.__init__()
- Fix defaulting of
CONTENT_TYPE
instead ofCONTENT_LENGTH
to 0 inRequest.str_POST
. - Added
webob.Response.copy()
0.9.5
- Fix
Request.blank('/').copy()
raising an exception. - Fix a potential memory leak with HEAD requests and 304 responses.
- Make webob.html_escape() respect the
.__html__()
magic method, which allows you to use HTML in webob.exc.HTTPException instances. - Handle unicode values for
resp.location
. - Allow arbitrary keyword arguments to
exc.HTTP*
(the same keywords you can send towebob.Response
). - Allow setting
webob.Response.cache_expires()
(usually it is called as a method). This is primarily to allowResponse(cache_expires=True)
.
0.9.4
- Quiet Python 2.6 deprecation warnings.
- Added an attribute
unicode_errors
towebob.Response
— if set to something likeunicode_errors='replace'
it will decoderesp.body
appropriately. The default isstrict
(which was the former un-overridable behavior).
0.9.3
- Make sure that if changing the body the Content-MD5 header is removed. (Otherwise a lot of middleware would accidentally corrupt responses).
- Fixed
Response.encode_content('identity')
case (was a no-op even for encoded bodies). - Fixed
Request.remove_conditional_headers()
that was removing If-Match header instead of If-None-Match. - Fixed
resp.set_cookie(max_age=timedelta(...))
request.POST
now supports PUT requests with the appropriate Content-Type.
0.9.2
- Add more arguments to
Request.remove_conditional_headers()
for more fine-grained control: remove_encoding, remove_range, remove_match, remove_modified. All of them are True by default. - Add an set_content_md5 argument to
Response.md5_etag()
that calculates and sets Content-MD5 reponse header from current body. - Change formatting of cookie expires, to use the more traditional format
Wed, 5-May-2001 15:34:10 GMT
(dashes instead of spaces). Browsers should deal with either format, but some other code expects dashes. - Added in
sorted
function for backward compatibility with Python 2.3. - Allow keyword arguments to
webob.Request
, which assign attributes (possibly overwriting values in the environment). - Added methods
webob.Request.make_body_seekable()
andwebob.Request.copy_body()
, which make it easier to share a request body among different consuming applications, doing something like req.make_body_seekable(); req.body_file.seek(0)
0.9.1
request.params.copy()
now returns a writable MultiDict (before it returned an unwritable object).- There were several things broken with
UnicodeMultiDict
whendecode_param_names
is turned on (when the dictionary keys are unicode). - You can pass keyword arguments to
Request.blank()
that will be used to constructRequest
(e.g.,Request.blank('/', decode_param_names=True)
). - If you set headers like
response.etag
to a unicode value, they will be encoded as ISO-8859-1 (however, they will remain encoded, andresponse.etag
will not be a unicode value). - When parsing, interpret times with no timezone as UTC (previously they would be interpreted as local time).
- Set the Expires property on cookies when using
response.set_cookie()
. This is inherited frommax_age
. - Support Unicode cookie values
0.9
- Added
req.urlarg
, which represents positional arguments inenviron['wsgiorg.routing_args']
. - For Python 2.4, added attribute get/set proxies on exception objects from, for example,
webob.exc.HTTPNotFound().exception
, so that they act more like normal response objects (despite not being new-style classes orwebob.Response
objects). In Python 2.5 the exceptions arewebob.Response
objects.
Backward Incompatible Changes
- The
Response
constructor has changed: it is nowResponse([body], [status], ...)
(before it wasResponse([status], [body], ...)
). Body may be str or unicode. - The
Response
class defaults totext/html
for the Content-Type, andutf8
for the charset (charset is only set ontext/*
andapplication/*+xml
responses).
Bugfixes and Small Changes
- Use
BaseCookie
instead ofSimpleCookie
for parsing cookies. - Added
resp.write(text)
method, which is equivalent toresp.body += text
orresp.unicode_body += text
, depending on the type oftext
. - The
decode_param_names
argument (used likeRequest(decode_param_names=True)
) was being ignored. - Unicode decoding of file uploads and file upload filenames were causing errors when decoding non-file-upload fields (both fixes from Ryan Barrett).
0.8.5
- Added response methods
resp.encode_content()
andresp.decode_content()
to gzip or ungzip content. Response(status=404)
now works (before you would have to usestatus="404 Not Found"
).- Bugfix (typo) with reusing POST body.
- Added
226 IM Used
response status. - Backport of
string.Template
included for Python 2.3 compatibility.
0.8.4
__setattr__
would keepRequest
subclasses from having properly settable environ proxies (likereq.path_info
).
0.8.3
request.POST
was giving FieldStorage objects for every attribute, not just file uploads. This is fixed now.- Added request attributes
req.server_name
andreq.server_port
for the environ keysSERVER_NAME
andSERVER_PORT
. - Avoid exceptions in
req.content_length
, even ifenviron['CONTENT_LENGTH']
is somehow invalid.
0.8.2
- Python 2.3 compatibility: backport of
reversed(seq)
- Made separate
.exception
attribute onwebob.exc
objects, since new-style classes can’t be raised as exceptions. - Deprecate
req.postvars
andreq.queryvars
, instead using the sole namesreq.GET
andreq.POST
(alsoreq.str_GET
andreq.str_POST
). The old names give a warning; will give an error in next release, and be completely gone in the following release. req.user_agent
is now just a simple string (parsing the User-Agent header was just too volatile, and required too much knowledge about current browsers). Similarly,req.referer_search_query()
is gone.- Added parameters
version
andcomment
toResponse.set_cookie()
, per William Dode’s suggestion. - Was accidentally consuming file uploads, instead of putting the
FieldStorage
object directly in the parameters.
0.8.1
- Added
res.set_cookie(..., httponly=True)
to set theHttpOnly
attribute on the cookie, which keeps Javascript from reading the cookie. - Added some WebDAV-related responses to
webob.exc
- Set default
Last-Modified
when usingresponse.cache_expire()
(fixes issue with Opera) - Generally fix
.cache_control
0.8
First release. Nothing is new, or everything is new, depending on how you think about it.