Webob

Latest version: v1.8.9


Page 1 of 9

1.8.8

Feature
~~~~~~~

- Rename "master" git branch to "main"

- Add support for Python 3.12.

- Add Request.remote_host, exposing REMOTE_HOST environment variable.

- Added ``acceptparse.Accept.parse_offer`` to codify what types of offers
are compatible with ``acceptparse.AcceptValidHeader.acceptable_offers``,
``acceptparse.AcceptMissingHeader.acceptable_offers``, and
``acceptparse.AcceptInvalidHeader.acceptable_offers``. This API also
normalizes the offer with lowercased type/subtype and parameter names.
See https://github.com/Pylons/webob/pull/376 and
https://github.com/Pylons/webob/pull/379

Compatibility
~~~~~~~~~~~~~


Backwards Incompatibilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Drop support for Python 2.7, 3.4, 3.5, 3.6, and 3.7.

Experimental Features
~~~~~~~~~~~~~~~~~~~~~

- The SameSite value now includes a new option named "None". This is a new
change that was introduced in
https://tools.ietf.org/html/draft-west-cookie-incrementalism-00

Please be aware that older clients are incompatible with this change:
https://www.chromium.org/updates/same-site/incompatible-clients. WebOb does
not enable SameSite on cookies by default, so there is no backwards
incompatible change here.

See https://github.com/Pylons/webob/issues/406

- Validation of SameSite values can be disabled by toggling a module flag. This
is in anticipation of future changes in evolving cookie standards.
The discussion in https://github.com/Pylons/webob/pull/407 (which initially
expanded the allowed options) notes that a sudden change to browser cookie
implementation details may happen again.

In May 2019, Google announced a new model for privacy controls in their
browsers, which affected the list of valid options for the SameSite attribute
of cookies. In late 2019, the company began to roll out these changes to their
browsers to force developer adoption of the new specification.
See https://www.chromium.org/updates/same-site and
https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for more
details on this change.

See https://github.com/Pylons/webob/pull/409


Bugfix
~~~~~~

- Response.content_type now accepts unicode strings on Python 2 and encodes
them to latin-1. See https://github.com/Pylons/webob/pull/389 and
https://github.com/Pylons/webob/issues/388

- Accept header classes now support a .copy() function that may be used to
create a copy. This allows ``create_accept_header`` and other like functions
to accept a pre-existing Accept header. See
https://github.com/Pylons/webob/pull/386 and
https://github.com/Pylons/webob/issues/385

- SameSite may now be passed as str or bytes to `Response.set_cookie` and
`cookies.make_cookie`. This was an oversight as all other arguments would be
correctly coerced before being serialized. See
https://github.com/Pylons/webob/issues/361 and
https://github.com/Pylons/webob/pull/362

- acceptparse.MIMEAccept which is deprecated in WebOb 1.8.0 made a backwards
incompatible change that led to it raising on an invalid Accept header. This
behaviour has now been reversed, as well as some other fixes to allow
MIMEAccept to behave more like the old version. See
https://github.com/Pylons/webob/pull/356

- ``acceptparse.AcceptValidHeader``, ``acceptparse.AcceptInvalidHeader``, and
``acceptparse.AcceptNoHeader`` will now always ignore offers that do not
match the required media type grammar when calling ``.acceptable_offers()``.
Previous versions raised a ``ValueError`` for invalid offers in
``AcceptValidHeader`` and returned them as acceptable in the others.
See https://github.com/Pylons/webob/pull/372

- ``Response.body_file.write`` and ``Response.write`` now return the written
length. See https://github.com/Pylons/webob/pull/422

Warnings
~~~~~~~~

- Some backslashes introduced with the new accept handling code were causing
DeprecationWarnings upon compiling the source to pyc files. All of the
backslashes have been reined in as appropriate, and users should no longer
see DeprecationWarnings for invalid escape sequence. See
https://github.com/Pylons/webob/issues/384

1.8.0

Not secure
------------------

Feature
~~~~~~~

- ``request.POST`` now supports any requests with the appropriate
Content-Type. Allowing any HTTP method to access form encoded content,
including DELETE, PUT, and others. See
https://github.com/Pylons/webob/pull/352

Compatibility
~~~~~~~~~~~~~

- WebOb is no longer officially supported on Python 3.3 which was EOL'ed on
2017-09-29.

Backwards Incompatibilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Many changes have been made to the way WebOb does Accept handling, not just
for the Accept header itself, but also for Accept-Charset, Accept-Encoding
and Accept-Language. This was a `Google Summer of Code
<https://summerofcode.withgoogle.com/>`_ project completed by
Whiteroses (https://github.com/whiteroses). Many thanks to Google for running
GSoC, the Python Software Foundation for organising and a huge thanks to Ira
for completing the work. See https://github.com/Pylons/webob/pull/338 and
https://github.com/Pylons/webob/pull/335. Documentation is available at
https://docs.pylonsproject.org/projects/webob/en/main/api/webob.html

- When calling a ``wsgify`` decorated function, the default arguments passed
to ``wsgify`` are now used when called with the request, and not as a
`start_response`:

.. code::

   from webob import Request
   from webob.dec import wsgify

   def hello(req, name):
       return "Hello, %s!" % name

   # Default positional arguments are bound at decoration time.
   app = wsgify(hello, args=("Fred",))

   req = Request.blank('/')
   resp = req.get_response(app)  # => "Hello, Fred!"
   resp2 = app(req)  # => "Hello, Fred!"

Previously the ``resp2`` line would have failed with a ``TypeError``. With
this change there is no way to override the default arguments with no
arguments. See https://github.com/Pylons/webob/pull/203

- When setting ``app_iter`` on a ``Response`` object the ``content_md5`` header
is no longer cleared. This behaviour is odd and disallows setting the
``content_md5`` and then returning an iterator for chunked content encoded
responses. See https://github.com/Pylons/webob/issues/86

Experimental Features
~~~~~~~~~~~~~~~~~~~~~

These features are experimental and may change at any point in the future.

- The cookie APIs now have the ability to set the SameSite attribute on a
cookie in both ``webob.cookies.make_cookie`` and
``webob.cookies.CookieProfile``. See https://github.com/Pylons/webob/pull/255

Bugfix
~~~~~~

- Exceptions now use string.Template.safe_substitute rather than
string.Template.substitute. The latter would raise for missing mappings, the
former will simply not substitute the missing variable. This is safer in case
the WSGI environ does not contain the keys necessary for the body template.
See https://github.com/Pylons/webob/issues/345.

- Request.host_url, Request.host_port, Request.domain correctly parse IPv6 Host
headers as provided by a browser. See
https://github.com/Pylons/webob/pull/332

- Request.authorization would raise ValueError for unusual or malformed header
values. See https://github.com/Pylons/webob/issues/231

- Allow unnamed fields in form data to be properly transcoded when calling
request.decode with an alternate encoding. See
https://github.com/Pylons/webob/pull/309

- ``Response.__init__`` would discard ``app_iter`` when a ``Response`` had no
body. This would cause issues when ``app_iter`` was an object that was tied
to the life-cycle of a web application and had to be properly closed.
``app_iter`` is a more advanced API for ``Response`` and thus even if it
contains a body and is thus against the HTTP RFCs, we should let the users
shoot themselves by returning a body. See
https://github.com/Pylons/webob/issues/305

1.7rc1

-------------------

Compatibility
~~~~~~~~~~~~~

- WebOb is no longer supported on Python 2.6 and PyPy3 (due to pip no longer
supporting Python 3.2 even on PyPy)

Backwards Incompatibility
~~~~~~~~~~~~~~~~~~~~~~~~~

- ``Response.set_cookie`` no longer accepts a key argument. This was deprecated
in WebOb 1.5 and as mentioned in the deprecation, is being removed in 1.7

- ``Response.__init__`` will no longer set the default Content-Type, nor
Content-Length on Responses that don't have a body. This allows WebOb to
return proper responses for things like `Response(status='204 No Content')`.

- ``Response.text`` will no longer raise if the Content-Type does not have a
charset; it will fall back to using the new ``default_body_encoding``. To get
the old behaviour back please sub-class ``Response`` and set
``default_body_encoding`` to ``None``. See
https://github.com/Pylons/webob/pull/287

- WebOb no longer supports Chunked Encoding. This means that if you are using
WebOb and need Chunked Encoding you will be required to have a proxy that
unchunks the request for you. Please read
https://github.com/Pylons/webob/issues/279 for more background.

Feature
~~~~~~~

- ``Response`` has a new ``default_body_encoding`` which may be used to allow
getting/setting ``Response.text`` when a Content-Type has no charset. See
https://github.com/Pylons/webob/pull/287

- ``webob.Request`` with any HTTP method is now allowed to have a body. This
allows DELETE to have a request body for passing extra information. See
https://github.com/Pylons/webob/pull/283 and
https://github.com/Pylons/webob/pull/274

- Add ``tell()`` to ``ResponseBodyFile`` so that it may be used for example for
zipfile support. See https://github.com/Pylons/webob/pull/117

- Allow the return from ``wsgify.middleware`` to be used as a decorator. See
https://github.com/Pylons/webob/pull/228

Bugfix
~~~~~~

- Fixup ``cgi.FieldStorage`` on Python 3.x to work-around issue reported in
Python bug report 27777 and 24764. This is currently applied for Python
versions less than 3.7. See https://github.com/Pylons/webob/pull/294

- ``Response.set_cookie`` now accepts ``datetime`` objects for the ``expires``
kwarg and will correctly convert them to UTC with no tzinfo for use in
calculating the ``max_age``. See https://github.com/Pylons/webob/issues/254
and https://github.com/Pylons/webob/pull/292

- Fixes ``request.PATH_SAFE`` to contain all of the path safe characters
according to RFC3986. See https://github.com/Pylons/webob/pull/291

- WebOb's exceptions will lazily read underlying variables when inserted into
templates to avoid expensive computations/crashes when inserting into the
template. This had a bad performance regression on Py27 because of the way
the lazified class was created and returned. See
https://github.com/Pylons/webob/pull/284

- ``wsgify.__call__`` raised a ``TypeError`` with an unhelpful message, it will
now return the ``repr`` for the wrapped function:
https://github.com/Pylons/webob/issues/119

- ``Response.content_type`` removes the charset content-type parameter unless
the new content-type is a text like type that has a charset parameter. See
https://github.com/Pylons/webob/pull/261 and
https://github.com/Pylons/webob/issues/130

- ``Response.json``'s ``json.dumps``/``json.loads`` are now always UTF-8. It no
longer tries to use the charset.

- The ``Response.__init__`` will by default no longer set the Content-Type to
the default if a ``headerlist`` is provided. This fixes issues whereby
``Request.get_response()`` would return a Response that didn't match the
actual response. See https://github.com/Pylons/webob/pull/261 and
https://github.com/Pylons/webob/issues/205

- Cleans up the remainder of the issues with the updated WebOb exceptions that
were taught to return JSON in version 1.6. See
https://github.com/Pylons/webob/issues/237 and
https://github.com/Pylons/webob/issues/236

- ``Response.from_file`` now parses the status line correctly when the status
line contains an HTTP version, as well as a status text that contains
multiple white spaces (e.g. HTTP/1.1 404 Not Found). See
https://github.com/Pylons/webob/issues/250

- ``Response`` now has a new property named ``has_body`` that may be used to
interrogate the ``Response`` to find out if ``Response.body`` is or isn't
set.

This is used in the exception handling code so that if you use a WebOb HTTP
Exception and pass a generator to ``app_iter`` WebOb won't attempt to read
the whole thing and instead allows it to be returned to the WSGI server. See
https://github.com/Pylons/webob/pull/259

1.6.0

Not secure
------------------

Compatibility
~~~~~~~~~~~~~

- Python 3.2 is no longer supported by WebOb

Bugfix
~~~~~~

- Request.decode attempted to read from an already consumed stream; it has
now been redirected to another stream to read from. See
https://github.com/Pylons/webob/pull/183

- The application/json media type does not allow for a charset as discovery of
the encoding is done at the JSON layer. Upon initialization of a Response
WebOb will no longer add a charset if the content-type is set to JSON. See
https://github.com/Pylons/webob/pull/197 and
https://github.com/Pylons/pyramid/issues/1611

Features
~~~~~~~~

- Lazily HTML escapes environment keys in HTTP Exceptions so that those keys in
the environ that are not used in the output of the page don't raise an
exception due to inability to be properly escaped. See
https://github.com/Pylons/webob/pull/139

- MIMEAccept now accepts comparisons against wildcards, this allows one to
match on just the media type or sub-type, without having to explicitly match
on both the media type and sub-type at the same time. See
https://github.com/Pylons/webob/pull/185

- Add the ability to return a JSON body from an exception. Using the Accept
information in the request, the exceptions will now automatically return a
JSON version of the exception instead of just HTML or text. See
https://github.com/Pylons/webob/pull/230 and
https://github.com/Pylons/webob/issues/209

Security
~~~~~~~~

- exc._HTTPMove and any subclasses will now raise a ValueError if the location
field contains a line feed or carriage return. These values may lead to
possible HTTP Response Splitting. The header_getter descriptor has also been
modified to no longer accept headers with a line feed or carriage return.
See: https://github.com/Pylons/webob/pull/229 and
https://github.com/Pylons/webob/issues/217
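
The CR/LF rejection described in the Security entry above, shown as an added example that is not WebOb's own code. It uses only the standard library; ``serialize_response``, ``parse_header_names``, ``checked_header_value``, ``redirect`` and the ``UNTRUSTED`` sample value are hypothetical names constructed for this illustration.

```python
# Added illustration (not WebOb source): why a CR or LF inside a header value
# splits the response, and the ValueError-style check that prevents it.

def serialize_response(status, headers):
    """Join status line and headers the way a raw HTTP/1.1 writer would."""
    lines = ["HTTP/1.1 " + status]
    lines += ["%s: %s" % (name, value) for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_header_names(raw):
    """Return the header names a downstream parser (proxy, browser) would see."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:] if ":" in line]


def checked_header_value(name, value):
    """Hypothetical helper: reject CR or LF, as the changelog entry describes."""
    if "\r" in value or "\n" in value:
        raise ValueError("Header %s must not contain CR or LF: %r" % (name, value))
    return value


def redirect(location, validate):
    """Build a 302 response; `validate` toggles the CR/LF check."""
    if validate:
        location = checked_header_value("Location", location)
    return serialize_response("302 Found", [("Location", location)])


# Constructed input: a redirect target copied from an untrusted request value.
UNTRUSTED = "/home\r\nSet-Cookie: session=constructed-value"

if __name__ == "__main__":
    # Without the check, one logical header becomes two on the wire.
    print(parse_header_names(redirect(UNTRUSTED, validate=False)))
    try:
        redirect(UNTRUSTED, validate=True)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting the value outright, rather than stripping the control characters, keeps the failure visible to the caller that passed untrusted data into a header.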

1.5.1

Not secure
------------------

Bug Fixes
~~~~~~~~~

- The exceptions HTTPNotAcceptable, HTTPUnsupportedMediaType and
HTTPNotImplemented will now correctly use the sub-classed template rather
than the default error template. See https://github.com/Pylons/webob/issues/221

- Response's from_file now correctly deals with a status line that contains an
HTTP version identifier. HTTP/1.1 200 OK is now correctly parsed, whereas
before this would raise an error upon setting the Response.status in
from_file. See https://github.com/Pylons/webob/issues/121

1.5.0

Not secure
------------------

Bug Fixes
~~~~~~~~~

- The cookie API functions will now make sure that `max_age` is an integer or
a string that can convert to an integer. Previously passing in
max_age='test' would have silently done the wrong thing.

Features
~~~~~~~~

- Unbreak req.POST when the request method is PATCH. Instead of returning
something completely unrelated we return NoVar. See:
https://github.com/Pylons/webob/pull/215

- HTTP Status Code 308 is now supported as a Permanent Redirect. See
https://github.com/Pylons/webob/pull/207

Backwards Incompatibilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~

- ``Response.set_cookie`` renamed the only required parameter from "key" to
"name". The code will now still accept "key" as a keyword argument, and will
issue a DeprecationWarning until WebOb 1.7.

- The ``status`` attribute of a ``Response`` object no longer takes a string
like ``None None`` and allows that to be set as the status. It now has to at
least match the pattern of ``<integer status code> <explanation of status
code>``. Invalid status strings will now raise a ``ValueError``.
