Webob

Latest version: v1.8.9


Page 2 of 9

1.5.0a0

Not secure
--------------------

Backwards Incompatibilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~

- ``Morsel`` will no longer accept a cookie value that does not meet RFC6265's
cookie-octet specification. Upon calling ``Morsel.serialize`` a warning will
be issued; in the future this will raise a ``ValueError``. Please update your
cookie handling code. See https://github.com/Pylons/webob/pull/172

The cookie-octet specification in RFC6265 states the following characters are
valid in a cookie value:

===============  =======================================
Hex Range        Actual Characters
===============  =======================================
``[0x21 ]``      ``!``
``[0x25-0x2B]``  ``$%&'()*+``
``[0x2D-0x3A]``  ``-./0123456789:``
``[0x3C-0x5B]``  ``<=>?ABCDEFGHIJKLMNOPQRSTUVWXYZ[``
``[0x5D-0x7E]``  ``]^_`abcdefghijklmnopqrstuvwxyz{|}~``
===============  =======================================

RFC6265 suggests using base 64 to serialize data before storing data in a
cookie.

Cookies that meet the RFC6265 standard will no longer be quoted, as this is
unnecessary. This is a no-op as far as browsers and cookie storage are
concerned.

- ``Response.set_cookie`` now uses the internal ``make_cookie`` API, which will
issue warnings if cookies are set with invalid bytes. See
https://github.com/Pylons/webob/pull/172
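
Added example (not WebOb's own code; standard library only): a check of a cookie value against the ``cookie-octet`` grammar of RFC 6265 section 4.1.1 (``%x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E``), a warning on non-conforming bytes as described above, and the base64 packing the RFC suggests. The function names are hypothetical.

```python
import base64
import warnings

# cookie-octet, RFC 6265 section 4.1.1:
#   %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# i.e. printable US-ASCII without space, DQUOTE, comma, semicolon, backslash.
_RANGES = ((0x21, 0x21), (0x23, 0x2B), (0x2D, 0x3A), (0x3C, 0x5B), (0x5D, 0x7E))
COOKIE_OCTETS = frozenset(b for lo, hi in _RANGES for b in range(lo, hi + 1))


def invalid_octets(value: bytes) -> list:
    """Return (offset, byte) pairs for every byte that is not a cookie-octet."""
    return [(i, b) for i, b in enumerate(value) if b not in COOKIE_OCTETS]


def checked_value(value: bytes) -> bytes:
    """Warn on a non-conforming value (a later release may raise instead)."""
    bad = invalid_octets(value)
    if bad:
        detail = ", ".join(f"0x{b:02X} at offset {i}" for i, b in bad)
        warnings.warn(f"cookie value is not RFC 6265 compliant: {detail}",
                      RuntimeWarning, stacklevel=2)
    return value


def pack(data: bytes) -> bytes:
    """Base64-encode arbitrary data; the output contains cookie-octets only."""
    return base64.urlsafe_b64encode(data)


def unpack(value: bytes):
    """Inverse of pack(); returns None for a value that does not decode."""
    if invalid_octets(value):
        return None
    try:
        return base64.b64decode(value, altchars=b"-_", validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
```
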

Features
~~~~~~~~

- Add support for some new caching headers, stale-while-revalidate and
stale-if-error that can be used by reverse proxies to cache stale responses
temporarily if the backend disappears. From RFC5861. See
https://github.com/Pylons/webob/pull/189

Bug Fixes
~~~~~~~~~

- Response.status now uses duck-typing for integers, and has also learned to
raise a ValueError if the status isn't an integer followed by a space, and
then the reason. See https://github.com/Pylons/webob/pull/191

- Fixed a bug in ``webob.multidict.GetDict`` which resulted in the
QUERY_STRING not being updated when changes were made to query
params using ``Request.GET.extend()``.

- Read the body of a request if we think it might have a body. This fixes PATCH
to support bodies. See https://github.com/Pylons/webob/pull/184

- Response.from_file returns HTTP headers as latin1 rather than UTF-8. This
fixes the usage on Google AppEngine. See
https://github.com/Pylons/webob/issues/99 and
https://github.com/Pylons/webob/pull/150

- Fix a bug in parsing the auth parameters that contained bad white space. This
makes the parsing fall in line with what's required in RFC7235. See
https://github.com/Pylons/webob/issues/158

- Use '\r\n' line endings in ``Response.__str__``. See:
https://github.com/Pylons/webob/pull/146

Documentation Changes
~~~~~~~~~~~~~~~~~~~~~

- ``response.set_cookie`` now has proper documentation for ``max_age`` and
``expires``. The code has also been refactored to use ``cookies.make_cookie``
instead of duplicating the code. This fixes
https://github.com/Pylons/webob/issues/166 and
https://github.com/Pylons/webob/issues/171

- Documentation didn't match the actual code for the wsgify function signature.
See https://github.com/Pylons/webob/pull/167

- Remove the "WebDAV only" wording from certain HTTP Exceptions; these
exceptions may also be used by REST services, for example.

1.4

Not secure
----------------

Features
~~~~~~~~

- Remove ``webob.__version__``; the version number had not been kept in sync
with the official pkg version. To obtain the WebOb version number, use
``pkg_resources.get_distribution('webob').version`` instead.

Bug Fixes
~~~~~~~~~

- Fix a bug in ``EmptyResponse`` that prevented it from setting ``self.close``
as appropriate, because it tested the truthiness of the object rather than
whether it was something other than ``None``.

- Fix a bug in ``SignedSerializer`` preventing secrets from containing
higher-order characters. See https://github.com/Pylons/webob/issues/136

- Use the ``hmac.compare_digest`` method when available for constant-time
comparisons.

1.3.1

Not secure
------------------

Bug Fixes
~~~~~~~~~

- Fix a bug in ``SignedCookieProfile`` whereby we didn't keep the original
serializer around. This caused a ``SignedSerializer`` to be added on top of a
``SignedSerializer``, so it was run twice when attempting to verify a cookie.
See https://github.com/Pylons/webob/pull/127

Backwards Incompatibilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~

- When ``CookieProfile.get_value`` and ``SignedCookieProfile.get_value`` fails
to deserialize a badly encoded value, we now return ``None`` as if the cookie
was never set in the first place instead of allowing a ``ValueError`` to be
raised to the calling code. See https://github.com/Pylons/webob/pull/126
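
Added example (not WebOb's own ``SignedSerializer`` code; standard library only): a signed cookie value that shows the constant-time comparison with ``hmac.compare_digest`` noted under 1.4, a secret containing non-ASCII characters, and the behaviour described here of returning ``None`` for a value that fails to decode or verify. The function names, the HMAC-SHA256 construction and the salt-derived key are this example's assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json


def _key(secret: str, salt: str) -> bytes:
    # UTF-8 encode so secrets may contain non-ASCII characters; the salt
    # separates keys for different cookies that share one secret.
    return hmac.new(secret.encode("utf-8"), salt.encode("utf-8"),
                    hashlib.sha256).digest()


def sign(secret: str, salt: str, obj) -> bytes:
    """Serialize obj to JSON and prepend an HMAC-SHA256 tag; base64url output."""
    payload = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(_key(secret, salt), payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + payload).rstrip(b"=")


def verify(secret: str, salt: str, cookie: bytes):
    """Return the signed object, or None for a malformed or forged value."""
    try:
        raw = base64.urlsafe_b64decode(cookie + b"=" * (-len(cookie) % 4))
    except (binascii.Error, ValueError):
        return None
    tag, payload = raw[:32], raw[32:]
    expected = hmac.new(_key(secret, salt), payload, hashlib.sha256).digest()
    # Constant-time comparison: run time does not depend on where the
    # first differing byte is, unlike ``tag == expected``.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(payload.decode("utf-8"))
    except ValueError:
        return None
```
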

1.3

Not secure
----------------

Features
~~~~~~~~

- Added a read-only ``domain`` property to ``BaseRequest``. This property
returns the domain portion of the host value. For example, if the
environment contains an ``HTTP_HOST`` value of ``foo.example.com:8000``,
``request.domain`` will return ``foo.example.com``.

- Added five new APIs: ``webob.cookies.CookieProfile``,
``webob.cookies.SignedCookieProfile``, ``webob.cookies.JSONSerializer``,
``webob.cookies.SignedSerializer`` and ``webob.cookies.make_cookie``. These
APIs are convenience APIs for generating and parsing cookie headers as well
as dealing with signing cookies.

- Cookies generated via webob.cookies quoted characters in cookie values that
did not need to be quoted per RFC 6265. The following characters are no
longer quoted in cookie values: ``~/=<>()[]{}?`` . The full set of
non-letter-or-digit unquoted cookie value characters is now
``!$%&'*+-.^_`|~/: =<>()[]{}?``. See
https://tools.ietf.org/html/rfc6265#section-4.1.1 for more information.

- Cookie names are now restricted to the set of characters expected by RFC
6265. Previously they could contain unsupported characters such as ``/``.

- Older versions of Webob escaped the doublequote to ``\"`` and the backslash
to ``\\`` when quoting cookie values. Now, instead, cookie serialization
generates ``\042`` for the doublequote and ``\134`` for the backslash. This
is what is expected as per RFC 6265. Note that old cookie values that do
have the older style quoting in them will still be unquoted correctly,
however.

- Added support for draft status code 451 ("Unavailable for Legal Reasons").
See https://tools.ietf.org/html/draft-tbray-http-legally-restricted-status-00

- Added status codes 428, 429, 431 and 511 to ``util.status_reasons`` (they
were already present in a previous release as ``webob.exc`` exceptions).

Bug Fixes
~~~~~~~~~

- MIMEAccept happily parsed malformed wildcard strings like "image/pn*" at
parse time, but then threw an AssertionError during matching. See
https://github.com/Pylons/webob/pull/83 .

- Preserve document ordering of GET and POST request data when POST data passed
to Request.blank is a MultiDict. See https://github.com/Pylons/webob/pull/96

- Allow query strings attached to PATCH requests to populate request.params.
See https://github.com/Pylons/webob/pull/106

- Added Python 3.3 trove classifier.

1.2.3

Not secure
------------

* Maintainership transferred to `Pylons Project <http://www.pylonsproject.org/>`_

* Fix parsing of form submissions where fields have
transfer-content-encoding headers.

1.2.2

Not secure
------------

* Fix multiple calls to ``cache_expires()`` not fully overriding the
previously set headers.

* Fix parsing of form submissions where fields have different encodings.


© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.