Webob

Latest version: v1.8.9

0.8.2
-----

Not secure

* Python 2.3 compatibility: backport of ``reversed(seq)``

* Made separate ``.exception`` attribute on ``webob.exc`` objects,
  since new-style classes can't be raised as exceptions.

* Deprecate ``req.postvars`` and ``req.queryvars``, instead using the
  sole names ``req.GET`` and ``req.POST`` (also ``req.str_GET`` and
  ``req.str_POST``). The old names give a warning; will give an error
  in next release, and be completely gone in the following release.

* ``req.user_agent`` is now just a simple string (parsing the
  User-Agent header was just too volatile, and required too much
  knowledge about current browsers). Similarly,
  ``req.referer_search_query()`` is gone.

* Added parameters ``version`` and ``comment`` to
  ``Response.set_cookie()``, per William Dode's suggestion.

* Was accidentally consuming file uploads, instead of putting the
  ``FieldStorage`` object directly in the parameters.

0.8.1
-----

Not secure

* Added ``res.set_cookie(..., httponly=True)`` to set the ``HttpOnly``
  attribute on the cookie, which keeps JavaScript from reading the
  cookie.

* Added some WebDAV-related responses to ``webob.exc``

* Set default ``Last-Modified`` when using ``response.cache_expire()``
  (fixes issue with Opera)

* Generally fix ``.cache_control``

0.8
---

Not secure

First release. Nothing is new, or everything is new, depending on how
you think about it.



Unreleased
----------

Security Fix
~~~~~~~~~~~~

- The use of WebOb's Response object to redirect a request to a new location
  can lead to an open redirect if the Location header is not a full URI.

  See https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
  and CVE-2024-42353

  Thanks to Sara Gao for the report
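
An application-side guard for the redirect case above, added here as an example; it is not WebOb's code or its fix. It uses the standard library's ``urljoin`` to stand in for relative-reference resolution, and the function names and ``.test`` hosts are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample request URL; the .test hosts are placeholders.
REQUEST_URL = "https://app.example.test/account/login"


def resolve_location(request_url: str, location: str) -> str:
    """Resolve a Location value against the request URL (RFC 3986, section 5)."""
    return urljoin(request_url, location)


def is_same_origin(request_url: str, location: str) -> bool:
    """True only if the resolved Location keeps the request's scheme and host."""
    # Browsers treat backslashes like slashes and drop tabs and newlines,
    # so refuse such values rather than guess how a client will parse them.
    if any(ch in location for ch in "\\\r\n\t") or location != location.strip():
        return False
    base = urlsplit(request_url)
    target = urlsplit(resolve_location(request_url, location))
    return (target.scheme, target.netloc.lower()) == (base.scheme, base.netloc.lower())


def safe_location(request_url: str, location: str, fallback: str = "/") -> str:
    """Return an absolute, same-origin Location, or the fallback path."""
    if not is_same_origin(request_url, location):
        location = fallback
    return resolve_location(request_url, location)


if __name__ == "__main__":
    for candidate in ("/dashboard", "settings", "//other.test/x", "https://other.test/"):
        print(f"{candidate!r:24} -> {safe_location(REQUEST_URL, candidate)}")
```

A value that is not a full URI is not necessarily same-host: a leading ``//`` is a network-path reference and resolves to a different authority, which is why the check compares the resolved result instead of looking for a scheme.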
