What’s New in WebOb 1.6

Compatibility

  • Python 3.2 is no longer a supported platform by WebOb

Security

  • exc._HTTPMove and any subclasses will now raise a ValueError if the location field contains a line feed or carriage return. These values may lead to possible HTTP Response Splitting. The header_getter descriptor has also been modified to no longer accept headers with a line feed or carriage return.

    WebOb does not protect against all possible ways of injecting line feeds or carriage returns into headers, and should only be thought of as a single line of defense. Any user input should be sanitized.

    See https://github.com/Pylons/webob/pull/229 and https://github.com/Pylons/webob/issues/217 for more information.

Features

  • When WebOb sends an HTTP Exception it will now lazily escape the keys in the environment, so that only those keys that are actually used in the HTTP exception are escaped. This solves the problem of keys that are not serializable as a string in the environment. See https://github.com/Pylons/webob/pull/139 for more information.

  • MIMEAccept now accepts comparisons against wildcards, this allows one to match on just the media type or sub-type.

    Example:

    1. >>> accept = MIMEAccept('text/html')
    2. >>> 'text/*' in accept
    3. True
    4. >>> '*/html' in accept
    5. True
    6. >>> '*' in accept
    7. True
  • WebOb uses the user agent’s Accept header to change what type of information is returned to the client. This allows the HTTP Exception to return either HTML, text, or a JSON response. This allows WebOb HTTP Exceptions to be used in applications where the client is expecting a JSON response. See https://github.com/Pylons/webob/pull/230 and https://github.com/Pylons/webob/issues/209 for more information.

Bugfixes