diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index 69a7129..0000000
--- a/.travis.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Wire up travis
-language: python
-sudo: false
-
-matrix:
- include:
- - python: 2.7
- env: TOXENV=py27
- - python: 3.4
- env: TOXENV=py34
- - python: 3.5
- env: TOXENV=py35
- - python: 3.6
- env: TOXENV=py36
- - python: 3.6
- env: TOXENV=docs
- - python: nightly
- env: TOXENV=py37
- - python: pypy
- env: TOXENV=pypy
- - python: 3.6
- env: TOXENV=py27,py36,coverage
- allow_failures:
- - env: TOXENV=py37
-
-install:
- - travis_retry pip install tox
-
-script:
- - travis_retry tox
-
-notifications:
- email:
- - pyramid-checkins@lists.repoze.org
diff --git a/CHANGES.txt b/CHANGES.txt
index 429fdd7..4136c5f 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,3 +1,39 @@
+1.8.9 (2024-11-23)
+------------------
+
+Bugfix
+~~~~~~
+
+- Add `legacy-cgi` to required packages to be installed for Python 3.13
+ compatibility. See https://github.com/Pylons/webob/pull/469
+
+1.8.8 (2024-08-13)
+------------------
+
+Security Fix
+~~~~~~~~~~~~
+
+- The use of WebOb's Response object to redirect a request to a new location
+ can lead to an open redirect if the Location header is not a full URI.
+
+ See https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
+ and CVE-2024-42353
+
+ Thanks to Sara Gao for the report
+
+1.8.7 (2021-02-17)
+------------------
+
+Bugfix
+~~~~~~
+
+- Decoding deflate-encoded responses now supports data which is packed in
+ a zlib container as it is supposed to be. The old, non-standard behaviour
+ is still supported.
+
+ See https://github.com/Pylons/webob/pull/426
+
+
1.8.6 (2020-01-21)
------------------
diff --git a/MANIFEST.in b/MANIFEST.in
new file mode 100644
index 0000000..9442ef8
--- /dev/null
+++ b/MANIFEST.in
@@ -0,0 +1,15 @@
+graft src
+graft docs
+prune docs/_build
+graft tests
+
+include README.rst
+include CHANGES.txt HISTORY.txt
+include contributing.md RELEASING.rst
+include pyproject.toml
+include .coveragerc .flake8 tox.ini
+include .readthedocs.yaml
+include appveyor.yml rtd.txt
+
+global-exclude __pycache__ *.py[cod]
+global-exclude .DS_Store
diff --git a/PKG-INFO b/PKG-INFO
index 3a96fdc..024013e 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,258 +1,13 @@
Metadata-Version: 2.1
Name: WebOb
-Version: 1.8.6
+Version: 1.8.9
Summary: WSGI request and response object
Home-page: http://webob.org/
Author: Ian Bicking
Author-email: ianb@colorstudy.com
Maintainer: Pylons Project
License: MIT
-Description: WebOb
- =====
-
- .. image:: https://travis-ci.org/Pylons/webob.png?branch=master
- :target: https://travis-ci.org/Pylons/webob
-
- .. image:: https://readthedocs.org/projects/webob/badge/?version=stable
- :target: https://docs.pylonsproject.org/projects/webob/en/stable/
- :alt: Documentation Status
-
- WebOb provides objects for HTTP requests and responses. Specifically
- it does this by wrapping the `WSGI `_ request
- environment and response status/headers/app_iter(body).
-
- The request and response objects provide many conveniences for parsing
- HTTP request and forming HTTP responses. Both objects are read/write:
- as a result, WebOb is also a nice way to create HTTP requests and
- parse HTTP responses.
-
- Support and Documentation
- -------------------------
-
- See the `WebOb Documentation website `_ to view
- documentation, report bugs, and obtain support.
-
- License
- -------
-
- WebOb is offered under the `MIT-license
- `_.
-
- Authors
- -------
-
- WebOb was authored by Ian Bicking and is currently maintained by the `Pylons
- Project `_ and a team of contributors.
-
- 1.8.6 (2020-01-21)
- ------------------
-
- Experimental Features
- ~~~~~~~~~~~~~~~~~~~~~
-
- - The SameSite value now includes a new option named "None", this is a new
- change that was introduced in
- https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
-
- Please be aware that older clients are incompatible with this change:
- https://www.chromium.org/updates/same-site/incompatible-clients, WebOb does
- not enable SameSite on cookies by default, so there is no backwards
- incompatible change here.
-
- See https://github.com/Pylons/webob/issues/406
-
- - Validation of SameSite values can be disabled by toggling a module flag. This
- is in anticipation of future changes in evolving cookie standards.
- The discussion in https://github.com/Pylons/webob/pull/407 (which initially
- expanded the allowed options) notes the sudden change to browser cookie
- implementation details may happen again.
-
- In May 2019, Google announced a new model for privacy controls in their
- browsers, which affected the list of valid options for the SameSite attribute
- of cookies. In late 2019, the company began to roll out these changes to their
- browsers to force developer adoption of the new specification.
- See https://www.chromium.org/updates/same-site and
- https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for more
- details on this change.
-
- See https://github.com/Pylons/webob/pull/409
-
- 1.8.5 (2019-01-03)
- ------------------
-
- Warnings
- ~~~~~~~~
-
- - Fixed one last remaining invalid escape sequence in a docstring.
-
- 1.8.4 (2018-11-11)
- ------------------
-
- Bugfix
- ~~~~~~
-
- - Response.content_type now accepts unicode strings on Python 2 and encodes
- them to latin-1. See https://github.com/Pylons/webob/pull/389 and
- https://github.com/Pylons/webob/issues/388
-
- - Accept header classes now support a .copy() function that may be used to
- create a copy. This allows ``create_accept_header`` and other like functions
- to accept an pre-existing Accept header. See
- https://github.com/Pylons/webob/pull/386 and
- https://github.com/Pylons/webob/issues/385
-
- Warnings
- ~~~~~~~~
-
- - Some backslashes introduced with the new accept handling code were causing
- DeprecationWarnings upon compiling the source to pyc files, all of the
- backslashes have been reigned in as appropriate, and users should no longer
- see DeprecationWarnings for invalid escape sequence. See
- https://github.com/Pylons/webob/issues/384
-
- 1.8.3 (2018-10-14)
- ------------------
-
- Bugfix
- ~~~~~~
-
- - ``acceptparse.AcceptValidHeader``, ``acceptparse.AcceptInvalidHeader``, and
- ``acceptparse.AcceptNoHeader`` will now always ignore offers that do not
- match the required media type grammar when calling ``.acceptable_offers()``.
- Previous versions raised a ``ValueError`` for invalid offers in
- ``AcceptValidHeader`` and returned them as acceptable in the others.
- See https://github.com/Pylons/webob/pull/372
-
- Feature
- ~~~~~~~
-
- - Add Request.remote_host, exposing REMOTE_HOST environment variable.
-
- - Added ``acceptparse.Accept.parse_offer`` to codify what types of offers
- are compatible with ``acceptparse.AcceptValidHeader.acceptable_offers``,
- ``acceptparse.AcceptMissingHeader.acceptable_offers``, and
- ``acceptparse.AcceptInvalidHeader.acceptable_offers``. This API also
- normalizes the offer with lowercased type/subtype and parameter names.
- See https://github.com/Pylons/webob/pull/376 and
- https://github.com/Pylons/webob/pull/379
-
- 1.8.2 (2018-06-05)
- ------------------
-
- Bugfix
- ~~~~~~
-
- - SameSite may now be passed as str or bytes to `Response.set_cookie` and
- `cookies.make_cookie`. This was an oversight as all other arguments would be
- correctly coerced before being serialized. See
- https://github.com/Pylons/webob/issues/361 and
- https://github.com/Pylons/webob/pull/362
-
-
- 1.8.1 (2018-04-10)
- ------------------
-
- Bugfix
- ~~~~~~
-
- - acceptparse.MIMEAccept which is deprecated in WebOb 1.8.0 made a backwards
- incompatible change that led to it raising on an invalid Accept header. This
- behaviour has now been reversed, as well as some other fixes to allow
- MIMEAccept to behave more like the old version. See
- https://github.com/Pylons/webob/pull/356
-
- 1.8.0 (2018-04-04)
- ------------------
-
- Feature
- ~~~~~~~
-
- - ``request.POST`` now supports any requests with the appropriate
- Content-Type. Allowing any HTTP method to access form encoded content,
- including DELETE, PUT, and others. See
- https://github.com/Pylons/webob/pull/352
-
- Compatibility
- ~~~~~~~~~~~~~
-
- - WebOb is no longer officially supported on Python 3.3 which was EOL'ed on
- 2017-09-29.
-
- Backwards Incompatibilities
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
- - Many changes have been made to the way WebOb does Accept handling, not just
- for the Accept header itself, but also for Accept-Charset, Accept-Encoding
- and Accept-Language. This was a `Google Summer of Code
- `_ project completed by
- Whiteroses (https://github.com/whiteroses). Many thanks to Google for running
- GSoC, the Python Software Foundation for organising and a huge thanks to Ira
- for completing the work. See https://github.com/Pylons/webob/pull/338 and
- https://github.com/Pylons/webob/pull/335. Documentation is available at
- https://docs.pylonsproject.org/projects/webob/en/master/api/webob.html
-
- - When calling a ``@wsgify`` decorated function, the default arguments passed
- to ``@wsgify`` are now used when called with the request, and not as a
- `start_response`
-
- .. code::
-
- def hello(req, name):
- return "Hello, %s!" % name
- app = wsgify(hello, args=("Fred",))
-
- req = Request.blank('/')
- resp = req.get_response(app) # => "Hello, Fred"
- resp2 = app(req) # => "Hello, Fred"
-
- Previously the ``resp2`` line would have failed with a ``TypeError``. With
- this change there is no way to override the default arguments with no
- arguments. See https://github.com/Pylons/webob/pull/203
-
- - When setting ``app_iter`` on a ``Response`` object the ``content_md5`` header
- is no longer cleared. This behaviour is odd and disallows setting the
- ``content_md5`` and then returning an iterator for chunked content encoded
- responses. See https://github.com/Pylons/webob/issues/86
-
- Experimental Features
- ~~~~~~~~~~~~~~~~~~~~~
-
- These features are experimental and may change at any point in the future.
-
- - The cookie APIs now have the ability to set the SameSite attribute on a
- cookie in both ``webob.cookies.make_cookie`` and
- ``webob.cookies.CookieProfile``. See https://github.com/Pylons/webob/pull/255
-
- Bugfix
- ~~~~~~
-
- - Exceptions now use string.Template.safe_substitute rather than
- string.Template.substitute. The latter would raise for missing mappings, the
- former will simply not substitute the missing variable. This is safer in case
- the WSGI environ does not contain the keys necessary for the body template.
- See https://github.com/Pylons/webob/issues/345.
-
- - Request.host_url, Request.host_port, Request.domain correctly parse IPv6 Host
- headers as provided by a browser. See
- https://github.com/Pylons/webob/pull/332
-
- - Request.authorization would raise ValueError for unusual or malformed header
- values. See https://github.com/Pylons/webob/issues/231
-
- - Allow unnamed fields in form data to be properly transcoded when calling
- request.decode with an alternate encoding. See
- https://github.com/Pylons/webob/pull/309
-
- - ``Response.__init__`` would discard ``app_iter`` when a ``Response`` had no
- body, this would cause issues when ``app_iter`` was an object that was tied
- to the life-cycle of a web application and had to be properly closed.
- ``app_iter`` is more advanced API for ``Response`` and thus even if it
- contains a body and is thus against the HTTP RFC's, we should let the users
- shoot themselves by returning a body. See
- https://github.com/Pylons/webob/issues/305
-
Keywords: wsgi request web http
-Platform: UNKNOWN
Classifier: Development Status :: 6 - Mature
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
@@ -267,5 +22,293 @@ Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Programming Language :: Python :: Implementation :: PyPy
Requires-Python: >=2.7,!=3.0.*,!=3.1.*,!=3.2.*
+License-File: docs/license.txt
+Requires-Dist: legacy-cgi>=2.6; python_version >= "3.13"
Provides-Extra: testing
+Requires-Dist: pytest>=3.1.0; extra == "testing"
+Requires-Dist: coverage; extra == "testing"
+Requires-Dist: pytest-cov; extra == "testing"
+Requires-Dist: pytest-xdist; extra == "testing"
Provides-Extra: docs
+Requires-Dist: Sphinx>=1.7.5; extra == "docs"
+Requires-Dist: pylons-sphinx-themes; extra == "docs"
+
+WebOb
+=====
+
+.. image:: https://travis-ci.org/Pylons/webob.png?branch=master
+ :target: https://travis-ci.org/Pylons/webob
+
+.. image:: https://readthedocs.org/projects/webob/badge/?version=stable
+ :target: https://docs.pylonsproject.org/projects/webob/en/stable/
+ :alt: Documentation Status
+
+WebOb provides objects for HTTP requests and responses. Specifically
+it does this by wrapping the `WSGI `_ request
+environment and response status/headers/app_iter(body).
+
+The request and response objects provide many conveniences for parsing
+HTTP request and forming HTTP responses. Both objects are read/write:
+as a result, WebOb is also a nice way to create HTTP requests and
+parse HTTP responses.
+
+Support and Documentation
+-------------------------
+
+See the `WebOb Documentation website `_ to view
+documentation, report bugs, and obtain support.
+
+License
+-------
+
+WebOb is offered under the `MIT-license
+`_.
+
+Authors
+-------
+
+WebOb was authored by Ian Bicking and is currently maintained by the `Pylons
+Project `_ and a team of contributors.
+
+1.8.9 (2024-11-23)
+------------------
+
+Bugfix
+~~~~~~
+
+- Add `legacy-cgi` to required packages to be installed for Python 3.13
+ compatibility. See https://github.com/Pylons/webob/pull/469
+
+1.8.8 (2024-08-13)
+------------------
+
+Security Fix
+~~~~~~~~~~~~
+
+- The use of WebOb's Response object to redirect a request to a new location
+ can lead to an open redirect if the Location header is not a full URI.
+
+ See https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
+ and CVE-2024-42353
+
+ Thanks to Sara Gao for the report
+
+1.8.7 (2021-02-17)
+------------------
+
+Bugfix
+~~~~~~
+
+- Decoding deflate-encoded responses now supports data which is packed in
+ a zlib container as it is supposed to be. The old, non-standard behaviour
+ is still supported.
+
+ See https://github.com/Pylons/webob/pull/426
+
+
+1.8.6 (2020-01-21)
+------------------
+
+Experimental Features
+~~~~~~~~~~~~~~~~~~~~~
+
+- The SameSite value now includes a new option named "None", this is a new
+ change that was introduced in
+ https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
+
+ Please be aware that older clients are incompatible with this change:
+ https://www.chromium.org/updates/same-site/incompatible-clients, WebOb does
+ not enable SameSite on cookies by default, so there is no backwards
+ incompatible change here.
+
+ See https://github.com/Pylons/webob/issues/406
+
+- Validation of SameSite values can be disabled by toggling a module flag. This
+ is in anticipation of future changes in evolving cookie standards.
+ The discussion in https://github.com/Pylons/webob/pull/407 (which initially
+ expanded the allowed options) notes the sudden change to browser cookie
+ implementation details may happen again.
+
+ In May 2019, Google announced a new model for privacy controls in their
+ browsers, which affected the list of valid options for the SameSite attribute
+ of cookies. In late 2019, the company began to roll out these changes to their
+ browsers to force developer adoption of the new specification.
+ See https://www.chromium.org/updates/same-site and
+ https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for more
+ details on this change.
+
+ See https://github.com/Pylons/webob/pull/409
+
+1.8.5 (2019-01-03)
+------------------
+
+Warnings
+~~~~~~~~
+
+- Fixed one last remaining invalid escape sequence in a docstring.
+
+1.8.4 (2018-11-11)
+------------------
+
+Bugfix
+~~~~~~
+
+- Response.content_type now accepts unicode strings on Python 2 and encodes
+ them to latin-1. See https://github.com/Pylons/webob/pull/389 and
+ https://github.com/Pylons/webob/issues/388
+
+- Accept header classes now support a .copy() function that may be used to
+ create a copy. This allows ``create_accept_header`` and other like functions
+ to accept an pre-existing Accept header. See
+ https://github.com/Pylons/webob/pull/386 and
+ https://github.com/Pylons/webob/issues/385
+
+Warnings
+~~~~~~~~
+
+- Some backslashes introduced with the new accept handling code were causing
+ DeprecationWarnings upon compiling the source to pyc files, all of the
+ backslashes have been reigned in as appropriate, and users should no longer
+ see DeprecationWarnings for invalid escape sequence. See
+ https://github.com/Pylons/webob/issues/384
+
+1.8.3 (2018-10-14)
+------------------
+
+Bugfix
+~~~~~~
+
+- ``acceptparse.AcceptValidHeader``, ``acceptparse.AcceptInvalidHeader``, and
+ ``acceptparse.AcceptNoHeader`` will now always ignore offers that do not
+ match the required media type grammar when calling ``.acceptable_offers()``.
+ Previous versions raised a ``ValueError`` for invalid offers in
+ ``AcceptValidHeader`` and returned them as acceptable in the others.
+ See https://github.com/Pylons/webob/pull/372
+
+Feature
+~~~~~~~
+
+- Add Request.remote_host, exposing REMOTE_HOST environment variable.
+
+- Added ``acceptparse.Accept.parse_offer`` to codify what types of offers
+ are compatible with ``acceptparse.AcceptValidHeader.acceptable_offers``,
+ ``acceptparse.AcceptMissingHeader.acceptable_offers``, and
+ ``acceptparse.AcceptInvalidHeader.acceptable_offers``. This API also
+ normalizes the offer with lowercased type/subtype and parameter names.
+ See https://github.com/Pylons/webob/pull/376 and
+ https://github.com/Pylons/webob/pull/379
+
+1.8.2 (2018-06-05)
+------------------
+
+Bugfix
+~~~~~~
+
+- SameSite may now be passed as str or bytes to `Response.set_cookie` and
+ `cookies.make_cookie`. This was an oversight as all other arguments would be
+ correctly coerced before being serialized. See
+ https://github.com/Pylons/webob/issues/361 and
+ https://github.com/Pylons/webob/pull/362
+
+
+1.8.1 (2018-04-10)
+------------------
+
+Bugfix
+~~~~~~
+
+- acceptparse.MIMEAccept which is deprecated in WebOb 1.8.0 made a backwards
+ incompatible change that led to it raising on an invalid Accept header. This
+ behaviour has now been reversed, as well as some other fixes to allow
+ MIMEAccept to behave more like the old version. See
+ https://github.com/Pylons/webob/pull/356
+
+1.8.0 (2018-04-04)
+------------------
+
+Feature
+~~~~~~~
+
+- ``request.POST`` now supports any requests with the appropriate
+ Content-Type. Allowing any HTTP method to access form encoded content,
+ including DELETE, PUT, and others. See
+ https://github.com/Pylons/webob/pull/352
+
+Compatibility
+~~~~~~~~~~~~~
+
+- WebOb is no longer officially supported on Python 3.3 which was EOL'ed on
+ 2017-09-29.
+
+Backwards Incompatibilities
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- Many changes have been made to the way WebOb does Accept handling, not just
+ for the Accept header itself, but also for Accept-Charset, Accept-Encoding
+ and Accept-Language. This was a `Google Summer of Code
+ `_ project completed by
+ Whiteroses (https://github.com/whiteroses). Many thanks to Google for running
+ GSoC, the Python Software Foundation for organising and a huge thanks to Ira
+ for completing the work. See https://github.com/Pylons/webob/pull/338 and
+ https://github.com/Pylons/webob/pull/335. Documentation is available at
+ https://docs.pylonsproject.org/projects/webob/en/master/api/webob.html
+
+- When calling a ``@wsgify`` decorated function, the default arguments passed
+ to ``@wsgify`` are now used when called with the request, and not as a
+ `start_response`
+
+ .. code::
+
+ def hello(req, name):
+ return "Hello, %s!" % name
+ app = wsgify(hello, args=("Fred",))
+
+ req = Request.blank('/')
+ resp = req.get_response(app) # => "Hello, Fred"
+ resp2 = app(req) # => "Hello, Fred"
+
+ Previously the ``resp2`` line would have failed with a ``TypeError``. With
+ this change there is no way to override the default arguments with no
+ arguments. See https://github.com/Pylons/webob/pull/203
+
+- When setting ``app_iter`` on a ``Response`` object the ``content_md5`` header
+ is no longer cleared. This behaviour is odd and disallows setting the
+ ``content_md5`` and then returning an iterator for chunked content encoded
+ responses. See https://github.com/Pylons/webob/issues/86
+
+Experimental Features
+~~~~~~~~~~~~~~~~~~~~~
+
+These features are experimental and may change at any point in the future.
+
+- The cookie APIs now have the ability to set the SameSite attribute on a
+ cookie in both ``webob.cookies.make_cookie`` and
+ ``webob.cookies.CookieProfile``. See https://github.com/Pylons/webob/pull/255
+
+Bugfix
+~~~~~~
+
+- Exceptions now use string.Template.safe_substitute rather than
+ string.Template.substitute. The latter would raise for missing mappings, the
+ former will simply not substitute the missing variable. This is safer in case
+ the WSGI environ does not contain the keys necessary for the body template.
+ See https://github.com/Pylons/webob/issues/345.
+
+- Request.host_url, Request.host_port, Request.domain correctly parse IPv6 Host
+ headers as provided by a browser. See
+ https://github.com/Pylons/webob/pull/332
+
+- Request.authorization would raise ValueError for unusual or malformed header
+ values. See https://github.com/Pylons/webob/issues/231
+
+- Allow unnamed fields in form data to be properly transcoded when calling
+ request.decode with an alternate encoding. See
+ https://github.com/Pylons/webob/pull/309
+
+- ``Response.__init__`` would discard ``app_iter`` when a ``Response`` had no
+ body, this would cause issues when ``app_iter`` was an object that was tied
+ to the life-cycle of a web application and had to be properly closed.
+ ``app_iter`` is more advanced API for ``Response`` and thus even if it
+ contains a body and is thus against the HTTP RFC's, we should let the users
+ shoot themselves by returning a body. See
+ https://github.com/Pylons/webob/issues/305
diff --git a/debian/.gitignore b/debian/.gitignore
new file mode 100644
index 0000000..2c8afeb
--- /dev/null
+++ b/debian/.gitignore
@@ -0,0 +1 @@
+/files
diff --git a/debian/changelog b/debian/changelog
index 80c1132..fbf94bc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,52 @@
+python-webob (1:1.8.9-1) unstable; urgency=medium
+
+ * Team upload.
+ * Adjust debian/watch for recent PyPI URL changes.
+ * New upstream release:
+ - CVE-2024-42353: The use of WebOb's Response object to redirect a
+ request to a new location could lead to an open redirect if the
+ Location header is not a full URI (closes: #1078879).
+ * Fix file names in patched intersphinx_mapping.
+ * Use dh-sequence-python3 and dh-sequence-sphinxdoc.
+
+ -- Colin Watson Sun, 12 Jan 2025 17:39:16 +0000
+
+python-webob (1:1.8.7-3) unstable; urgency=medium
+
+ * Fixed python3-legacy-cgi depends to python3-webob, not the doc.
+
+ -- Thomas Goirand Fri, 15 Nov 2024 11:11:53 +0100
+
+python-webob (1:1.8.7-2) unstable; urgency=medium
+
+ * Add python3-legacy-cgi as (build-)depends (Closes: #1082281).
+
+ -- Thomas Goirand Fri, 15 Nov 2024 09:11:22 +0100
+
+python-webob (1:1.8.7-1) unstable; urgency=medium
+
+ * Team upload.
+ * New upstream version 1.8.7
+
+ -- Alexandre Detiste Fri, 01 Mar 2024 09:42:33 +0100
+
+python-webob (1:1.8.6-3) unstable; urgency=medium
+
+ [ Debian Janitor ]
+ * Bump debhelper from old 12 to 13.
+
+ -- Jelmer Vernooij Mon, 17 Oct 2022 02:56:06 +0100
+
+python-webob (1:1.8.6-2) unstable; urgency=medium
+
+ [ Ondřej Nový ]
+ * d/control: Update Maintainer field with new Debian Python Team
+ contact address.
+ * d/control: Update Vcs-* fields with new Debian Python Team Salsa
+ layout.
+
+ -- Sandro Tosi Thu, 09 Jun 2022 21:37:09 -0400
+
python-webob (1:1.8.6-1.1) unstable; urgency=medium
* Non-maintainer upload.
diff --git a/debian/control b/debian/control
index aab0934..cefc0ff 100644
--- a/debian/control
+++ b/debian/control
@@ -1,24 +1,26 @@
Source: python-webob
Section: python
Priority: optional
-Maintainer: Debian Python Modules Team
+Maintainer: Debian Python Team
Uploaders:
Soren Hansen ,
Thomas Goirand ,
Build-Depends:
- debhelper-compat (= 12),
- dh-python,
+ debhelper-compat (= 13),
+ dh-sequence-python3,
+ dh-sequence-sphinxdoc,
python3-sphinx,
python3-all,
python3-setuptools,
Build-Depends-Indep:
python3-doc,
+ python3-legacy-cgi,
python3-pytest,
python3-simplejson,
Standards-Version: 3.9.8
Homepage: https://webob.org/
-Vcs-Git: https://salsa.debian.org/python-team/modules/python-webob.git
-Vcs-Browser: https://salsa.debian.org/python-team/modules/python-webob
+Vcs-Git: https://salsa.debian.org/python-team/packages/python-webob.git
+Vcs-Browser: https://salsa.debian.org/python-team/packages/python-webob
Package: python-webob-doc
Architecture: all
diff --git a/debian/patches/411.diff b/debian/patches/411.diff
deleted file mode 100644
index e1cd5b1..0000000
--- a/debian/patches/411.diff
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/tests/conftest.py
-+++ b/tests/conftest.py
-@@ -60,7 +60,7 @@ def serve():
- log.debug("shutting server down")
- server.shutdown()
- worker.join(1)
-- if worker.isAlive():
-+ if worker.is_alive():
- log.warning('worker is hanged')
- else:
- log.debug("server stopped")
diff --git a/debian/patches/intersphinx-local.patch b/debian/patches/intersphinx-local.patch
index 49d2755..e2a5dfa 100644
--- a/debian/patches/intersphinx-local.patch
+++ b/debian/patches/intersphinx-local.patch
@@ -1,21 +1,19 @@
From: Barry Warsaw
Date: Tue, 12 Jul 2016 11:00:18 -0400
-Subject: Use local python{,3}-doc for intersphinx.
+Subject: Use local python3-doc for intersphinx
-Patch-Name: intersphinx-local.patch
---
- docs/conf.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ docs/conf.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/conf.py b/docs/conf.py
-index 914d0f9..be3e626 100644
+index e855910..601e970 100644
--- a/docs/conf.py
+++ b/docs/conf.py
-@@ -154,5 +154,6 @@ epub_exclude_files = ['search.html']
+@@ -154,5 +154,5 @@ epub_exclude_files = ['search.html']
# Example configuration for intersphinx: refer to the Python standard library.
intersphinx_mapping = {
- 'python': ('https://docs.python.org/3', None),
+ 'python': ('/usr/share/doc/python3-doc/html', None),
-+ 'python3': ('/usr/share/doc/python3-doc/html', None),
}
diff --git a/debian/patches/series b/debian/patches/series
index 8d94b27..02711a0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1 @@
intersphinx-local.patch
-411.diff
diff --git a/debian/rules b/debian/rules
index 5801dcd..ee76f85 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,7 +5,7 @@ export PYBUILD_NAME=webob
#export DH_VERBOSE=1
%:
- dh $@ --with python3,sphinxdoc --buildsystem=pybuild
+ dh $@ --buildsystem=pybuild
override_dh_auto_test:
# enable network, tests.test_in_wsgiref.test_request_reading needs it
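Review bot: With `--with python3,sphinxdoc` removed, nothing in this file says which dh addons run; they are now switched on only by the `dh-sequence-python3` and `dh-sequence-sphinxdoc` build dependencies in debian/control. A one-line comment above the `dh $@ --buildsystem=pybuild` line would keep that visible, e.g. `# python3 and sphinxdoc addons are enabled via dh-sequence-* in Build-Depends`. Separately, the context comment under `override_dh_auto_test` says the tests need network access. The recipe itself is outside this hunk, so please confirm it stays on loopback and the package build remains hermetic.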
diff --git a/debian/watch b/debian/watch
index 6bf3ac7..dc55a79 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,3 +1,3 @@
version=3
opts=uversionmangle=s/(rc|a|b|c)/~$1/ \
-https://pypi.debian.net/WebOb/WebOb-(.+)\.(?:zip|tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))
+https://pypi.debian.net/WebOb/(?:(?i)WebOb)-(.+)\.(?:zip|tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))
diff --git a/docs/conf.py b/docs/conf.py
index 914d0f9..e855910 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -34,7 +34,7 @@
#
# This is also used if you do content translation via gettext catalogs.
# Usually you set "language" from the command line for these cases.
-language = None
+language = 'en'
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
diff --git a/setup.py b/setup.py
index cdd7496..df50317 100644
--- a/setup.py
+++ b/setup.py
@@ -25,7 +25,7 @@
setup(
name='WebOb',
- version='1.8.6',
+ version='1.8.9',
description="WSGI request and response object",
long_description=README + '\n\n' + CHANGES,
classifiers=[
@@ -52,6 +52,9 @@
packages=find_packages('src', exclude=['tests']),
package_dir={'': 'src'},
python_requires='>=2.7,!=3.0.*,!=3.1.*,!=3.2.*',
+ install_requires=[
+ "legacy-cgi>=2.6; python_version>='3.13'",
+ ],
zip_safe=True,
extras_require={
'testing': testing_extras,
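Review bot: The `install_requires` entry added here introduces a third-party runtime dependency with only a lower bound and no comment saying why it exists. `legacy-cgi` stands in for the `cgi` module that Python 3.13 removed from the standard library. Assuming WebOb still relies on `cgi` for form parsing, the package now sits on the path that handles untrusted request bodies on 3.13+. I would add a comment above the entry, e.g. `# stdlib cgi was removed in Python 3.13 (PEP 594); legacy-cgi is the drop-in replacement`, and deployers should pin the version in their own constraints or lock file. The `setup(` call begins before and ends after this hunk, so whether the classifiers were updated to match cannot be seen from here.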
diff --git a/src/WebOb.egg-info/PKG-INFO b/src/WebOb.egg-info/PKG-INFO
new file mode 100644
index 0000000..024013e
--- /dev/null
+++ b/src/WebOb.egg-info/PKG-INFO
@@ -0,0 +1,314 @@
+Metadata-Version: 2.1
+Name: WebOb
+Version: 1.8.9
+Summary: WSGI request and response object
+Home-page: http://webob.org/
+Author: Ian Bicking
+Author-email: ianb@colorstudy.com
+Maintainer: Pylons Project
+License: MIT
+Keywords: wsgi request web http
+Classifier: Development Status :: 6 - Mature
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Topic :: Internet :: WWW/HTTP :: WSGI
+Classifier: Topic :: Internet :: WWW/HTTP :: WSGI :: Application
+Classifier: Topic :: Internet :: WWW/HTTP :: WSGI :: Middleware
+Classifier: Programming Language :: Python :: 2.7
+Classifier: Programming Language :: Python :: 3.4
+Classifier: Programming Language :: Python :: 3.5
+Classifier: Programming Language :: Python :: 3.6
+Classifier: Programming Language :: Python :: 3.7
+Classifier: Programming Language :: Python :: Implementation :: CPython
+Classifier: Programming Language :: Python :: Implementation :: PyPy
+Requires-Python: >=2.7,!=3.0.*,!=3.1.*,!=3.2.*
+License-File: docs/license.txt
+Requires-Dist: legacy-cgi>=2.6; python_version >= "3.13"
+Provides-Extra: testing
+Requires-Dist: pytest>=3.1.0; extra == "testing"
+Requires-Dist: coverage; extra == "testing"
+Requires-Dist: pytest-cov; extra == "testing"
+Requires-Dist: pytest-xdist; extra == "testing"
+Provides-Extra: docs
+Requires-Dist: Sphinx>=1.7.5; extra == "docs"
+Requires-Dist: pylons-sphinx-themes; extra == "docs"
+
+WebOb
+=====
+
+.. image:: https://travis-ci.org/Pylons/webob.png?branch=master
+ :target: https://travis-ci.org/Pylons/webob
+
+.. image:: https://readthedocs.org/projects/webob/badge/?version=stable
+ :target: https://docs.pylonsproject.org/projects/webob/en/stable/
+ :alt: Documentation Status
+
+WebOb provides objects for HTTP requests and responses. Specifically
+it does this by wrapping the `WSGI `_ request
+environment and response status/headers/app_iter(body).
+
+The request and response objects provide many conveniences for parsing
+HTTP request and forming HTTP responses. Both objects are read/write:
+as a result, WebOb is also a nice way to create HTTP requests and
+parse HTTP responses.
+
+Support and Documentation
+-------------------------
+
+See the `WebOb Documentation website `_ to view
+documentation, report bugs, and obtain support.
+
+License
+-------
+
+WebOb is offered under the `MIT-license
+`_.
+
+Authors
+-------
+
+WebOb was authored by Ian Bicking and is currently maintained by the `Pylons
+Project `_ and a team of contributors.
+
+1.8.9 (2024-11-23)
+------------------
+
+Bugfix
+~~~~~~
+
+- Add `legacy-cgi` to required packages to be installed for Python 3.13
+ compatibility. See https://github.com/Pylons/webob/pull/469
+
+1.8.8 (2024-08-13)
+------------------
+
+Security Fix
+~~~~~~~~~~~~
+
+- The use of WebOb's Response object to redirect a request to a new location
+ can lead to an open redirect if the Location header is not a full URI.
+
+ See https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
+ and CVE-2024-42353
+
+ Thanks to Sara Gao for the report
+
+1.8.7 (2021-02-17)
+------------------
+
+Bugfix
+~~~~~~
+
+- Decoding deflate-encoded responses now supports data which is packed in
+ a zlib container as it is supposed to be. The old, non-standard behaviour
+ is still supported.
+
+ See https://github.com/Pylons/webob/pull/426
+
+
+1.8.6 (2020-01-21)
+------------------
+
+Experimental Features
+~~~~~~~~~~~~~~~~~~~~~
+
+- The SameSite value now includes a new option named "None", this is a new
+ change that was introduced in
+ https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
+
+ Please be aware that older clients are incompatible with this change:
+ https://www.chromium.org/updates/same-site/incompatible-clients, WebOb does
+ not enable SameSite on cookies by default, so there is no backwards
+ incompatible change here.
+
+ See https://github.com/Pylons/webob/issues/406
+
+- Validation of SameSite values can be disabled by toggling a module flag. This
+ is in anticipation of future changes in evolving cookie standards.
+ The discussion in https://github.com/Pylons/webob/pull/407 (which initially
+ expanded the allowed options) notes the sudden change to browser cookie
+ implementation details may happen again.
+
+ In May 2019, Google announced a new model for privacy controls in their
+ browsers, which affected the list of valid options for the SameSite attribute
+ of cookies. In late 2019, the company began to roll out these changes to their
+ browsers to force developer adoption of the new specification.
+ See https://www.chromium.org/updates/same-site and
+ https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for more
+ details on this change.
+
+ See https://github.com/Pylons/webob/pull/409
+
+1.8.5 (2019-01-03)
+------------------
+
+Warnings
+~~~~~~~~
+
+- Fixed one last remaining invalid escape sequence in a docstring.
+
+1.8.4 (2018-11-11)
+------------------
+
+Bugfix
+~~~~~~
+
+- Response.content_type now accepts unicode strings on Python 2 and encodes
+ them to latin-1. See https://github.com/Pylons/webob/pull/389 and
+ https://github.com/Pylons/webob/issues/388
+
+- Accept header classes now support a .copy() function that may be used to
+ create a copy. This allows ``create_accept_header`` and other like functions
+ to accept an pre-existing Accept header. See
+ https://github.com/Pylons/webob/pull/386 and
+ https://github.com/Pylons/webob/issues/385
+
+Warnings
+~~~~~~~~
+
+- Some backslashes introduced with the new accept handling code were causing
+ DeprecationWarnings upon compiling the source to pyc files, all of the
+ backslashes have been reigned in as appropriate, and users should no longer
+ see DeprecationWarnings for invalid escape sequence. See
+ https://github.com/Pylons/webob/issues/384
+
+1.8.3 (2018-10-14)
+------------------
+
+Bugfix
+~~~~~~
+
+- ``acceptparse.AcceptValidHeader``, ``acceptparse.AcceptInvalidHeader``, and
+ ``acceptparse.AcceptNoHeader`` will now always ignore offers that do not
+ match the required media type grammar when calling ``.acceptable_offers()``.
+ Previous versions raised a ``ValueError`` for invalid offers in
+ ``AcceptValidHeader`` and returned them as acceptable in the others.
+ See https://github.com/Pylons/webob/pull/372
+
+Feature
+~~~~~~~
+
+- Add Request.remote_host, exposing REMOTE_HOST environment variable.
+
+- Added ``acceptparse.Accept.parse_offer`` to codify what types of offers
+ are compatible with ``acceptparse.AcceptValidHeader.acceptable_offers``,
+ ``acceptparse.AcceptMissingHeader.acceptable_offers``, and
+ ``acceptparse.AcceptInvalidHeader.acceptable_offers``. This API also
+ normalizes the offer with lowercased type/subtype and parameter names.
+ See https://github.com/Pylons/webob/pull/376 and
+ https://github.com/Pylons/webob/pull/379
+
+1.8.2 (2018-06-05)
+------------------
+
+Bugfix
+~~~~~~
+
+- SameSite may now be passed as str or bytes to `Response.set_cookie` and
+ `cookies.make_cookie`. This was an oversight as all other arguments would be
+ correctly coerced before being serialized. See
+ https://github.com/Pylons/webob/issues/361 and
+ https://github.com/Pylons/webob/pull/362
+
+
+1.8.1 (2018-04-10)
+------------------
+
+Bugfix
+~~~~~~
+
+- acceptparse.MIMEAccept which is deprecated in WebOb 1.8.0 made a backwards
+ incompatible change that led to it raising on an invalid Accept header. This
+ behaviour has now been reversed, as well as some other fixes to allow
+ MIMEAccept to behave more like the old version. See
+ https://github.com/Pylons/webob/pull/356
+
+1.8.0 (2018-04-04)
+------------------
+
+Feature
+~~~~~~~
+
+- ``request.POST`` now supports any requests with the appropriate
+ Content-Type. Allowing any HTTP method to access form encoded content,
+ including DELETE, PUT, and others. See
+ https://github.com/Pylons/webob/pull/352
+
+Compatibility
+~~~~~~~~~~~~~
+
+- WebOb is no longer officially supported on Python 3.3 which was EOL'ed on
+ 2017-09-29.
+
+Backwards Incompatibilities
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- Many changes have been made to the way WebOb does Accept handling, not just
+ for the Accept header itself, but also for Accept-Charset, Accept-Encoding
+ and Accept-Language. This was a `Google Summer of Code
+ `_ project completed by
+ Whiteroses (https://github.com/whiteroses). Many thanks to Google for running
+ GSoC, the Python Software Foundation for organising and a huge thanks to Ira
+ for completing the work. See https://github.com/Pylons/webob/pull/338 and
+ https://github.com/Pylons/webob/pull/335. Documentation is available at
+ https://docs.pylonsproject.org/projects/webob/en/master/api/webob.html
+
+- When calling a ``@wsgify`` decorated function, the default arguments passed
+ to ``@wsgify`` are now used when called with the request, and not as a
+ `start_response`
+
+ .. code::
+
+ def hello(req, name):
+ return "Hello, %s!" % name
+ app = wsgify(hello, args=("Fred",))
+
+ req = Request.blank('/')
+ resp = req.get_response(app) # => "Hello, Fred"
+ resp2 = app(req) # => "Hello, Fred"
+
+ Previously the ``resp2`` line would have failed with a ``TypeError``. With
+ this change there is no way to override the default arguments with no
+ arguments. See https://github.com/Pylons/webob/pull/203
+
+- When setting ``app_iter`` on a ``Response`` object the ``content_md5`` header
+ is no longer cleared. This behaviour is odd and disallows setting the
+ ``content_md5`` and then returning an iterator for chunked content encoded
+ responses. See https://github.com/Pylons/webob/issues/86
+
+Experimental Features
+~~~~~~~~~~~~~~~~~~~~~
+
+These features are experimental and may change at any point in the future.
+
+- The cookie APIs now have the ability to set the SameSite attribute on a
+ cookie in both ``webob.cookies.make_cookie`` and
+ ``webob.cookies.CookieProfile``. See https://github.com/Pylons/webob/pull/255
+
+Bugfix
+~~~~~~
+
+- Exceptions now use string.Template.safe_substitute rather than
+ string.Template.substitute. The latter would raise for missing mappings, the
+ former will simply not substitute the missing variable. This is safer in case
+ the WSGI environ does not contain the keys necessary for the body template.
+ See https://github.com/Pylons/webob/issues/345.
+
+- Request.host_url, Request.host_port, Request.domain correctly parse IPv6 Host
+ headers as provided by a browser. See
+ https://github.com/Pylons/webob/pull/332
+
+- Request.authorization would raise ValueError for unusual or malformed header
+ values. See https://github.com/Pylons/webob/issues/231
+
+- Allow unnamed fields in form data to be properly transcoded when calling
+ request.decode with an alternate encoding. See
+ https://github.com/Pylons/webob/pull/309
+
+- ``Response.__init__`` would discard ``app_iter`` when a ``Response`` had no
+ body, this would cause issues when ``app_iter`` was an object that was tied
+ to the life-cycle of a web application and had to be properly closed.
+ ``app_iter`` is more advanced API for ``Response`` and thus even if it
+ contains a body and is thus against the HTTP RFC's, we should let the users
+ shoot themselves by returning a body. See
+ https://github.com/Pylons/webob/issues/305
diff --git a/src/WebOb.egg-info/SOURCES.txt b/src/WebOb.egg-info/SOURCES.txt
new file mode 100644
index 0000000..22b1ce3
--- /dev/null
+++ b/src/WebOb.egg-info/SOURCES.txt
@@ -0,0 +1,96 @@
+.coveragerc
+.gitignore
+CHANGES.txt
+HISTORY.txt
+MANIFEST.in
+README.rst
+RELEASING.rst
+appveyor.yml
+contributing.md
+rtd.txt
+setup.cfg
+setup.py
+tox.ini
+docs/Makefile
+docs/changes.txt
+docs/comment-example.txt
+docs/conf.py
+docs/differences.txt
+docs/do-it-yourself.txt
+docs/doctests.py
+docs/file-example.txt
+docs/index.txt
+docs/jsonrpc-example.txt
+docs/license.txt
+docs/reference.txt
+docs/whatsnew-1.5.txt
+docs/whatsnew-1.6.txt
+docs/whatsnew-1.7.txt
+docs/whatsnew-1.8.txt
+docs/wiki-example.txt
+docs/_static/.empty
+docs/api/client.txt
+docs/api/cookies.txt
+docs/api/dec.txt
+docs/api/exceptions.txt
+docs/api/multidict.txt
+docs/api/request.txt
+docs/api/response.txt
+docs/api/static.txt
+docs/api/webob.txt
+docs/comment-example-code/example.py
+docs/experimental/samesite.txt
+docs/file-example-code/test-file.txt
+docs/jsonrpc-example-code/jsonrpc.py
+docs/jsonrpc-example-code/test_jsonrpc.py
+docs/jsonrpc-example-code/test_jsonrpc.txt
+docs/wiki-example-code/example.py
+src/WebOb.egg-info/PKG-INFO
+src/WebOb.egg-info/SOURCES.txt
+src/WebOb.egg-info/dependency_links.txt
+src/WebOb.egg-info/requires.txt
+src/WebOb.egg-info/top_level.txt
+src/WebOb.egg-info/zip-safe
+src/webob/__init__.py
+src/webob/acceptparse.py
+src/webob/byterange.py
+src/webob/cachecontrol.py
+src/webob/client.py
+src/webob/compat.py
+src/webob/cookies.py
+src/webob/datetime_utils.py
+src/webob/dec.py
+src/webob/descriptors.py
+src/webob/etag.py
+src/webob/exc.py
+src/webob/headers.py
+src/webob/multidict.py
+src/webob/request.py
+src/webob/response.py
+src/webob/static.py
+src/webob/util.py
+tests/conftest.py
+tests/performance_test.py
+tests/test_acceptparse.py
+tests/test_byterange.py
+tests/test_cachecontrol.py
+tests/test_client.py
+tests/test_client_functional.py
+tests/test_compat.py
+tests/test_cookies.py
+tests/test_cookies_bw.py
+tests/test_datetime_utils.py
+tests/test_dec.py
+tests/test_descriptors.py
+tests/test_etag.py
+tests/test_etag_nose.py
+tests/test_exc.py
+tests/test_headers.py
+tests/test_in_wsgiref.py
+tests/test_misc.py
+tests/test_multidict.py
+tests/test_request.py
+tests/test_response.py
+tests/test_static.py
+tests/test_transcode.py
+tests/test_util.py
\ No newline at end of file
diff --git a/src/WebOb.egg-info/dependency_links.txt b/src/WebOb.egg-info/dependency_links.txt
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/src/WebOb.egg-info/dependency_links.txt
@@ -0,0 +1 @@
+
diff --git a/src/WebOb.egg-info/requires.txt b/src/WebOb.egg-info/requires.txt
new file mode 100644
index 0000000..abcd45c
--- /dev/null
+++ b/src/WebOb.egg-info/requires.txt
@@ -0,0 +1,13 @@
+
+[:python_version >= "3.13"]
+legacy-cgi>=2.6
+
+[docs]
+Sphinx>=1.7.5
+pylons-sphinx-themes
+
+[testing]
+pytest>=3.1.0
+coverage
+pytest-cov
+pytest-xdist
diff --git a/src/WebOb.egg-info/top_level.txt b/src/WebOb.egg-info/top_level.txt
new file mode 100644
index 0000000..1c2028e
--- /dev/null
+++ b/src/WebOb.egg-info/top_level.txt
@@ -0,0 +1 @@
+webob
diff --git a/src/WebOb.egg-info/zip-safe b/src/WebOb.egg-info/zip-safe
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/src/WebOb.egg-info/zip-safe
@@ -0,0 +1 @@
+
diff --git a/src/webob/response.py b/src/webob/response.py
index 108a02f..efc38ec 100644
--- a/src/webob/response.py
+++ b/src/webob/response.py
@@ -1249,8 +1249,15 @@ def decode_content(self):
self.content_encoding = None
gzip_f.close()
else:
- # Weird feature: http://bugs.python.org/issue5784
- self.body = zlib.decompress(self.body, -15)
+ try:
+ # RFC7230 section 4.2.2 specifies that the body should be wrapped
+ # inside a ZLIB (RFC1950) container ...
+ self.body = zlib.decompress(self.body)
+ except zlib.error:
+ # ... but there are nonconformant implementations around which send
+ # the data without the ZLIB container, so we use maximum window size
+ # decompression without header check (the - sign)
+ self.body = zlib.decompress(self.body, -15)
self.content_encoding = None
def md5_etag(self, body=None, set_content_md5=False):
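Review bot: Both `zlib.decompress` calls in the new try/except inflate the whole body in one step with no cap on the output size, and the fallback runs a second full attempt on any body that fails the first. If `decode_content` can be reached with a body received from a remote server (not visible in this hunk), a small compressed payload can expand to a very large buffer in memory. A bounded variant would be `zlib.decompressobj().decompress(self.body, limit)` with a project-chosen `limit`, followed by a check that `unconsumed_tail` is empty, and `zlib.decompressobj(-15)` for the fallback. `decode_content` begins outside the hunk.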
@@ -1277,6 +1284,11 @@ def _make_location_absolute(environ, value):
if SCHEME_RE.search(value):
return value
+ # This is to fix an open redirect issue due to the way that
+ # urlparse.urljoin works. See CVE-2024-42353 and
+ # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
+ if value.startswith("//"):
+ value = "/%2f{}".format(value[2:])
new_location = urlparse.urljoin(_request_uri(environ), value)
return new_location
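Review bot: The guard added before `urljoin` matches only the literal prefix `//` on the raw value, so the fix relies on the URL parser never normalising some other input into a network-path reference. Whether it does varies with the Python version and cannot be confirmed from this hunk. A post-condition on the result would be sturdier: after the join, compare the host of `new_location` with the host of `_request_uri(environ)` and refuse or re-root the value when they differ. The rewrite to `/%2f` also changes the path the client will request, which deserves a sentence in the comment so it is not later mistaken for a bug. `_make_location_absolute` begins outside the hunk.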
diff --git a/tests/conftest.py b/tests/conftest.py
index ec47c86..e08d64c 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -60,8 +60,8 @@ def _serve(app):
log.debug("shutting server down")
server.shutdown()
worker.join(1)
- if worker.isAlive():
- log.warning('worker is hanged')
+ if worker.is_alive():
+ log.warning("worker is hanged")
else:
log.debug("server stopped")
diff --git a/tests/test_response.py b/tests/test_response.py
index 07c7f50..8a6ac06 100644
--- a/tests/test_response.py
+++ b/tests/test_response.py
@@ -381,6 +381,18 @@ def test_decode_content_with_deflate():
assert res.body == body
assert res.content_encoding is None
+def test_decode_content_with_deflate_and_zlib_header():
+ res = Response()
+ body = b"Hey Hey Hey"
+ # don't chop off the zlib container
+ # https://tools.ietf.org/html/rfc7230#section-4.2.2 says
+ # that chopping it exists but is non-conformant
+ res.body = zlib.compress(body)
+ res.content_encoding = "deflate"
+ res.decode_content()
+ assert res.body == body
+ assert res.content_encoding is None
+
def test_content_length():
r0 = Response('x' * 10, content_length=10)
@@ -1019,6 +1031,17 @@ def test_location():
assert req.get_response(res).location == 'http://localhost/test2.html'
+def test_location_no_open_redirect():
+ # This is a test for a fix for CVE-2024-42353 and
+ # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
+ res = Response()
+ res.status = "301"
+ res.location = "//www.example.com/test"
+ assert res.location == "//www.example.com/test"
+ req = Request.blank("/")
+ assert req.get_response(res).location == "http://localhost/%2fwww.example.com/test"
+
+
@pytest.mark.xfail(sys.version_info < (3,0),
reason="Python 2.x unicode != str, WSGI requires str. Test "
"added due to https://github.com/Pylons/webob/issues/247. "
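Review bot: `test_location_no_open_redirect` pins a single input and one exact output string, so it would not notice a regression for other relative values that must stay on the request host. Parametrising the test over a few such values (for example one with more than two leading slashes) and asserting that the host parsed from the resulting Location is `localhost` would test the property rather than one encoding of it. The exact-string assertion can stay as one of the cases, since it documents the `/%2f` rewrite.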
diff --git a/tox.ini b/tox.ini
index eb81bd4..eb97b71 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,6 +1,7 @@
[tox]
+requires = virtualenv<20.22.0
envlist =
- py27,py34,py35,py36,py37,pypy,
+ py27,py34,py35,py36,py37,py313,pypy,
docs,coverage,pep8
skip_missing_interpreters = True
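Review bot: The `requires = virtualenv<20.22.0` pin has no comment saying why it exists, and it is added in the same hunk as the `py313` env. The pin is presumably there because virtualenv 20.22.0 dropped support for creating Python 2.7 to 3.6 environments. An older virtualenv may in turn be unable to provision a working Python 3.13 environment, which should be confirmed by actually running `py313`. Suggest a comment such as `# virtualenv 20.22.0 dropped py27-py36 environment creation; remove this pin with those envs`.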
@@ -13,6 +14,7 @@ basepython =
py35: python3.5
py36: python3.6
py37: python3.7
+ py313: python3.13
pypy: pypy
py2: python2.7
py3: python3.5
@@ -37,7 +39,7 @@ setenv =
[testenv:docs]
basepython = python3.6
-whitelist_externals = make
+allowlist_externals = make
commands =
pip install webob[docs]
make -C docs html epub BUILDDIR={envdir} "SPHINXOPTS=-W -E"
@@ -49,3 +51,21 @@ commands =
deps =
flake8
+[testenv:build]
+skip_install = true
+commands =
+ # clean up build/ and dist/ folders
+ python -c 'import shutil; shutil.rmtree("build", ignore_errors=True)'
+ # Make sure we aren't forgetting anything
+ check-manifest
+ # build sdist/wheel
+ python -m build .
+ # Verify all is well
+ twine check dist/*
+
+deps =
+ build
+ check-manifest
+ readme_renderer
+ twine
+
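Review bot: The comment on the first command in `[testenv:build]` says it cleans `build/` and `dist/`, but only `build` is removed, so `twine check dist/*` also covers artifacts left over from an earlier release and a later upload could include them. Remove both directories, e.g. `python -c 'import shutil; [shutil.rmtree(d, ignore_errors=True) for d in ("build", "dist")]'`. The release tools listed under `deps` are also unpinned, so each build uses whatever versions the index serves that day. A constraints file or explicit version pins would make the release environment reproducible.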