WSGI request and response object
Project description
WebOb provides objects for HTTP requests and responses. Specifically it does this by wrapping the WSGI request environment and response status/headers/app_iter(body).
The request and response objects provide many conveniences for parsing HTTP request and forming HTTP responses. Both objects are read/write: as a result, WebOb is also a nice way to create HTTP requests and parse HTTP responses.
Support and Documentation
See the WebOb Documentation website to view documentation, report bugs, and obtain support.
License
WebOb is offered under the MIT-license.
1.8.8 (2024-08-13)
Security Fix
The use of WebOb’s Response object to redirect a request to a new location can lead to an open redirect if the Location header is not a full URI.
See https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3 and CVE-2024-42353
Thanks to Sara Gao for the report
1.8.7 (2021-02-17)
Bugfix
Decoding deflate-encoded responses now supports data which is packed in a zlib container as it is supposed to be. The old, non-standard behaviour is still supported.
1.8.6 (2020-01-21)
Experimental Features
The SameSite value now includes a new option named “None”, this is a new change that was introduced in https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
Please be aware that older clients are incompatible with this change: https://www.chromium.org/updates/same-site/incompatible-clients, WebOb does not enable SameSite on cookies by default, so there is no backwards incompatible change here.
Validation of SameSite values can be disabled by toggling a module flag. This is in anticipation of future changes in evolving cookie standards. The discussion in https://github.com/Pylons/webob/pull/407 (which initially expanded the allowed options) notes the sudden change to browser cookie implementation details may happen again.
In May 2019, Google announced a new model for privacy controls in their browsers, which affected the list of valid options for the SameSite attribute of cookies. In late 2019, the company began to roll out these changes to their browsers to force developer adoption of the new specification. See https://www.chromium.org/updates/same-site and https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for more details on this change.
1.8.5 (2019-01-03)
Warnings
Fixed one last remaining invalid escape sequence in a docstring.
1.8.4 (2018-11-11)
Bugfix
Response.content_type now accepts unicode strings on Python 2 and encodes them to latin-1. See https://github.com/Pylons/webob/pull/389 and https://github.com/Pylons/webob/issues/388
Accept header classes now support a .copy() function that may be used to create a copy. This allows create_accept_header and other like functions to accept an pre-existing Accept header. See https://github.com/Pylons/webob/pull/386 and https://github.com/Pylons/webob/issues/385
Warnings
Some backslashes introduced with the new accept handling code were causing DeprecationWarnings upon compiling the source to pyc files, all of the backslashes have been reigned in as appropriate, and users should no longer see DeprecationWarnings for invalid escape sequence. See https://github.com/Pylons/webob/issues/384
1.8.3 (2018-10-14)
Bugfix
acceptparse.AcceptValidHeader, acceptparse.AcceptInvalidHeader, and acceptparse.AcceptNoHeader will now always ignore offers that do not match the required media type grammar when calling .acceptable_offers(). Previous versions raised a ValueError for invalid offers in AcceptValidHeader and returned them as acceptable in the others. See https://github.com/Pylons/webob/pull/372
Feature
Add Request.remote_host, exposing REMOTE_HOST environment variable.
Added acceptparse.Accept.parse_offer to codify what types of offers are compatible with acceptparse.AcceptValidHeader.acceptable_offers, acceptparse.AcceptMissingHeader.acceptable_offers, and acceptparse.AcceptInvalidHeader.acceptable_offers. This API also normalizes the offer with lowercased type/subtype and parameter names. See https://github.com/Pylons/webob/pull/376 and https://github.com/Pylons/webob/pull/379
1.8.2 (2018-06-05)
Bugfix
SameSite may now be passed as str or bytes to Response.set_cookie and cookies.make_cookie. This was an oversight as all other arguments would be correctly coerced before being serialized. See https://github.com/Pylons/webob/issues/361 and https://github.com/Pylons/webob/pull/362
1.8.1 (2018-04-10)
Bugfix
acceptparse.MIMEAccept which is deprecated in WebOb 1.8.0 made a backwards incompatible change that led to it raising on an invalid Accept header. This behaviour has now been reversed, as well as some other fixes to allow MIMEAccept to behave more like the old version. See https://github.com/Pylons/webob/pull/356
1.8.0 (2018-04-04)
Feature
request.POST now supports any requests with the appropriate Content-Type. Allowing any HTTP method to access form encoded content, including DELETE, PUT, and others. See https://github.com/Pylons/webob/pull/352
Compatibility
WebOb is no longer officially supported on Python 3.3 which was EOL’ed on 2017-09-29.
Backwards Incompatibilities
Many changes have been made to the way WebOb does Accept handling, not just for the Accept header itself, but also for Accept-Charset, Accept-Encoding and Accept-Language. This was a Google Summer of Code project completed by Whiteroses (https://github.com/whiteroses). Many thanks to Google for running GSoC, the Python Software Foundation for organising and a huge thanks to Ira for completing the work. See https://github.com/Pylons/webob/pull/338 and https://github.com/Pylons/webob/pull/335. Documentation is available at https://docs.pylonsproject.org/projects/webob/en/master/api/webob.html
When calling a @wsgify decorated function, the default arguments passed to @wsgify are now used when called with the request, and not as a start_response
def hello(req, name): return "Hello, %s!" % name app = wsgify(hello, args=("Fred",)) req = Request.blank('/') resp = req.get_response(app) # => "Hello, Fred" resp2 = app(req) # => "Hello, Fred"
Previously the resp2 line would have failed with a TypeError. With this change there is no way to override the default arguments with no arguments. See https://github.com/Pylons/webob/pull/203
When setting app_iter on a Response object the content_md5 header is no longer cleared. This behaviour is odd and disallows setting the content_md5 and then returning an iterator for chunked content encoded responses. See https://github.com/Pylons/webob/issues/86
Experimental Features
These features are experimental and may change at any point in the future.
The cookie APIs now have the ability to set the SameSite attribute on a cookie in both webob.cookies.make_cookie and webob.cookies.CookieProfile. See https://github.com/Pylons/webob/pull/255
Bugfix
Exceptions now use string.Template.safe_substitute rather than string.Template.substitute. The latter would raise for missing mappings, the former will simply not substitute the missing variable. This is safer in case the WSGI environ does not contain the keys necessary for the body template. See https://github.com/Pylons/webob/issues/345.
Request.host_url, Request.host_port, Request.domain correctly parse IPv6 Host headers as provided by a browser. See https://github.com/Pylons/webob/pull/332
Request.authorization would raise ValueError for unusual or malformed header values. See https://github.com/Pylons/webob/issues/231
Allow unnamed fields in form data to be properly transcoded when calling request.decode with an alternate encoding. See https://github.com/Pylons/webob/pull/309
Response.__init__ would discard app_iter when a Response had no body, this would cause issues when app_iter was an object that was tied to the life-cycle of a web application and had to be properly closed. app_iter is more advanced API for Response and thus even if it contains a body and is thus against the HTTP RFC’s, we should let the users shoot themselves by returning a body. See https://github.com/Pylons/webob/issues/305
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for WebOb-1.8.8-py2.py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | b60ba63f05c0cf61e086a10c3781a41fcfe30027753a8ae6d819c77592ce83ea |
|
MD5 | 4c0b6ef764dd301d3a87a1894626773a |
|
BLAKE2b-256 | c3c2fbc206db211c11ac85f2b440670ff6f43d44d7601f61b95628f56d271c21 |