| Age | Commit message (Collapse) | Author |
|---|
|
The comment prefix should potential exploints from flash plugins (See
CVE-2014-4671 "Rosetta Flash").
|
|
|
|
Add some validation for the JSONP callback
|
|
|
|
None
fixes #1600
|
|
This fixes two bugs in the ``temporary_response`` context manager:
- ``Request.response`` should be restored even if the renderer raises an
exception
- If ``request.response`` is initially set to ``None``, it should be
restored to ``None`` (rather than deleted).
References: #1563
|
|
These tests test for, among other things, the nits described in comments
on #1563, namely:
- ``Request.response`` should be restored even if the renderer raises an
exception
- If ``request.response`` is initially set to ``None``, it should be
restored to ``None`` (rather than deleted).
(Some of these tests currently fail.)
|
|
The callback variable could be used to arbitrarily inject javascript
into the response object. This validates that the callback doesn't begin
with a number and is standard US ASCII characters, because trying to
make sure the JavaScript function name is actually valid would require
parsing JavaScript itself...
|
|
|
|
Conflicts:
pyramid/view.py
|
|
|
|
subclass fix branch
|
|
|
|
|
|
parameterize _call_view and _find_views to cope
|
|
view finding
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
example
|
|
|
|
|
|
merge to see diffs more clearly
|
|
Conflicts:
pyramid/config/views.py
pyramid/scaffolds/tests.py
tox.ini
|
|
update tox/travis to check code coverage on py3
|
|
|
|
|
|
|
|
|
|
update render_to_response to prevent renderers from mutating request.response
|
|
|
|
`AssetsConfiguratorMixin.override_asset` does:
```python
__import__(override_package)
to_package = sys.modules[override_package]
override_source = PackageAssetSource(to_package, override_prefix)
```
so it's assuming that the `package` argument to `PackageAssetSource.__init__` takes a module object.
But then `PackageAssetSource` had a bunch of methods that did stuff like:
- `pkg_resources.resource_exists(self.package, path)`
- `pkg_resources.resource_filename(self.package, path)`
- `pkg_resources.resource_stream(self.package, path)`
and all these `pkg_resources` functions need their `package_or_requirement`
argument to be a **string**; not a module - see
https://pythonhosted.org/setuptools/pkg_resources.html#basic-resource-access, which says:
> the `package_or_requirement argument` may be either a Python package/module
> name (e.g. `foo.bar`) or a `Requirement` instance.
This causes errors when overriding assets -- e.g.: I am using Kotti and
Kotti has this code (https://github.com/Kotti/Kotti/blob/master/kotti/__init__.py#L251):
```python
for override in [a.strip()
for a in settings['kotti.asset_overrides'].split()
if a.strip()]:
config.override_asset(to_override='kotti', override_with=override)
```
A Kotti add-on called kotti_navigation does this
(https://github.com/Kotti/kotti_navigation/blob/master/kotti_navigation/__init__.py#L12):
```python
settings['kotti.asset_overrides'] += ' kotti_navigation:kotti-overrides/'
```
The above code is all legit as far as I can tell and it works fine in pyramid
1.5.2, but it fails with pyramid master with the following:
```pytb
File "/Users/marca/python/virtualenvs/kotti_inventorysvc/lib/python2.7/site-packages/pkg_resources.py", line 959, in resource_filename
self, resource_name
File "/Users/marca/dev/git-repos/pyramid/pyramid/config/assets.py", line 31, in get_resource_filename
filename = overrides.get_filename(resource_name)
File "/Users/marca/dev/git-repos/pyramid/pyramid/config/assets.py", line 125, in get_filename
result = source.get_filename(path)
File "/Users/marca/dev/git-repos/pyramid/pyramid/config/assets.py", line 224, in get_filename
if pkg_resources.resource_exists(self.package, path):
File "/Users/marca/python/virtualenvs/kotti_inventorysvc/lib/python2.7/site-packages/pkg_resources.py", line 948, in resource_exists
return get_provider(package_or_requirement).has_resource(resource_name)
File "/Users/marca/python/virtualenvs/kotti_inventorysvc/lib/python2.7/site-packages/pkg_resources.py", line 225, in get_provider
__import__(moduleOrReq)
TypeError: __import__() argument 1 must be string, not module
```
This was a little tricky to resolve because the `override_asset` function wants
to pass a module object to `PackageAssetSource.__init__`, but there are a
number of tests in `pyramid/tests/test_config/test_assets.py` that assume that
it takes a string. So I ended up making it legal to pass either one, so that I
don't have to change as much calling code.
See https://github.com/Kotti/kotti_navigation/issues/13
|
|
This enhances existing tests so that they detect the issue in #1580.
Then I'm going to fix the issue in PR #1587.
See #1580
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This exposes the QueryStringCacheBuster and PathSegmentCacheBuster
public APIs alongside the md5-variants. These should be more cleanly
subclassed by people wishing to extend their implementations.
|
|
|
|
|
|
Fix a couple minor documentation issues
|
|
|
|
Also add myself to CONTRIBUTORS.txt
|
