From 6099144cf0b85ecfb9c97e344ef6ca499833725e Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Tue, 30 Oct 2012 01:08:35 -0500 Subject: updated changes --- CHANGES.txt | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 740de0f17..25d2dc75c 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -6,6 +6,14 @@ Features - Added an ``effective_principals`` route and view predicate. +Bug Fixes +--------- + +- :func:`pyramid.security.view_execution_permitted` would return `True` if + no view could be found. This case now raises an exception as it doesn't + make sense make an assertion about a non-existant view. See + https://github.com/Pylons/pyramid/issues/299. + 1.4a3 (2012-10-26) ================== -- cgit v1.2.3 From 07c9ee0ec96eb664974fe314a46389ed59390520 Mon Sep 17 00:00:00 2001 From: Chris McDonough Date: Fri, 2 Nov 2012 21:05:46 -0400 Subject: - Do not allow the userid returned from the ``authenticated_userid`` or the userid that is one of the list of principals returned by ``effective_principals`` to be either of the strings ``system.Everyone`` or ``system.Authenticated`` when any of the built-in authorization policies that live in ``pyramid.authentication`` are in use. These two strings are reserved for internal usage by Pyramid and they will not be accepted as valid userids. --- CHANGES.txt | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 740de0f17..291795da3 100644 --- a/CHANGES.txt +++ b/CHANGES.txt 
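Review bot: the Bug Fixes entry added in 6099144 says ``view_execution_permitted`` "now raises an exception" without naming which one; a reader upgrading needs to know what to catch, so name the class (the later wording in this log settles on ``TypeError``). Turning a ``True`` return into a raise is also a backward-incompatible behaviour change for callers that relied on the old result, and the entry should say so rather than file it as a plain bug fix. Two typos in the same lines: "make sense make an assertion" has a duplicated "make" (read "make sense to make an assertion"), and "non-existant" should be "non-existent"; `True` also uses single backticks where the rest of the file uses double-backtick literals.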
@@ -6,6 +6,14 @@ Features - Added an ``effective_principals`` route and view predicate. +- Do not allow the userid returned from the ``authenticated_userid`` or the + userid that is one of the list of principals returned by + ``effective_principals`` to be either of the strings ``system.Everyone`` or + ``system.Authenticated`` when any of the built-in authorization policies that + live in ``pyramid.authentication`` are in use. These two strings are + reserved for internal usage by Pyramid and they will not be accepted as valid + userids. + 1.4a3 (2012-10-26) ================== -- cgit v1.2.3 From 47146eb568aa35f88c567fd785f676a89ce76e12 Mon Sep 17 00:00:00 2001 From: Chris McDonough Date: Fri, 2 Nov 2012 21:07:15 -0400 Subject: garden --- CHANGES.txt | 2 ++ 1 file changed, 2 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 291795da3..80d4a5dee 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -14,6 +14,8 @@ Features reserved for internal usage by Pyramid and they will not be accepted as valid userids. +- Slightly better debug logging from RepozeWho1AuthenticationPolicy. + 1.4a3 (2012-10-26) ================== -- cgit v1.2.3 From a007a4f5a7a6c81ef9bb15f4ccea35212bc020c0 Mon Sep 17 00:00:00 2001 From: Chris McDonough Date: Fri, 2 Nov 2012 22:00:35 -0400 Subject: - In the past if a renderer returned ``None``, the body of the resulting response would be set explicitly to the empty string. Instead, now, the body is left unchanged, which allows the renderer to set a body itself by using e.g. ``request.response.body = b'foo'``. The body set by the renderer will be unmolested on the way out. See https://github.com/Pylons/pyramid/issues/709 Closes #709 --- CHANGES.txt | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 563851e74..0ef1a0593 100644 --- a/CHANGES.txt +++ b/CHANGES.txt 
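Review bot: the Features entry added in 07c9ee0 refers to "the built-in authorization policies that live in ``pyramid.authentication``"; ``authenticated_userid`` and ``effective_principals`` are authentication-policy methods and the module is ``pyramid.authentication``, so "authorization" is the wrong word and will send readers to ``pyramid.authorization`` looking for this change. The entry should also state what "will not be accepted as valid userids" means at runtime for a principal named ``system.Everyone`` or ``system.Authenticated`` (treated as anonymous, or an error raised), since that is what determines whether an account registered under one of those reserved names ends up unauthenticated or merely with a broken session.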
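Review bot: the line "Slightly better debug logging from RepozeWho1AuthenticationPolicy." added in 47146eb should use the full dotted path in literal markup (``pyramid.authentication.RepozeWho1AuthenticationPolicy``) as the neighbouring entries do, and say what is now logged; "slightly better" gives a reader nothing to look for.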
@@ -21,6 +21,16 @@ Features it doesn't make sense to assert that a nonexistent view is execution-permitted. See https://github.com/Pylons/pyramid/issues/299. +Bug Fixes +--------- + +- In the past if a renderer returned ``None``, the body of the resulting + response would be set explicitly to the empty string. Instead, now, the body + is left unchanged, which allows the renderer to set a body itself by using + e.g. ``request.response.body = b'foo'``. The body set by the renderer will + be unmolested on the way out. See + https://github.com/Pylons/pyramid/issues/709 + 1.4a3 (2012-10-26) ================== -- cgit v1.2.3 From cb745b36a4b3b110728bfd4876e2d65649d22f3d Mon Sep 17 00:00:00 2001 From: Chris McDonough Date: Fri, 2 Nov 2012 22:48:30 -0400 Subject: garden; fixes #702 --- CHANGES.txt | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 0ef1a0593..86a9e8b50 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -21,6 +21,13 @@ Features it doesn't make sense to assert that a nonexistent view is execution-permitted. See https://github.com/Pylons/pyramid/issues/299. +- Get rid of shady monkeypatching of ``pyramid.request.Request`` and + ``pyramid.response.Response`` done within the ``__init__.py`` of Pyramid. + Webob no longer relies on this being done. Instead, the ResponseClass + attribute of the Pyramid Request class is assigned to the Pyramid response + class; that's enough to satisfy WebOb and behave as it did before with the + monkeypatching. + Bug Fixes --------- -- cgit v1.2.3 From 66fe1d05adbbcb07482972b4fd512676d68388ee Mon Sep 17 00:00:00 2001 
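Review bot: the Bug Fixes entry added in a007a4f should say what the response body is when a renderer returns ``None`` and does not set ``request.response.body`` itself (presumably still empty, so existing renderers see no change); as written a reader cannot tell whether a renderer that relied on the old explicit empty-string reset can now send out a body that was set earlier in the request. Minor: the issue URL at the end of the entry lacks the trailing period the other entries use.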
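Review bot: "Webob" in the Features entry added in cb745b3 should be "WebOb", which is how the same entry spells it two lines later ("enough to satisfy WebOb"). The entry also calls the removed monkeypatching "shady" without saying what ``__init__.py`` used to change on ``pyramid.request.Request`` and ``pyramid.response.Response``; one clause naming that would help anyone who subclassed those classes judge whether the removal affects them.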
From: Chris McDonough Date: Sat, 3 Nov 2012 19:02:53 -0400 Subject: - Move ``TopologicalSorter`` from ``pyramid.config.util`` to ``pyramid.util``, move ``CyclicDependencyError`` from ``pyramid.config.util`` to ``pyramid.exceptions``, rename ``Singleton`` to ``Sentinel`` and move from ``pyramid.config.util`` to ``pyramid.config.util``; this is in an effort to move that stuff that may be an API one day out of ``pyramid.config.util``, because that package should never be imported from non-Pyramid code. TopologicalSorter is still not an API, but may become one. --- CHANGES.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 86a9e8b50..298bddf7a 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -38,6 +38,17 @@ Bug Fixes be unmolested on the way out. See https://github.com/Pylons/pyramid/issues/709 +Internals +--------- + +- Move ``TopologicalSorter`` from ``pyramid.config.util`` to ``pyramid.util``, + move ``CyclicDependencyError`` from ``pyramid.config.util`` to + ``pyramid.exceptions``, rename ``Singleton`` to ``Sentinel`` and move from + ``pyramid.config.util`` to ``pyramid.config.util``; this is in an effort to + move that stuff that may be an API one day out of ``pyramid.config.util, + because that package should never be imported from non-Pyramid code. + TopologicalSorter is still not an API, but may become one. + 1.4a3 (2012-10-26) ================== -- cgit v1.2.3 From 34d4cd0ea38fdbe0ab0e0832fc2114953ef4e94a Mon Sep 17 00:00:00 2001 From: Chris McDonough Date: Sun, 4 Nov 2012 01:02:19 -0500 Subject: - In uncommon cases, the ``pyramid_excview_tween_factory`` might have inadvertently raised a ``KeyError`` looking for ``request_iface`` as an attribute of the request. It no longer fails in this case. See https://github.com/Pylons/pyramid/issues/700 Fixes #700 --- CHANGES.txt | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'CHANGES.txt') 
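Review bot: the Internals entry added in 66fe1d0 says ``Sentinel`` was moved "from ``pyramid.config.util`` to ``pyramid.config.util``", i.e. source and destination are the same module; given the rest of the entry the destination should be ``pyramid.util``. The same entry has an unclosed literal, "``pyramid.config.util," (closing backticks missing), which will break the RST rendering of the changelog.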
diff --git a/CHANGES.txt b/CHANGES.txt index 298bddf7a..8d5a00e77 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -38,6 +38,11 @@ Bug Fixes be unmolested on the way out. See https://github.com/Pylons/pyramid/issues/709 +- In uncommon cases, the ``pyramid_excview_tween_factory`` might have + inadvertently raised a ``KeyError`` looking for ``request_iface`` as an + attribute of the request. It no longer fails in this case. See + https://github.com/Pylons/pyramid/issues/700 + Internals --------- -- cgit v1.2.3 From 04875452db1da40bd8ed0841869d511b8d86527d Mon Sep 17 00:00:00 2001 From: Chris McDonough Date: Sun, 4 Nov 2012 01:51:42 -0500 Subject: fix docs, upgrade tutorials, add change note, deprecate using zope.deprecation instead of a warning, make hashalg arg a kwarg in certain cases in case someone (maybe me) is using nonapi function imports from authentication --- CHANGES.txt | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 8d5a00e77..45fc19762 100644 --- a/CHANGES.txt +++ b/CHANGES.txt 
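Review bot: the Bug Fixes entry added in 34d4cd0 describes a ``KeyError`` raised "looking for ``request_iface`` as an attribute of the request"; a plain attribute lookup raises ``AttributeError``, so either the lookup was a dict-style one and the entry should say so, or the exception name is wrong. Also add the trailing period after the issue URL, matching the surrounding entries.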
@@ -43,6 +43,24 @@ Bug Fixes attribute of the request. It no longer fails in this case. See https://github.com/Pylons/pyramid/issues/700 +Deprecations +------------ + +- The ``pyramid.authentication.AuthTktAuthenticationPolicy`` authentication + policy is deprecated in Pyramid 1.4 due to its use of the MD5 hashing + algorithm, which has known hash collision vulnerabilities. The risk of an + exploit is low. However, for improved authentication security, use the + ``pyramid.authentication.SHA512AuthTktAuthenticationPolicy`` instead. + Cookies generated by the AuthTktAuthenticationPolicy are not compatible with + cookies generated by the SHA512AuthTktAuthenticationPolicy, however, so + switching to the latter will imply that all existing users with a valid + cookie will be required to re-login. The SHA-512 version is not compatible + with Apache's mod_auth_tkt either, so if you are relying on that + compatibility, you'll want to stick with the MD5 version. + + A deprecation warning is now emitted when the AuthTktAuthenticationPolicy is + imported. + Internals --------- @@ -50,7 +68,7 @@ Internals move ``CyclicDependencyError`` from ``pyramid.config.util`` to ``pyramid.exceptions``, rename ``Singleton`` to ``Sentinel`` and move from ``pyramid.config.util`` to ``pyramid.config.util``; this is in an effort to - move that stuff that may be an API one day out of ``pyramid.config.util, + move that stuff that may be an API one day out of ``pyramid.config.util``, because that package should never be imported from non-Pyramid code. TopologicalSorter is still not an API, but may become one. -- cgit v1.2.3 From 19b8207ff1e959669d296407ed112545364a495d Mon Sep 17 00:00:00 2001 
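Review bot: the Deprecations entry added in 0487545 emits the deprecation warning on import of ``AuthTktAuthenticationPolicy``, yet the same entry tells users who depend on Apache ``mod_auth_tkt`` compatibility to "stick with the MD5 version"; those users get an unavoidable warning with no way to silence it. Tie the warning to the configuration instead (warn when the policy is constructed with the MD5 digest), so that choosing MD5 knowingly is quiet. The entry also cites "known hash collision vulnerabilities" and then says "the risk of an exploit is low" without reconciling the two; state what an attacker could actually do with an MD5 collision against a ticket digest that includes a server-side secret, or say plainly that this is defence in depth against a deprecated algorithm, so operators can prioritise the forced re-login the entry warns about. The second hunk's closing-backtick fix is fine.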
From: Michael Merickel Date: Sun, 4 Nov 2012 11:19:41 -0600 Subject: merged SHA512AuthTktAuthenticationPolicy into AuthTktAuthenticationPolicy AuthTktAuthenticationPolicy now accepts a hashalg parameter and is no longer deprecated. Docs recommend overriding hashalg and using 'sha512'. --- CHANGES.txt | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 45fc19762..390d3c3e3 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -4,6 +4,10 @@ Next release Features -------- +- ``pyramid.authentication.AuthTktAuthenticationPolicy`` has been updated to + support newer hashing algorithms such as ``sha512``. Existing applications + should consider updating if possible. + - Added an ``effective_principals`` route and view predicate. - Do not allow the userid returned from the ``authenticated_userid`` or the @@ -43,24 +47,6 @@ Bug Fixes attribute of the request. It no longer fails in this case. See https://github.com/Pylons/pyramid/issues/700 -Deprecations ------------- - -- The ``pyramid.authentication.AuthTktAuthenticationPolicy`` authentication - policy is deprecated in Pyramid 1.4 due to its use of the MD5 hashing - algorithm, which has known hash collision vulnerabilities. The risk of an - exploit is low. However, for improved authentication security, use the - ``pyramid.authentication.SHA512AuthTktAuthenticationPolicy`` instead. - Cookies generated by the AuthTktAuthenticationPolicy are not compatible with - cookies generated by the SHA512AuthTktAuthenticationPolicy, however, so - switching to the latter will imply that all existing users with a valid - cookie will be required to re-login. The SHA-512 version is not compatible - with Apache's mod_auth_tkt either, so if you are relying on that - compatibility, you'll want to stick with the MD5 version. - - A deprecation warning is now emitted when the AuthTktAuthenticationPolicy is - imported. - Internals --------- -- cgit v1.2.3 
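Review bot: removing the Deprecations block in 19b8207 also drops the two caveats it carried, that cookies produced with a different hash algorithm are not compatible with existing ones (so switching forces every logged-in user to re-login) and that the SHA-512 form is not compatible with Apache's ``mod_auth_tkt``; the replacement Features entry ("Existing applications should consider updating if possible") says none of this. Carry both caveats into the new entry, and name the parameter (``hashalg``, per the commit message) and its default, since "support newer hashing algorithms such as ``sha512``" does not tell a reader how to opt in.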
From ca4656877ab909b88ee1730cab611c8007ff7a39 Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Sun, 4 Nov 2012 11:37:35 -0600 Subject: garden --- CHANGES.txt | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 45fc19762..a9ce80712 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -14,7 +14,8 @@ Features reserved for internal usage by Pyramid and they will not be accepted as valid userids. -- Slightly better debug logging from RepozeWho1AuthenticationPolicy. +- Slightly better debug logging from + ``pyramid.authentication.RepozeWho1AuthenticationPolicy``. - ``pyramid.security.view_execution_permitted`` used to return `True` if no view could be found. It now raises a ``TypeError`` exception in that case, as @@ -67,7 +68,7 @@ Internals - Move ``TopologicalSorter`` from ``pyramid.config.util`` to ``pyramid.util``, move ``CyclicDependencyError`` from ``pyramid.config.util`` to ``pyramid.exceptions``, rename ``Singleton`` to ``Sentinel`` and move from - ``pyramid.config.util`` to ``pyramid.config.util``; this is in an effort to + ``pyramid.config.util`` to ``pyramid.util``; this is in an effort to move that stuff that may be an API one day out of ``pyramid.config.util``, because that package should never be imported from non-Pyramid code. TopologicalSorter is still not an API, but may become one. -- cgit v1.2.3 From ca3df803c9afd04d7dee612e0bf321cc62cf900f Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Sun, 4 Nov 2012 12:34:22 -0600 Subject: emit a warning if a user is using the default hashalg to AuthTkt --- CHANGES.txt | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index b3733a787..43a910f96 100644 --- a/CHANGES.txt +++ b/CHANGES.txt 
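Review bot: the second hunk of ca46568 corrects the destination to ``pyramid.util`` but leaves the ``TopologicalSorter`` entry as one sentence carrying three moves and a rename; consider one line per symbol (``TopologicalSorter``, ``CyclicDependencyError``, ``Sentinel``) with old and new location each, so a reader fixing imports can scan it. The first hunk's switch to the full dotted path is consistent with the rest of the file.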
@@ -48,6 +48,15 @@ Bug Fixes attribute of the request. It no longer fails in this case. See https://github.com/Pylons/pyramid/issues/700 +Deprecations +------------ + +- ``pyramid.authentication.AuthTktAuthenticationPolicy`` will emit a warning + if an application is using the policy without explicitly setting the + ``hashalg``. This is because the default is "md5" which is considered + insecure. If you really want "md5" then you must specify it explicitly to + get rid of the warning. + Internals --------- -- cgit v1.2.3 From a8d71ca12aa648aa70e0c00f303e60da1fa97a61 Mon Sep 17 00:00:00 2001 From: Chris McDonough Date: Sun, 4 Nov 2012 18:39:25 -0500 Subject: - Allow a ``_depth`` argument to ``pyramid.view.view_config``, which will permit limited composition reuse of the decorator by other software that wants to provide custom decorators that are much like view_config. Closes #637. --- CHANGES.txt | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 43a910f96..5175baa5a 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -33,6 +33,10 @@ Features class; that's enough to satisfy WebOb and behave as it did before with the monkeypatching. +- Allow a ``_depth`` argument to ``pyramid.view.view_config``, which will + permit limited composition reuse of the decorator by other software that + wants to provide custom decorators that are much like view_config. + Bug Fixes --------- -- cgit v1.2.3 From 170124352a495438ef689d3376988bc8aefa8876 Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Sun, 4 Nov 2012 19:10:16 -0600 Subject: update changelog, close #627 --- CHANGES.txt | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 5175baa5a..d57444ad0 100644 --- a/CHANGES.txt +++ b/CHANGES.txt 
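Review bot: the Deprecations entry added in ca3df80 warns about the default ``hashalg`` but does not say whether the default changes; state explicitly that the default remains ``md5`` (so existing cookies keep validating) and that the warning is the only behaviour change, otherwise readers will either assume the upgrade silently invalidates sessions or, later, that switching to ``sha512`` does not. Write ``md5`` and ``sha512`` as literals like the rest of the file instead of "md5" in double quotes, show what to pass (``hashalg='sha512'``) rather than "explicitly setting the hashalg", and name the warning category, since a ``DeprecationWarning`` is hidden by default in current Python and would never reach most operators.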
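Review bot: the Features entry added in a8d71ca names the ``_depth`` argument to ``pyramid.view.view_config`` but gives neither its meaning nor its default; an author of a wrapping decorator cannot use "limited composition reuse" without knowing what value to pass. Add one sentence saying what ``_depth`` counts, and link the issue (``Closes #637`` in the commit message) the way the neighbouring entries carry issue URLs.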
@@ -37,6 +37,11 @@ Features permit limited composition reuse of the decorator by other software that wants to provide custom decorators that are much like view_config. +- Allow an iterable of decorators to be passed to + ``pyramid.config.Configurator.add_view``. This allows views to be wrapped + by more than one decorator without requiring combining the decorators + yourself. + Bug Fixes --------- -- cgit v1.2.3
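Review bot: the Features entry added in 1701243 should state the order in which an iterable of decorators is applied to the view (first element outermost or innermost), because for wrappers such as an authorization check around a caching decorator the order is the whole point. Also say whether the existing single-callable form of ``decorator`` is still accepted, and link the issue (``#627`` per the commit message) as the other entries do.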