1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
unreleased
==========
Features
--------
- Add support for Python 3.11 and 3.12.
- Added HTTP 418 error code via `pyramid.httpexceptions.HTTPImATeapot`.
See https://github.com/Pylons/pyramid/pull/3667
- Coverage reports in tests based on Python 3.12 instead of Python 3.8.
- All scripts now pass a new option ``__script__`` when loading the WSGI app.
For example, ``pserve`` sets ``__script__ == 'pserve'``. This works for
``pserve``, ``pshell``, ``prequest``, ``proutes``, ``ptweens``, ``pviews``,
as well as when using ``pyramid.paster.bootstrap`` directly.
When using ``plaster-pastedeploy`` to load an INI file, this option will
manifest as a new value passed into the ``global_conf`` arg of your
application factory, where you can use it as part of initializing your app.
See https://github.com/Pylons/pyramid/pull/3735
Bug Fixes
---------
- Removed support for null-bytes in the path when making a request for a file
against a static_view. Whille null-bytes are allowed by the HTTP
specification, due to the handling of null-bytes potentially leading to
security vulnerabilities it is no longer supported.
This fixes a security vulnerability that is present due to a bug in Python
3.11.0 through 3.11.4, thereby allowing the unintended disclosure of an
``index.html`` one directory up from the static views path.
Thanks to Masashi Yamane of LAC Co., Ltd for reporting this issue.
- Fix issues where permissions may be checked on exception views. This is not
supposed to happen in normal circumstances.
This also prevents issues where a ``request.url`` fails to be decoded when
logging info when ``pyramid.debug_authorization`` is enabled.
See https://github.com/Pylons/pyramid/pull/3741/files
- Applications raising ``pyramid.exceptions.BadCSRFToken`` and
``pyramid.exceptions.BadCSRFOrigin`` were returning invalid HTTP status
lines with values like ``400 Bad CSRF Origin`` instead of
``400 Bad Request``.
See https://github.com/Pylons/pyramid/pull/3742
Backward Incompatibilities
--------------------------
- Drop support for Python 3.6 and 3.7.
- Requests to a static_view are no longer allowed to contain a null-byte in any
part of the path segment.
- Drop support for l*gettext() methods in the i18n module.
These have been deprecated in Python's gettext module since 3.8, and
removed in Python 3.11.
Documentation Changes
---------------------
|
