Jinja 2.10.1 Security Release

written by David Lord on 2019-04-06 in Releases , Security

Jinja 2.10.1 has been released and includes a security-related fix. If you are using the Jinja sandboxed environment you are encouraged to upgrade.

MITRE has assigned CVE-2019-10906 to this issue.

Thank you to Brian Welch for responsibly reporting the issue, and to Armin Ronacher for writing the fix.

The sandbox restricts what code can be evaluated when rendering untrusted, user-provided templates. Python format strings can walk attributes and items of their arguments (for example "{0.__class__}"), so calling str.format_map from a template bypassed the sandbox's attribute checks and could be used to escape it.

This issue was previously addressed for the str.format method in Jinja 2.8.1, which discusses the issue in detail. However, the less-common str.format_map method was overlooked. This release applies the same sandboxing to both methods.

If you cannot upgrade Jinja, subclass SandboxedEnvironment, override its is_safe_attribute method, and return False when the object is a str and the attribute is format_map.
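The following is an added example, not code from the Jinja project or from this post. It first shows in plain Python why an attacker-controlled str.format_map call is a sandbox escape, then the is_safe_attribute override described above. The Account class, the DATABASE_PASSWORD module global and the PAYLOAD string are constructed stand-ins for application state and attacker input.

```python
"""Why str.format_map escapes a sandbox, and the is_safe_attribute workaround.

Added example (not Pallets' code). Account, DATABASE_PASSWORD and PAYLOAD are
constructed for this demonstration.
"""
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Stand-in for a secret living in the application module's globals.
DATABASE_PASSWORD = "hunter2-constructed-secret"


class Account:
    """Harmless-looking object an application might hand to a template."""

    def __init__(self, name="demo"):
        self.name = name


# A format string may walk attributes and items of its arguments. From any
# Python-level function (here __init__) it reaches the module globals that
# function was defined in, without ever going through the sandbox's getattr.
PAYLOAD = "{c.__init__.__globals__[DATABASE_PASSWORD]}"


def unsandboxed_leak(fmt, obj):
    """What plain str.format_map hands to whoever controls fmt."""
    return fmt.format_map({"c": obj})


class HardenedSandbox(SandboxedEnvironment):
    """Sandbox that refuses str.format_map outright.

    This is the workaround for Jinja < 2.10.1; on fixed versions it is
    redundant but harmless, since they wrap format_map themselves.
    """

    def is_safe_attribute(self, obj, attr, value):
        if isinstance(obj, str) and attr == "format_map":
            return False
        return super().is_safe_attribute(obj, attr, value)


def render_untrusted(env, source, **context):
    """Render a user-supplied template: (output, None) or (None, error text)."""
    try:
        return env.from_string(source).render(**context), None
    except SecurityError as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Outside any sandbox the payload reads the secret straight away.
    print(unsandboxed_leak(PAYLOAD, Account()))
    # Inside the hardened sandbox the same call is refused.
    print(render_untrusted(HardenedSandbox(), "{{ fmt.format_map({'c': c}) }}",
                           fmt=PAYLOAD, c=Account()))
    print(render_untrusted(HardenedSandbox(), "Hello {{ c.name }}", c=Account()))
```

Note that the override only closes the format_map path; ordinary attribute access such as c.name still works, and the sandbox's other checks (leading-underscore attributes, unsafe callables) remain in force.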

Reporting Security Issues

If you think you have discovered a security issue in Jinja or another of the Pallets projects, please email security@palletsprojects.com with details.

Werkzeug 0.15.2 Released

written by David Lord on 2019-04-02 in Releases

Werkzeug 0.15.2 has been released. The changelog lists the changes in detail, which include:

  • Fix an issue where code generation would cause coverage to fail.
  • Fixed some issues with the new test client redirect code. If no cookies are stored, the cookie header is removed. Changes to the environ by the app don't affect the client.
  • The "werkzeug" logger doesn't log messages twice if user code has already configured logging.

Install or Upgrade

Install from PyPI with pip:

pip install -U Werkzeug

Werkzeug 0.15.1 Released

written by David Lord on 2019-03-21 in Releases

Werkzeug 0.15.1 has been released. It fixes a bug in the argument order for the Unauthorized HTTP exception: description is now the first argument again.

Install or Upgrade

Install from PyPI with pip:

pip install -U Werkzeug

Werkzeug 0.15.0 Released

written by David Lord on 2019-03-19 in Releases

The Pallets team is pleased to release Werkzeug 0.15.0. This represents over a year of work from the community and maintainers, and as such there is an unusually long list of changes. Some of the notable ones are listed below, but there are many more throughout the framework. Read the full changelog to understand what changes may affect your code when upgrading.

  • Building URLs is ~7x faster.
  • Routing redirects (RequestRedirect, e.g. for a missing trailing slash) now use HTTP code 308 by default. Unlike 301, this preserves the request method and body.
  • int and float URL converters can handle negative numbers.
  • The debugger saw a number of improvements. Python 3's chained exceptions are correctly displayed and logged. Frames of user code are highlighted to make it easier to read tracebacks.
  • The reloader is much better at detecting how to re-run itself. It handles python -m as well as non-Python executable scripts.
  • The test client takes a json parameter, and the response class has a get_json method. This makes testing JSON APIs much more straightforward.
  • URLs with Unicode or percent-escapes are handled better. Quoting when converting between URIs and IRIs is more consistent, and the unquoted URL is logged by the dev server rather than showing percent escapes.
  • Deprecation warnings have been added throughout the code in preparation for version 1.0.
  • Werkzeug now uses pre-commit, black, reorder-python-imports, and flake8 to provide consistent code formatting. The code also moved to a src directory layout.
  • And much more!

werkzeug.contrib has been deprecated

The code under the werkzeug.contrib package has been deprecated. In version 1.0, code will either be moved into werkzeug core, or will be removed completely. Contrib started as a place to put code for which it wasn't clear where it belonged. In the 12 years since Werkzeug started, the packaging ecosystem and Werkzeug's codebase have evolved. The contrib code has not been widely maintained, often having better implementations elsewhere or no longer being required.

  • ProxyFix, LintMiddleware, and ProfilerMiddleware have moved into werkzeug.middleware.
  • securecookie and sessions have been extracted to the pallets/secure-cookie repository.
  • cache has been extracted to the pallets/cachelib repository.
  • Everything else is deprecated.
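An added example, not Werkzeug's own code, tying together two items above: the test client's json parameter and the response's get_json method, and ProxyFix imported from its new werkzeug.middleware location. It is written against the Werkzeug 2.x/3.x API, which keeps the names introduced in 0.15. The /whoami route, the addresses and the payloads are constructed for the demonstration.

```python
"""JSON endpoint behind ProxyFix, exercised with the Werkzeug test client.

Added example, not Werkzeug's code. Route, addresses and payloads are
constructed; written for the Werkzeug 2.x/3.x API.
"""
import json

from werkzeug.middleware.proxy_fix import ProxyFix
from werkzeug.test import Client
from werkzeug.wrappers import Request, Response


@Request.application
def whoami(request):
    """Echo the peer address the application believes, plus the JSON body."""
    body = request.get_json(silent=True)
    if body is None:
        return Response('{"error": "expected a JSON body"}', status=400,
                        mimetype="application/json")
    payload = {"remote_addr": request.remote_addr, "echo": body}
    return Response(json.dumps(payload), mimetype="application/json")


# Trust exactly one reverse proxy: only the last X-Forwarded-For entry (the
# one that proxy appended) is believed; entries a client prepends are ignored.
app = ProxyFix(whoami, x_for=1)


def post_json(headers, payload=None, raw=None, peer="10.0.0.5"):
    """Drive the app through the test client.

    peer is the TCP-level REMOTE_ADDR the WSGI server would report; payload
    is sent with json=, raw is sent as an unlabelled request body.
    """
    client = Client(app)
    kwargs = {"headers": headers, "environ_base": {"REMOTE_ADDR": peer}}
    if payload is not None:
        resp = client.post("/whoami", json=payload, **kwargs)
    else:
        resp = client.post("/whoami", data=raw, **kwargs)
    return resp.status_code, resp.get_json()


if __name__ == "__main__":
    print(post_json({"X-Forwarded-For": "203.0.113.9, 198.51.100.7"}, {"n": 1}))
    print(post_json({}, {"n": 2}))
    print(post_json({}, raw="not json"))
```

The last case worth trying is a request that arrives without any proxy but carries its own X-Forwarded-For: ProxyFix cannot tell that header from a proxy's, so it only protects deployments where the application is reachable solely through the trusted proxy, and x_for must match the real proxy count.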

Deprecation Warnings

Besides contrib, many other parts of Werkzeug have been deprecated, explicitly or implicitly, for many years. This release ensures that every occurrence issues a clear deprecation warning that mentions when the code will be removed. Currently, everything marked deprecated is slated to be removed in version 1.0.

  • Unused compatibility imports for code that was moved to another module within Werkzeug. This code is still available, but should be imported from the correct location.
  • Middleware in werkzeug.wsgi has moved to werkzeug.middleware.
  • The werkzeug.wrappers module was converted to a package of more specific modules. Imports for classes that were publicly documented in the previous version will work without change.

Install or Upgrade

Install from PyPI with pip:

pip install -U Werkzeug

The Pallets organization has joined the Python Software Foundation. We now accept donations through the PSF in order to support our efforts to maintain the projects and grow the community. Click here to donate.

MarkupSafe 1.1.1 Released

written by David Lord on 2019-02-23 in Releases

This is a bugfix release. Changelog

  • If an __html__ method raised an exception, Python would segfault when using MarkupSafe's C speedups. Now the exception will propagate correctly rather than crashing.

Install or Upgrade

Install from PyPI with pip:

pip install -U MarkupSafe

Take the Pallets / Flask Community Survey

written by David Lord on 2019-01-29 in Meta

One of my goals as a Pallets maintainer is to build the community around our projects. The Pallets projects (Flask, Jinja, Click, etc.) are downloaded millions of times each month, but it's hard to get a clear picture of what our users do and want with downloads stats only. We'd like to learn about you and your projects. Knowing more about our community will help us decide what to focus on to grow the Pallets projects.

Click here to take our Community Survey.

Please share the link with friends, coworkers, and the internet! We're looking forward to seeing everyone's responses! You can follow https://twitter.com/PalletsTeam or this blog to get updates about Pallets, including the survey results.

MarkupSafe 1.1.0 Released

written by David Lord on 2018-11-05 in Releases

Changelog

  • Dropped support for Python 2.6 and 3.3.
  • Using newer CPython APIs gave the C extension a 1.5x speedup on Python 3. Python 2 will still get the same speed as before, but you should consider upgrading if possible.
  • The escape function uses the __html__ method on an object if it's available. It will now ensure that result is wrapped in the Markup class, for consistency with other behavior.
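An added example, not MarkupSafe's own code, covering the two behaviours described in this post and in the 1.1.1 note above: escape() honours an object's __html__ method and wraps the result in Markup, and an exception raised inside __html__ propagates instead of crashing. The Badge and BrokenBadge classes and the comment content are constructed for the demonstration.

```python
"""escape() and __html__: trusted components render themselves, strings get escaped.

Added example, not MarkupSafe's code. Badge, BrokenBadge and the sample
content are constructed.
"""
from markupsafe import Markup, escape


class Badge:
    """A trusted UI component that knows how to render itself."""

    def __init__(self, label):
        self.label = label

    def __html__(self):
        # Escape our own untrusted field before declaring the result markup;
        # returning a plain str here would also work, escape() wraps it.
        return Markup('<span class="badge">{}</span>').format(self.label)


class BrokenBadge:
    """A component whose renderer fails; the error must surface, not vanish."""

    def __html__(self):
        raise ValueError("badge renderer failed")


def render_comment(author, body):
    """Build HTML where every str argument is escaped and __html__ objects pass through."""
    return Markup("<p>{author}: {body}</p>").format(author=author, body=body)


def render_or_report(obj):
    """Return the rendered Markup, or the exception escape() let propagate."""
    try:
        return escape(obj)
    except Exception as exc:  # pre-1.1.1 the C speedups segfaulted here
        return exc


if __name__ == "__main__":
    print(render_comment(Badge("admin"), "<script>alert(1)</script>"))
    print(repr(render_or_report(BrokenBadge())))
```

Markup.format applies the same rule as escape(): anything with __html__ is trusted as-is, everything else is escaped, so untrusted input is safe wherever it lands in the template as long as it is a plain str rather than Markup.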

Platform Wheels

Installing from PyPI with pip will now install a precompiled wheel if available. Wheels have been compiled for supported CPython versions on Linux, Mac, and Windows.

MarkupSafe comes with a C extension that adds a significant speedup to escaping. However, if a compiler or headers aren't available, the install will fall back to a native Python implementation. Previously, the user would see no indication that they didn't get the speedups, or would see confusing error messages even though the install succeeded. Now, many more users will be able to take advantage of the speedups provided by MarkupSafe without extra configuration.

Documentation

Full documentation has been added in place of the previous README. It is available through Read the Docs at https://markupsafe.palletsprojects.com/.

Install or Upgrade

Install from PyPI with pip:

pip install -U MarkupSafe

We accept donations through the Python Software Foundation in order to support our efforts to maintain the projects and grow the community. Click here to donate.

itsdangerous 1.1.0 Released

written by David Lord on 2018-10-26 in Releases

itsdangerous 1.1.0 has been released to fix compatibility issues that were affecting projects while upgrading. Due to these issues, we had to make a quick decision and pull itsdangerous 1.0.0 from PyPI earlier today to prevent more projects from being affected. We apologize for the difficulty this caused, and the changes in this release should address compatibility going forward.

1.0.0 changed the default digest algorithm from SHA-1 to SHA-512. SHA-1 as used by itsdangerous (as the hash inside HMAC) was never susceptible to the SHAttered collision attack published in 2017, but the change was made for peace of mind. However, this change invalidated existing signatures that were in use.

To address this, 1.1.0 reverts the default digest to SHA-1. It also adds a fallback mechanism (the fallback_signers parameter on Serializer) to try other signing configurations when unsigning. This gives projects a safe way to upgrade signing parameters in the future, while still supporting existing signatures during the upgrade period. A default fallback for SHA-512 was added to support projects that were already affected by the 1.0.0 version. 1.1.0 is therefore compatible with both 0.24 and 1.0.0, so upgrading should be safe in either case.
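An added example, not itsdangerous' own code, of the fallback mechanism described above used for a deliberate digest migration: a deployment that signed with SHA-1 starts signing with SHA-512 while still verifying the SHA-1 tokens already in circulation, then drops the fallback once those have expired. The fallback is listed explicitly rather than relying on the library default, so the same code works whatever the installed version's defaults are. SECRET and SALT are constructed placeholders.

```python
"""Rotating the digest behind itsdangerous signatures with fallback_signers.

Added example, not itsdangerous' code. SECRET and SALT are constructed.
"""
import hashlib

from itsdangerous import BadSignature, Serializer

SECRET = "constructed-example-secret-do-not-reuse"
SALT = "api-token"


def legacy_serializer():
    """What a deployment on 0.24 signed with: SHA-1 inside HMAC."""
    return Serializer(SECRET, salt=SALT,
                      signer_kwargs={"digest_method": hashlib.sha1})


def migrating_serializer():
    """Cutover configuration: new tokens use SHA-512, old SHA-1 tokens still verify.

    Fallbacks are only tried when unsigning; signing always uses signer_kwargs.
    """
    return Serializer(
        SECRET,
        salt=SALT,
        signer_kwargs={"digest_method": hashlib.sha512},
        fallback_signers=[{"digest_method": hashlib.sha1}],
    )


def strict_serializer():
    """After the cutover window: SHA-512 only, leftover SHA-1 tokens are rejected."""
    return Serializer(SECRET, salt=SALT,
                      signer_kwargs={"digest_method": hashlib.sha512})


def try_loads(serializer, token):
    """Return (payload, None) on success or (None, reason) on a bad signature."""
    try:
        return serializer.loads(token), None
    except BadSignature as exc:
        return None, str(exc)


if __name__ == "__main__":
    old_token = legacy_serializer().dumps({"user": 42})
    print(try_loads(migrating_serializer(), old_token))   # accepted via fallback
    print(try_loads(strict_serializer(), old_token))      # rejected after cutover
```

Keep the fallback only for as long as the longest-lived old token can still be valid; every extra accepted configuration is one more signature scheme an attacker may target.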

Additionally, we reverted a change to the project name in setup.py. 1.0.0 changed the capitalization from "itsdangerous" to "ItsDangerous", but this caused issues with some systems. The name will remain as "itsdangerous".

We apologize again for the issues and thank everyone in the community who contributed to the discussion.

Upgrade

Install from PyPI with pip:

pip install -U itsdangerous

It's Dangerous 1.0.0 Released

written by David Lord on 2018-10-18 in Releases

It's Dangerous 1.0.0 has been released. See the changelog for a list of changes since the last release on 2014-03-28.

It's Dangerous provides secure message signing and serialization. Without the secret key used to sign a message, the content cannot be changed without invalidating the signature. This allows, for example, Flask to store information in a session cookie that is transmitted over public networks, and be sure that the data has not been tampered with when loading a subsequent request. Signing provides integrity, not confidentiality: the payload is only encoded, so anyone holding the cookie can read it, and only data the client is allowed to see belongs in it.
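An added example, not itsdangerous' or Flask's code, of a Flask-style signed session cookie built with URLSafeTimedSerializer. It shows what the signature guarantees (a swapped payload, a different key or an expired timestamp are all rejected) and what it does not (the payload can be decoded by anyone without the key). SECRET_KEY, SALT and the session contents are constructed for the demonstration.

```python
"""What a signed session cookie does and does not protect.

Added example, not itsdangerous' or Flask's code. SECRET_KEY, SALT and
the session data are constructed.
"""
import base64
import json

from itsdangerous import BadSignature, SignatureExpired, URLSafeTimedSerializer

SECRET_KEY = "constructed-example-key-do-not-reuse"
SALT = "cookie-session"


def make_session_cookie(session, secret=SECRET_KEY):
    """Serialize and sign; the result is URL-safe text: payload.timestamp.signature"""
    return URLSafeTimedSerializer(secret, salt=SALT).dumps(session)


def load_session_cookie(cookie, secret=SECRET_KEY, max_age=3600):
    """Return (session, None), or (None, reason) if the cookie is stale or forged."""
    serializer = URLSafeTimedSerializer(secret, salt=SALT)
    try:
        return serializer.loads(cookie, max_age=max_age), None
    except SignatureExpired:          # subclass of BadSignature, so check it first
        return None, "expired"
    except BadSignature:
        return None, "bad signature"


def peek_payload(cookie):
    """Signing is integrity, not secrecy: decode the payload with no key at all."""
    payload = cookie.split(".")[0]
    payload += "=" * (-len(payload) % 4)   # restore the stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def forge_payload(cookie, new_session):
    """Swap the payload but keep the original timestamp and signature."""
    _payload, timestamp, signature = cookie.split(".")
    raw = json.dumps(new_session, separators=(",", ":")).encode()
    forged = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([forged, timestamp, signature])


if __name__ == "__main__":
    cookie = make_session_cookie({"uid": 7, "role": "user"})
    print(cookie)
    print(peek_payload(cookie))                                   # readable by anyone
    print(load_session_cookie(forge_payload(cookie, {"uid": 7, "role": "admin"})))
    print(load_session_cookie(cookie, max_age=-1))                # any age is too old
```

The max_age check is what stops a captured cookie from being replayed indefinitely; without it a valid signature never stops being valid, so pair short lifetimes with server-side invalidation for anything sensitive.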

Install or Upgrade

Install from PyPI with pip:

pip install -U ItsDangerous

Imports will change

Previously, It's Dangerous was a single Python module with about 1000 lines of code. The project has been reorganized as a package with submodules, which will make the code easier to navigate going forward.

However, this means that everything that It's Dangerous imported or defined used to be importable from itsdangerous. With the reorganization, only the public API is importable from itsdangerous. To ease transition, "public" was defined as any name that was previously documented in the API section. These compatibility imports will be deprecated and removed in future releases. If you were importing undocumented names, you'll need to import them from the correct submodule now.

Read the Docs

It's Dangerous has moved its docs to Read the Docs. The new URL for the docs is https://itsdangerous.palletsprojects.com/.

The docs were previously hosted on PyPI's docs site (pythonhosted.org/itsdangerous), but this site has been deprecated and it is no longer possible to upload new docs there. Unfortunately, due to the deprecation, there is no way to add a redirect to the new docs. As of this release, any URLs pointing to the old site will break.

Get Involved

The Pallets team depends on you, the community, to help keep our projects sustainable. Whether you report issues, write documentation, create patches, or answer questions, we appreciate all the help you provide. Star the project on GitHub to show support, and watch the repository to see discussions and pull requests as they happen.

We accept donations through the Python Software Foundation in order to support our efforts to maintain the projects and grow the community. Click here to donate.

Click 7.0 Released

written by David Lord on 2018-09-25 in Releases

The Pallets team is pleased to release Click 7.0. Thank you to everyone who contributed online and in person at the PyCon US 2018 sprint! With the help of the community as well as some new maintainers, we've managed to resolve hundreds of long standing issues and pull requests.

Due to the length of time since the last release, there are a significant number of new features and fixes. Check out the changelog for a list of all code changes and links to the relevant issues. Changes include:

  • Shell autocompletion has improved in a number of areas.
    • Native ZSH completion was added, and supports its enhanced parameter documentation.
    • The choice type can be completed.
    • Completion correctly handles chained commands, spaces, defaults, and partial completions.
    • Parameters can provide a callback to customize completion.
  • On Windows, click.echo can now output more than 16k characters in one call. On Windows 7, a 64k limit on binary stream output is also worked around.
  • click.getchar returns Unicode on Windows.
  • When piping input and output, more cases of closed pipes are detected and handled instead of raising errors.
  • The CliRunner used for testing separates stdout and stderr.
  • New DateTime and FloatRange parameter types.
  • Flags to mark a parameter as hidden or deprecated.
  • Numerous improvements and fixes to I/O, help, parameters, and testing.

Read the Docs

Click is the first Pallets project to move its docs to Read the Docs. Our projects currently use a custom builder and hosting, but this became too difficult with limited maintainer time. Thank you to everyone at RTD who helped with the transition!

The new URL for the docs is https://click.palletsprojects.com/. The old http://click.pocoo.org/ domain will redirect to the new one while we continue to migrate, but will eventually go away. Please use the new URL going forward.

Click's docs use a custom Sphinx theme and extensions. As part of the move, these were extracted to a separate Python package. Install Pallets-Sphinx-Themes to use Click's theme when writing extensions for a more cohesive look.

Install or Upgrade

Install from PyPI with pip:

pip install -U Click

Get Involved

Click and the Pallets team depend on you, the community. Whether you report issues, write documentation, create patches, or answer questions, we appreciate all the help you provide. Star the project on GitHub to show support, and watch the repository to see discussions and pull requests as they happen.

We now accept donations through the Python Software Foundation in order to support our efforts to maintain the projects and grow the community. Click here to donate.