web.py 0.21 released

Aaron Swartz

May 28, 2007, 3:06:24 PM
to we...@googlegroups.com
web.py 0.21 is finally out.

http://webpy.org/web.py-0.21.tar.gz

One important change is that web.py applications are now more secure
against HTTP response splitting attacks (see
http://en.wikipedia.org/wiki/HTTP_response_splitting); web.py raises
an error if you try to use web.header with a header that contains
newline characters. It's recommended everyone upgrade to get this
protection, but otherwise it's pretty easy to add yourself. Just add:

    # protection against HTTP response splitting attack
    if '\n' in hdr or '\r' in hdr or '\n' in value or '\r' in value:
        raise ValueError('invalid characters in header')

to the top of webapi.header.

Here are the other changes noted by Anand (let us know if we missed any):

* support for cheetah template reloading
* support for form validation
* new `form.File`
* new `web.url`
* fix rendering issues with hidden and button inputs
* fix 2.3 incompatibility with `numify`
* fix multiple headers with same name
* fix web.redirect issues when homepath is not /
* new CherryPy wsgi server
* new nested transactions
* new sqlliteral
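
Added example, not part of the original post and not web.py's own code: a standalone model of a header collector showing what the CR/LF check described in the announcement prevents. The names HeaderList, add, serialize and header_names_on_wire are hypothetical, and the input value is constructed.

```python
# Added example: standalone model of a header collector, not web.py's code.
# HeaderList, add, serialize and header_names_on_wire are hypothetical names.

class HeaderList(object):
    def __init__(self, check=True):
        self.check = check
        self.headers = []

    def add(self, hdr, value):
        # Same test as the snippet in the post: CR or LF in the name or value.
        if self.check and any(c in s for s in (hdr, value) for c in '\r\n'):
            raise ValueError('invalid characters in header')
        self.headers.append((hdr, value))

    def serialize(self):
        # Header block as it would be written to the wire.
        return ''.join('%s: %s\r\n' % h for h in self.headers) + '\r\n'


def header_names_on_wire(raw):
    """Read a serialized header block the way a client would: one header per
    CRLF-terminated line, stopping at the first empty line."""
    names = []
    for line in raw.split('\r\n'):
        if not line:
            break
        names.append(line.split(':', 1)[0])
    return names


# Constructed sample: a redirect target copied from request input.
UNTRUSTED = '/home\r\nSet-Cookie: session=constructed'


def unchecked_result():
    h = HeaderList(check=False)
    h.add('Location', UNTRUSTED)
    # One add() call, but the client sees two separate headers.
    return header_names_on_wire(h.serialize())


def checked_result():
    h = HeaderList(check=True)
    try:
        h.add('Location', UNTRUSTED)
    except ValueError as e:
        return str(e)
    return header_names_on_wire(h.serialize())
```

With the check disabled, the single Location header reaches the client as two headers; with it enabled, the value is rejected before anything is written.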
