web.py 0.21 released


Aaron Swartz

28 May 2007, 15:06:24
to we...@googlegroups.com
web.py 0.21 is finally out.

http://webpy.org/web.py-0.21.tar.gz

One important change is that web.py applications are now more secure
against HTTP response splitting attacks (see
http://en.wikipedia.org/wiki/HTTP_response_splitting); web.py raises
an error if you try to use web.header with a header that contains
newline characters. It's recommended everyone upgrade to get this
protection, but otherwise it's pretty easy to add yourself. Just add:

    # protection against HTTP response splitting attack
    if '\n' in hdr or '\r' in hdr or '\n' in value or '\r' in value:
        raise ValueError, 'invalid characters in header'

to the top of webapi.header.

Here are the other changes noted by Anand (let us know if we missed any):

* support for cheetah template reloading
* support for form validation
* new `form.File`
* new `web.url`
* fix rendering issues with hidden and button inputs
* fix 2.3 incompatibility with `numify`
* fix multiple headers with same name
* fix web.redirect issues when homepath is not /
* new CherryPy wsgi server
* new nested transactions
* new sqlliteral
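
Added example, not part of the original post and not web.py source: a stand-alone Python 3 sketch of why the newline check matters, comparing a header call without the check to one with it. The function names, the header list, and the sample value are assumptions made for illustration; the `raise` uses Python 3 call syntax rather than the Python 2 form in the post.

```python
# Added illustration, not web.py source. All names here are hypothetical.

def unchecked_header(headers, hdr, value):
    """A header call without the check: stores whatever it is given."""
    headers.append((hdr, value))


def checked_header(headers, hdr, value):
    """The same call with the check from the post placed at the top."""
    # protection against HTTP response splitting attack
    if '\n' in hdr or '\r' in hdr or '\n' in value or '\r' in value:
        raise ValueError('invalid characters in header')
    headers.append((hdr, value))


def serialize(headers):
    """Write the header block as it goes on the wire: 'Name: value' + CRLF."""
    return ''.join('%s: %s\r\n' % (h, v) for h, v in headers) + '\r\n'


def wire_header_names(raw):
    """Header names a client would see after splitting the block on CRLF."""
    block = raw.split('\r\n\r\n', 1)[0]
    return [line.split(':', 1)[0] for line in block.split('\r\n') if line]


# Constructed sample: a header value that reached the app from request input.
SAMPLE_VALUE = '/home\r\nX-Injected: 1'


def demo():
    loose = []
    unchecked_header(loose, 'Location', SAMPLE_VALUE)
    seen = wire_header_names(serialize(loose))  # one call, two headers on the wire

    strict = []
    try:
        checked_header(strict, 'Location', SAMPLE_VALUE)
        rejected = False
    except ValueError:
        rejected = True
    return seen, rejected, strict


if __name__ == '__main__':
    print(demo())
```

The check rejects a bare `\r` or `\n` as well as the `\r\n` pair, which matters because some HTTP parsers accept a lone line feed as a line terminator.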
