Commits on Nov 12, 2010
  1. WSGIHeaderDict API is now finite:

    defnull committed Nov 12, 2010
     - Direct read-only access to environ. It's a wrapper, not a copy.
     - All keys and values are native strings.
     - Non-Native strings are de- or encoded using 'latin1'.
     - All keys are titled and therefore case-insensitive.
     - The .raw(key) method may be used to receive the original value.
  2. Added tests for WSGIHeaderDict.

    defnull committed Oct 29, 2010
Commits on Nov 11, 2010
  1. Security fix: cookie_decode() vulnerability to statistical timing attacks.

    defnull committed Nov 5, 2010
    
    This vulnerability reduces the amount of time required to guess a valid
    signature for a forged cookie. Only applications that use the secure-cookie
    feature are affected.
    
    Detail: Prior to this patch, the transmitted signature and the calculated
    (valid) signature were compared using the python '==' operator. The runtime of
    this operation depends on the length of a common string prefix. The time
    difference is barely measurable for a single request, but it exists. An attacker
    could send a large number of requests with different signatures, measure the
    time for each request and statistically determine which signature is most likely
    to have a valid prefix. On a fast network, this can drastically reduce the time
    required to guess a valid signature for a forged cookie.
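
The comparison problem described in the commit message above, as an added example that is not the project's own code or part of the commit. The `<sig>?<payload>` cookie format, the HMAC-SHA256 choice, and the names `SECRET`, `sign`, `encode_cookie`, `early_exit_steps`, `decode_cookie_unsafe` and `decode_cookie` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed sample key, not a real secret


def sign(payload: bytes, key: bytes = SECRET) -> bytes:
    """Return a base64-encoded HMAC-SHA256 signature for payload."""
    return base64.b64encode(hmac.new(key, payload, hashlib.sha256).digest())


def encode_cookie(payload: bytes, key: bytes = SECRET) -> bytes:
    """Hypothetical wire format for this example: b'<sig>?<base64 payload>'."""
    return sign(payload, key) + b"?" + base64.b64encode(payload)


def early_exit_steps(a: bytes, b: bytes) -> int:
    """Count the byte comparisons an early-exit equality test performs."""
    if len(a) != len(b):
        return 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            break  # stops at the first mismatch, so work tracks the shared prefix
    return steps


def decode_cookie_unsafe(cookie: bytes, key: bytes = SECRET):
    """The 'before' pattern: '==' runtime depends on the matching prefix length."""
    sig, _, msg = cookie.partition(b"?")
    payload = base64.b64decode(msg)
    return payload if sig == sign(payload, key) else None


def decode_cookie(cookie: bytes, key: bytes = SECRET):
    """Hardened: compare_digest does not stop early at the first differing byte."""
    sig, _, msg = cookie.partition(b"?")
    try:
        payload = base64.b64decode(msg, validate=True)
    except ValueError:  # malformed base64 is rejected, not raised to the caller
        return None
    return payload if hmac.compare_digest(sig, sign(payload, key)) else None
```

`early_exit_steps` makes the prefix dependence visible without measuring time: a guess that is wrong in its first byte costs one comparison, while a guess that is wrong only in its last byte costs the full signature length.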
Commits on Nov 10, 2010
  1. Response.delete_cookie() called Response.set_cookie() with wrong parameters. Added test cases.

    defnull committed Nov 10, 2010
Commits on Nov 5, 2010
  1. Docs fix

    apheage committed Nov 5, 2010
Commits on Oct 25, 2010
Commits on Oct 9, 2010
  1. docs: Added to changelog.

    defnull committed Oct 9, 2010
Commits on Oct 7, 2010
Commits on Oct 6, 2010
  1. More docstrings.

    defnull committed Sep 21, 2010
Commits on Sep 30, 2010
  1. Bug in Sphinx latex builder.

    defnull committed Sep 30, 2010
  2. Missing doc templates.

    defnull committed Sep 30, 2010
Commits on Sep 25, 2010
  1. Prior to this patch, one can't use a socket with FlupFCGIServer

    Ian Davis committed with defnull Sep 25, 2010
    (because bindAddress is hard-coded as the host & port) and any other
    options that are passed in are ignored.  This fixes both issues.
Commits on Sep 22, 2010
Commits on Sep 20, 2010
  1. Docstrings.

    defnull committed Sep 20, 2010
Commits on Sep 14, 2010
  1. fix: JSON support for GAE (Python 2.5 and django installed) (Issue #98)

    defnull committed Sep 14, 2010
    Thanks to 'Kraken' :)
Commits on Sep 13, 2010
  1. Improved server test cases.

    defnull committed Sep 13, 2010
  2. fix: "Template args not passed from view() to template() properly " (issue #97)

    defnull committed Sep 13, 2010
    
    Thanks joegester
Commits on Sep 4, 2010
Commits on Sep 2, 2010
  1. typos

    defnull committed Sep 2, 2010
  2. fix: Response.set_cookie() with a secret should always create a secure cookie.

    defnull committed Sep 2, 2010
    
    fix: Renaming a secure cookie should not be possible.
    docs: Improved API documentation on secure cookies.
  3. handle empty secure cookie

    kylefritz committed with defnull Sep 2, 2010
Commits on Aug 31, 2010
Commits on Aug 27, 2010
  1. The Request.headers dict is now guaranteed to contain native strings (bytes or unicode) based on

    defnull committed Aug 27, 2010
    
    the running python version. If the WSGI environment contains non-native strings, these are
    de- or encoded using 'utf8' (default) or 'latin1' (fallback). This API will remain stable even
    on WSGI spec changes, if possible. If you need the unmodified value, call Request.headers.raw(key).
Commits on Aug 26, 2010
  1. docs: Changelog

    defnull committed Aug 26, 2010