There was a packaging error for 2.8. It included files not intended
to be released which broke the 'ptl' package. This release repairs
that error and includes a small change to random session tokens.
Our previous 64-bit values should still be more than secure
for web applications but recommended best practice is currently
128-bit. We use URL-safe base64 encoding so the length of
the tokens is only a bit longer.
Since stat.st_mtime is a float in linux, _load_pyc will almost always
recompile the ptl files. Here's a patch to make the logic follow
compile.c in python.
Use chunked transfer encoding if there is no content length
available and it's supported by the protocol (i.e. HTTP 1.1).
Stream responses without a length can now be compressed.
Only mess with the _q_exports attribute if the export()
and subdir() decorators have been used. This will hopefull
avoid any backwards compatibility surprises.
Mention the export() decorator. Simplify the explaination of
the mini demo. Suggest starting the server using python -m
<module> since that avoids platform dependant paths. Explain
how to make simple_server listen on a public interface. Include
the latest docutils stylesheet.
Introduce the errors.format_page() function and use it to generate
all HTML pages produced by Quixote. It provides a single location
to "monkey-patch" if applications want to customize the look of the
pages. Improve the wording of the messages on some of the error
pages. Provide some basic CSS rules to make the pages look a little
more modern. Use the HTML 5 doctype.
By default, only allow GET, HEAD, and POST. Allowed methods
can be set by the ALLOWED_METHODS config. All methods can
be allowed by setting ALLOWED_METHODS to None.
Pass a reference to the form object to widgets. Use
Form.is_submitted() to check if form has been submitted. This
allows query strings to be provided to forms with a POST method
while preventing them from erroneously parsing themselves.
Previously the query string would cause them to think the form
was submitted.
Some clients and middleware expect that the body is always consumed.
Previous to this change, raising a PublishError exception (for
example) could result in a response being sent without the body
being consumed. Requiring the application code to ensure that the
body is always consumed seems burdensome. Using a temporary file
or StringIO object seems simplest and should not significantly
affect performance.
The Expires header is sufficient for HTTP 1.0 but for HTTP 1.1 we
must add a must-revalidate directive. Clients and proxies are
allowed to ignore Expires in certain cases and use stale pages (RFC
2616 sections 13.1.5 and 14.9.4).
Based on a suggestion from Emmanuel Dreyfus <manu@netbsd.org>, add
the SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY options.
Setting them to true will cause the corresponding flag to be set
on the session cookie.
Currently HTTPRequest only checks whether the HTTPS environment
variable has a value of 'on', but other possible positive values are
'1' (as set by mod_wsgi) and 'yes'.
Neil Schemenauer
Patrik Simons
Hamish Lawson