Removed support for null-bytes in the path when making a request for a file
against a static_view. Whille null-bytes are allowed by the HTTP
specification, due to the handling of null-bytes potentially leading to
security vulnerabilities it is no longer supported.
This fixes a security vulnerability that is present due to a bug in Python
3.11.0 through 3.11.4, thereby allowing the unintended disclosure of an
index.html one directory up from the static views path.
Thanks to Masashi Yamane of LAC Co., Ltd for reporting this issue.
Backward Incompatibilities
Requests to a static_view are no longer allowed to contain a null-byte in any
part of the path segment.
.. _changes_2.0.1:
2.0.1 (2023-01-29)
Add support for Python 3.10 and 3.11.
Copy __name__ from decorated attribute when using
pyramid.decorator.reify.
See Pylons/pyramid#3660
Fix method signatures in docs for
pyramid.config.Configurator.add_static_view and
pyramid.config.Configurator.override_asset.
See Pylons/pyramid#3699
Remove obsolete stackframe hack used in Python 3.5.0 when showing
configurator conflict errors.
See Pylons/pyramid#3700
Fix an error when injecting certain objects into the pshell env due to
the use of !=.
See Pylons/pyramid#3704
Pyramid drops support for l*gettext() methods in the i18n module.
These have been deprecated in Python's gettext module since 3.8, and
removed in Python 3.11. They also shouldn't be used at all on Python 3.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
Bumps the all-dependencies group with 5 updates:
23.1.0
23.2.0
4.1.1
4.1.2
16.2.2
16.2.3
2.0
2.0.2
1.13
1.14
Updates
attrs
from 23.1.0 to 23.2.0Commits
Updates
bcrypt
from 4.1.1 to 4.1.2Commits
b9223e6
Try building py39 wheels to see if that helps with reinitialization errors (#...5049783
Bump syn from 2.0.40 to 2.0.41 in /src/_bcrypt (#696)642d070
Bump syn from 2.0.39 to 2.0.40 in /src/_bcrypt (#693)8b44a10
Bump libc from 0.2.150 to 0.2.151 in /src/_bcrypt (#692)951cc64
Bump once_cell from 1.18.0 to 1.19.0 in /src/_bcrypt (#690)7377c6d
Bump actions/setup-python from 4.8.0 to 5.0.0 (#689)61b3203
Bump actions/setup-python from 4.7.1 to 4.8.0 (#688)1c3159a
Fixed wheels for older versions of macOS (#687)1a41437
Update README.rst (#682)Updates
kinto
from 16.2.2 to 16.2.3Release notes
Sourced from kinto's releases.
Changelog
Sourced from kinto's changelog.
Commits
1c23ba6
Prepare 16.2.3 (#3313)f845d16
Bump sphinx-rtd-theme from 1.3.0 to 2.0.0 (#3311)4e671d7
Bump bcrypt from 4.0.1 to 4.1.1 (#3312)11ab6cf
Bump sentry-sdk from 1.37.1 to 1.38.0 (#3310)bcfc498
Bump tox from 4.11.3 to 4.11.4 (#3309)bf4e4e8
Bump sentry-sdk from 1.35.0 to 1.37.1 (#3307)79bc6dc
Bump wheel from 0.41.3 to 0.42.0 (#3306)622e3ea
Back to development: 16.3.0Updates
pyramid
from 2.0 to 2.0.2Changelog
Sourced from pyramid's changelog.
... (truncated)
Commits
2bb8eab
prep 2.0.2f438547
fix rtd format80f288a
add readthedocs.yamld1cbbcf
fix lint1352ca8
Merge branch 'backport-jp_exploit_fix' into 2.0-branch8dc51af
update changelog for 2.0.2538a706
appease linteraca5337
appease linter6623dfc
re-add integration tests (bad merge) and add integration test for nulbyte che...2b74cc2
add integration testsUpdates
python-rapidjson
from 1.13 to 1.14Changelog
Sourced from python-rapidjson's changelog.
Commits
5381845
Release 1.1465d494a
Update CHANGES.rst65a9851
Merge PR #195c15bea5
Merge PR #194cf5c792
fix: dock use docker on mac775783b
152: add osx arm64 wheel build59ed984
Bump actions/setup-python from 4 to 5cb3362b
Bump deadsnakes/action from 3.0.1 to 3.1.0Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show