path: root/docs/news.txt

News
====

.. contents::

0.9.5
-----

* Fixed a security vulnerability in ``paste.urlparser``'s StaticURLParser
  and PkgResourcesParser where, with some servers, you could escape
  the document root.

* Significantly improved ``paste.httpserver``'s (egg:Paste#http)
  performance. It now uses a thread pool: previously it created a new
  thread for every request. To revert back to the old, slower behavior,
  set:

  use_threadpool = false

  in the [server:main] section of the config file.

* More control of where the output of ``paste.debug.prints`` goes.

* Added a warning to ``paste.wsgilib.add_close`` if the upstream
  app_iter consumer doesn't call the ``app_iter.close()`` method.

* Fixed ``testapp.post(params={})``

* Fixed ``paste.translogger.TransLogger`` to log to the Apache combined
  log format as advertised.

* Fixed ``paste.urlparser`` classes to handle quoted characters (e.g.
  %20) in URL paths.

* Changed ``paste.session`` to allow manipulating a session for the
  first time after ``start_response`` is called.

* Added ``paste.wsgilib.add_start_close`` which calls a function just
  before returning the first chunk of the app_iter.

* Changed ``paste.urlmap`` so that it matches domain-specific mappings
  before domain-neutral mappings.

* Fixed IE 6 potentially receiving the following ``"400 Bad Request"``
  error on file downloads:
  'Please check your system clock.
   According to this server, the time provided in the
   If-Modified-Since header is in the future.'

* Added a 'no' keyword argument to ``TestResponse.mustcontain``, so
  you can assert that a response does contain some strings at the same
  time that you assert that a response *does not* contain other
  strings, like::

    res = app.get('/')
    res.mustcontain('this must be there',
                    no=['error', 'unexpected'])

* Fixed ``fileapp.FileApp`` to pay attention to the ``If-None-Match``
  header, which does ETag matching; before only ``If-Modified-Since``
  was supported, even though an ``ETag`` header was being sent; in
  particular Firefox would then only send ``If-None-Match`` and so
  conditional requests never worked.

* Changed usage of ``paste.request.MultiDict`` to
  ``paste.util.multidict``, particularly in ``paste.wsgiwrappers``
  where ``request.GET`` returns a new style of dictionary interface.

* Be more careful in ``paste.request.parse_formvars`` not to let 
  the ``cgi`` module read from ``wsgi.input`` when there are no
  parsable variables in the input (based on ``CONTENT_TYPE``).

0.9.4
-----

* This released was lost in a tragic clerical accident.

0.9.3
-----

* 0.9.2 Included a version of MochiKit that was no longer compatible with
  evalexception; 0.9.3 reverts to a previous version.

* Change wsgi.run_once=False for ``paste.httpserver``

* Added entry points for debug apps

0.9.2
-----

* Fix in paste.urlmap when connecting with host:port.

* Added ``/_debug/summary`` to evalexception, which gives a
  JSON-formatted list of all the exceptions in memory.

0.9.1
-----

* A fix for paste.errordocument, when doing an internal redirect from 
  a POST request (the request is rewritten as a GET request)

0.9
---

* Added `paste.request.WSGIRequest
  <class-paste.request.WSGIRequest.html>`_, a request object that
  wraps the WSGI environment.

* Added `paste.registry <module-paste.registry.html>`_, which is
  middleware for registering threadlocal objects in a request.

* Avoid annoying warning from paste.recursive

* ``paste.httpserver`` now removes HTTPServer's transaction logging,
  which was doing a reverse DNS lookup.

* Added ``has_session`` to ``paste.session``

* Allow for conditional ``paste.wsgilib.intercept_output`` which
  should be slightly faster (and streamable) compared to doing the
  condition manually.

* Added entry point for `paste.proxy <module-paste.proxy.html>`_, plus
  improvements from Brad Clements (support path in target, filter
  request methods)

* Added `paste.pony <module-paste.pony.html>`_ so pony power can be
  added to any WSGI application.

* Added port matching to ``paste.urlmap``.

0.5
---

* Added `paste.auth.auth_tkt <module-paste.auth.auth_tkt.html>`_

* Added `paste.auth.grantip <module-paste.auth.grantip.html>`_

0.4.1
-----

* Some bug fixes to the `built-in HTTP server
  <module-paste.httpserver.html>`_.

* Experimental `paste.progress <module-paste.progress.html>`_
  middleware for tracking upload progress

* Some tweaking of how `paste.reload <module-paste.reload.html>`_
  works, especially with respect to shutdown.

0.4
---

* Fixed up paste documentation (especially for new packages/modules)

* Added `paste.auth <module-paste.auth.html>`_ package for authentication
  related WSGI middle-ware components:

  - ``basic`` and ``digest`` HTTP authentication as described by RFC 2617

  - support for Yale's Central Authentication System (``cas``)

  - ``open_id`` supports single sign-on originally developed for
    LiveJournal (see http://openid.net)

  - ``cookie`` digitally signs cookies to record the current
    authenticated user (``REMOTE_USER``), session identifier
    (``REMOTE_SESSION``), and other WSGI entries in the ``environ``.

  - a ``form`` module (to be used with ``cookie`` or an equivalent)
    provides a simple HTML based form authentication.

  - the ``multi`` module is an *experimental* mechanism for choosing
    an authentication mechanism based on the WSGI ``environ``

* Added `paste.httpserver <module-paste.httpserver.html>`_ module which
  provides a very simple WSGI server built upon python's
  ``BaseHTTPServer``; this server has support for several features:

  - support for SSL connections via OpenSSL

  - support for HTTP/1.1 ``100 Continue`` messages as required by the
    WSGI specification (many HTTP server implementations don't do this)

  - implemented as a Mix-In so that it can be used with other
    more enchanted versions of ``BaseHTTPServer``

  - support for 'Keep-Alive' (standard in HTTP/1.1) by either providing
    a content-length or closing a connection if one is not available

* Improved the `paste.httpexceptions <module-paste.httpexceptions.html>`_
  module:

  - added missing exception objects, and better descriptions

  - fixed several bugs in how exceptions are caught and propagated

  - usage as a ``wsgi_application()`` enables exceptions to be
    returned without throwing or catching the error

  - support for plain/text messages for text-only clients such as
    curl, python's urllib, or Microsoft Excel

  - allows customization of the HTML template for higher-level frameworks

* Added `paste.httpheaders <module-paste.httpheaders.html>`_ module
  to provide a uniform mechanism to access/update standard HTTP headers
  in a WSGI ``environ`` and ``response_headers`` collection; it includes
  specific support for:

  - providing "common" header names and sorting them as suggested
    by RFC 2616

  - validated support for ``Cache-Control`` header construction

  - validated support for ``Content-Disposition`` header construction

  - parsing of ``If-Modified-Since`` and other date oriented headers

  - parsing of Range header for partial-content delivery

  - composition of HTTP/1.1 digest ``Authorization`` responses

* Improved `paste.fileapp <module-paste.fileapp.html>`_ to support:

  - static in-memory resources

  - incremental downloading of files from disk

  - responding to 'Range' requests to handle partial downloads

  - allowing cache settings to be easily provided; including
    support for HTTP/1.0 'Expires' and HTTP/1.1 'Cache-Control'

* Added an *experimental* `paste.transaction
  <module-paste.transaction.html>`_ module for handling
  commit/rollback of standard DBAPI database connections

* Added a `paste.util.datetimeutil <module-paste.util.datetimeutil.html>`_
  module for parsing standard date/time user-generated text values

* Added a `debug <module-paste.debug.html>`_ package, which includes:

  - previous top-level modules ``prints``, ``profile``,
    ``wdg_validate`` and ``doctest_webapp``

  - a ``testserver`` module suitable to test HTTP socket
    connections via ``py.test``

* Re-factored `paste.wsgilib <module-paste.wsgilib.html>`_ into
  several other modules:

  - functions regarding header manipulation moved to
    `paste.response <module-paste.response.html>`_

  - functions regarding cookies and arguments moved to
    `paste.request <module-paste.request.html>`_

* Significant improvements to ``wsgiutils.wsgilib`` module:

  - added a ``dump_environ`` application to help debugging

  - fixes to ``raw_interactive`` to comply with WSGI specifications

  - ``raw_interactive`` now logs all 5xx exceptions and sets HTTP_HOST

* Added an argument ``no_profile`` to
  `paste.debug.profile.profile_decorator
  <module-paste.debug.profile.html#profile_decorator>`_; if that
  option is false, then don't profile the function at all.

* Changed `paste.lint <module-paste.lint.html>`_ to check that the
  status contains a message (e.g., ``"404 Not Found"`` instead of just
  ``"404"``).  Check that environmental variables
  ``HTTP_CONTENT_TYPE`` and ``HTTP_CONTENT_LENGTH`` are no present.
  Made unknown ``REQUEST_METHOD`` a warning (not an error).

* Added parameter ``cwd`` to `TestFileEnvironment.run
  <class-paste.fixture.TestFileEnvironment.html#run>`_

* `paste.fixture.TestApp <class-paste.fixture.TestApp.html>`_:

  - Form filling code (use ``response.forms[0]`` to get a `form object
    <class-paste.fixture.Form.html>`_)

  - Added `click method
    <class-paste.fixture.TestResponse.html#click>`_.

  - Better attribute errors.

  - You can force set hidden fields using
    ``form.fields[name].force_value(value)`` (normally setting the
    value of a hidden field is an error).

  - Frameworks can now add custom attributes to the response object.

* ``paste.wsgilib.capture_output`` is deprecated in favor of
  `paste.wsgilib.intercept_output
  <module-paste.wsgilib.html#intercept_output>`_

* Remove use of exceptions in `paste.cascade.Cascade
  <class-paste.cascade.Cascade.html>`_, which causes weird effects in
  some cases.  Generally we aren't using exceptions internally now,
  only return status codes.  Also in cascade, be careful to keep
  cascaded requests from sharing the same environment.

* ``paste.wsgilib.error_response`` is deprecated
  (`paste.httpexceptions <module-paste.httpexceptions.html>`_ replaces
  this with exception's ``.wsgi_application`` method).

* Moved ``paste.login`` to the attic, since `paste.auth
  <module-paste.auth.html>`_ pretty much replaces it.

* `paste.urlparser <module-paste.urlparser.html>`_ improvements:

  - Added an application `urlparser.StaticURLParser
    <class-paste.urlparser.StaticURLParser.html>`_ for serving static
    files.

  - Added an application `urlparser.PkgResourcesParser
    <class-paste.urlparser.PkgResourcesParser.html>`_ for serving static
    files found with ``pkg_resources`` (e.g., out of zipped Eggs).

  - Be less picky about ambiguous filenames when using `URLParser
    <class-paste.urlparser.URLParser.html>`_; if an exact file match
    exists, use that.  (``file.gif.bak`` would cause a request for
    ``file.gif`` to be ambiguous before)

  - Now looks for a ``.wsgi_application`` attribute when serving
    Python files/modules, as a general hook for returning a WSGI
    application version of an object.

* The `ErrorMiddleware
  <class-paste.exceptions.errormiddleware.ErrorMiddleware.html>`_:

  - Returns trimmed-down exceptions if there is a ``_`` GET variable
    in the request (which is meant to signal an XMLHttpRequest).
    Exceptions displayed in this context are best when they are smaller
    and easier to display.

  - Includes a text version of the traceback, for easier
    copy-and-paste.

  - Avoid printing exceptions to ``wsgi.errors`` if they are already
    displayed elsewhere (at least by default).

  - Highlight Python code.

* Use ``pkg_resources.declare_namespace`` so that there are less
  problems about confusing the ``paste`` package that is provided by
  Paste, Paste Script, Paste Deploy, and Paste WebKit.  Before you
  could get one of these at random if you didn't use
  ``pkg_resources.require`` first.

* Cleaned up use of ``exc_info`` argument in ``start_response`` calls
  (both accepting and producing), in a variety of places.