You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses request.data, request.form, request.files, or request.get_data(parse_form_data=False), it can cause unexpectedly high resource usage.
This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad for another subdomain.
Werkzeug <= 2.2.2 will parse the cookie =__Host-test=bad as __Host-test=bad. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.
Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, code looking for partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer.
This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger.
On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.
Applications using Werkzeug to parse multipart/form-data requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the Request.max_form_memory_size setting.
The Request.max_content_length setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.
Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.
Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as CON.txt, or trailing spaces such as CON .
This was previously reported as GHSA-hgf8-39gv-g3f2, but the fix failed to account for compound extensions such as CON.txt.html or trailing spaces. It also missed some additional special names.
send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.
Werkzeug's safe_join function allows Windows device names as filenames if when preceded by other path segments.
This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that safe_join accepts paths with multiple segments, such as example/NUL.
send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.
safe_join on Windows does not allow more special device names, regardless
of extension or surrounding spaces. :ghsa:87hc-h4r5-73f7
The multipart form parser handles a \r\n sequence at a chunk boundary.
This fixes the previous attempt, which caused incorrect content lengths.
:issue:3065 :issue:3077
Fix AttributeError when initializing DebuggedApplication with pin_security=False. :issue:3075
safe_join on Windows does not allow special device names. This prevents
reading from these when using send_from_directory. secure_filename
already prevented writing to these. :ghsa:hgf8-39gv-g3f2
The debugger pin fails after 10 attempts instead of 11. :pr:3020
The multipart form parser handles a \r\n sequence at a chunk boundary.
:issue:3065
Improve CPU usage during Watchdog reloader. :issue:3054
Request.json annotation is more accurate. :issue:3067
Traceback rendering handles when the line number is beyond the available
source lines. :issue:3044
HTTPException.get_response annotation and doc better conveys the
distinction between WSGI and sans-IO responses. :issue:3056
Initial data passed to MultiDict and similar interfaces only accepts list, tuple, or set when passing multiple values. It had been
changed to accept any Collection, but this matched types that should be
treated as single values, such as bytes. :issue:2994
When the Host header is not set and Request.host falls back to the
WSGI SERVER_NAME value, if that value is an IPv6 address it is wrapped
in [] to match the Host header. :issue:2993
Request.max_form_memory_size defaults to 500kB instead of unlimited.
Non-file form fields over this size will cause a RequestEntityTooLarge
error. :issue:2964
OrderedMultiDict and ImmutableOrderedMultiDict are deprecated.
Use MultiDict and ImmutableMultiDict instead. :issue:2968
Behavior of properties on request.cache_control and response.cache_control has been significantly adjusted.
Dict values are always str | None. Setting properties will convert
the value to a string. Setting a property to False is equivalent to
setting it to None. Getting typed properties will return None if
conversion raises ValueError, rather than the string. :issue:2980
max_age is None if present without a value, rather than -1.
:issue:2980
no_cache is a boolean for requests, it is True instead of "*" when present. It remains a string for responses. :issue:2980
max_stale is True if present without a value, rather
than "*". :issue:2980
no_transform is a boolean. Previously it was mistakenly always None. :issue:2881
min_fresh is None if present without a value, rather than "*". :issue:2881
private is True if present without a value, rather than "*".
:issue:2980
Added the must_understand property. :issue:2881
Added the stale_while_revalidate, and stale_if_error
properties. :issue:2948
Type annotations more accurately reflect the values. :issue:2881
Support Cookie CHIPS (Partitioned Cookies). :issue:2797
Restore behavior where parsing multipart/x-www-form-urlencoded data with
invalid UTF-8 bytes in the body results in no form data parsed rather than a
413 error. :issue:2930
Improve parse_options_header performance when parsing unterminated
quoted string values. :issue:2904
Debugger pin auth is synchronized across threads/processes when tracking
failed entries. :issue:2916
Dev server handles unexpected SSLEOFError due to issue in Python < 3.13.
:issue:2926
Debugger pin auth works when the URL already contains a query string.
:issue:2918
Only allow localhost, .localhost, 127.0.0.1, or the specified
hostname when running the dev server, to make debugger requests. Additional
hosts can be added by using the debugger middleware directly. The debugger
UI makes requests using the full URL rather than only the path.
:ghsa:2g68-c3qc-8985
Make reloader more robust when "" is in sys.path. :pr:2823
Better TLS cert format with adhoc dev certs. :pr:2891
Inform Python < 3.12 how to handle itms-services URIs correctly, rather
than using an overly-broad workaround in Werkzeug that caused some redirect
URIs to be passed on without encoding. :issue:2828
Type annotation for Rule.endpoint and other uses of endpoint is Any. :issue:2836
Make reloader more robust when "" is in sys.path. :pr:2823
Deprecate the __version__ attribute. Use feature detection, or importlib.metadata.version("werkzeug"), instead. :issue:2770
generate_password_hash uses scrypt by default. :issue:2769
Add the "werkzeug.profiler" item to the WSGI environ dictionary
passed to ProfilerMiddleware's filename_format function. It contains
the elapsed and time values for the profiled request. :issue:2775
Explicitly marked the PathConverter as non path isolating. :pr:2784
Fix handling of invalid base64 values in Authorization.from_header. :issue:2717
The debugger escapes the exception message in the page title. :pr:2719
When binding routing.Map, a long IDNA server_name with a port does not fail
encoding. :issue:2700
iri_to_uri shows a deprecation warning instead of an error when passing bytes.
:issue:2708
When parsing numbers in HTTP request headers such as Content-Length, only ASCII
digits are accepted rather than any format that Python's int and float
accept. :issue:2716
Passing bytes where strings are expected is deprecated, as well as the charset
and errors parameters in many places. Anywhere that was annotated, documented,
or tested to accept bytes shows a warning. Removing this artifact of the transition
from Python 2 to 3 removes a significant amount of overhead in instance checks and
encoding cycles. In general, always work with UTF-8, the modern HTML, URL, and HTTP
standards all strongly recommend this. :issue:2602
Deprecate the werkzeug.urls module, except for the uri_to_iri and iri_to_uri functions. Use the urllib.parse library instead. :issue:2600
Update which characters are considered safe when using percent encoding in URLs,
based on the WhatWG URL Standard. :issue:2601
Update which characters are considered safe when using percent encoding for Unicode
filenames in downloads. :issue:2598
Deprecate the safe_conversion parameter of iri_to_uri. The Location
header is converted to IRI using the same process as everywhere else. :issue:2609
Deprecate werkzeug.wsgi.make_line_iter and make_chunk_iter. :pr:2613
Use modern packaging metadata with pyproject.toml instead of setup.cfg.
:pr:2574
Request.get_json() will raise a 415 Unsupported Media Type error if the Content-Type header is not application/json, instead of a generic 400.
:issue:2550
A URL converter's part_isolating defaults to False if its regex contains
a /. :issue:2582
A custom converter's regex can have capturing groups without breaking the router.
:pr:2596
The reloader can pick up arguments to python like -X dev, and does not
require heuristics to determine how to reload the command. Only available
on Python >= 3.10. :issue:2589
The Watchdog reloader ignores file opened events. Bump the minimum version of
Watchdog to 2.3.0. :issue:2603
When using a Unix socket for the development server, the path can start with a dot.
:issue:2595
Increase default work factor for PBKDF2 to 600,000 iterations. :issue:2611
parse_options_header is 2-3 times faster. It conforms to :rfc:9110, some
invalid parts that were previously accepted are now ignored. :issue:1628
The is_filename parameter to unquote_header_value is deprecated. :pr:2614
Deprecate the extra_chars parameter and passing bytes to quote_header_value,
the allow_token parameter to dump_header, and the cls parameter and
passing bytes to parse_dict_header. :pr:2618
Improve parse_accept_header implementation. Parse according to :rfc:9110.
Discard items with invalid q values. :issue:1623
quote_header_value quotes the empty string. :pr:2618
dump_options_header skips None values rather than using a bare key.
:pr:2618
dump_header and dump_options_header will not quote a value if the key ends
with an asterisk *.
parse_dict_header will decode values with charsets. :pr:2618
Refactor the Authorization and WWWAuthenticate header data structures.
:issue:1769, :pr:2619
Both classes have type, parameters, and token attributes. The token attribute supports auth schemes that use a single opaque token rather
than key=value parameters, such as Bearer.
Neither class is a dict anymore, although they still implement getting,
setting, and deleting auth[key] and auth.key syntax, as well as auth.get(key) and key in auth.
Both classes have a from_header class method. parse_authorization_header
and parse_www_authenticate_header are deprecated.
The methods WWWAuthenticate.set_basic and set_digest are deprecated.
Instead, an instance should be created and assigned to response.www_authenticate.
A list of instances can be assigned to response.www_authenticate to set
multiple header values. However, accessing the property only returns the first
instance.
Refactor parse_cookie and dump_cookie. :pr:2637
parse_cookie is up to 40% faster, dump_cookie is up to 60% faster.
Passing bytes to parse_cookie and dump_cookie is deprecated. The dump_cookiecharset parameter is deprecated.
dump_cookie allows domain values that do not include a dot ., and
strips off a leading dot.
dump_cookie does not set path="/" unnecessarily by default.
Refactor the test client cookie implementation. :issue:1060, 1680
The cookie_jar attribute is deprecated. http.cookiejar is no longer used
for storage.
Domain and path matching is used when sending cookies in requests. The domain and path parameters default to localhost and /.
Added a get_cookie method to inspect cookies.
Cookies have decoded_key and decoded_value attributes to match what the
app sees rather than the encoded values a client would see.
The first positional server_name parameter to set_cookie and delete_cookie is deprecated. Use the domain parameter instead.
Other parameters to delete_cookie besides domain, path, and value are deprecated.
If request.max_content_length is set, it is checked immediately when accessing
the stream, and while reading from the stream in general, rather than only during
form parsing. :issue:1513
The development server, which must not be used in production, will exhaust the
request stream up to 10GB or 1000 reads. This allows clients to see a 413 error if max_content_length is exceeded, instead of a "connection reset" failure.
:pr:2620
The development server discards header keys that contain underscores _, as they
are ambiguous with dashes - in WSGI. :pr:2622
secure_filename looks for more Windows reserved file names. :pr:2623
Update type annotation for best_match to make default parameter clearer.
:issue:2625
The Mapcharset parameter and Request.url_charset property are
deprecated. Percent encoding in URLs must always represent UTF-8 bytes. Invalid
bytes are left percent encoded rather than replaced. :issue:2602
The Request.charset, Request.encoding_errors, Response.charset, and Client.charset attributes are deprecated. Request and response data must always
use UTF-8. :issue:2602
Header values that have charset information only allow ASCII, UTF-8, and ISO-8859-1.
:pr:2614, 2641
Update type annotation for ProfilerMiddlewarestream parameter.
:issue:2642
Use postponed evaluation of annotations. :pr:2644
The development server escapes ASCII control characters in decoded URLs before
logging the request to the terminal. :pr:2652
The FormDataParserparse_functions attribute and get_parse_func method,
and the invalid application/x-url-encoded content type, are deprecated.
:pr:2653
generate_password_hash supports scrypt. Plain hash methods are deprecated, only
scrypt and pbkdf2 are supported. :issue:2654
Ensure that URL rules using path converters will redirect with strict slashes when
the trailing slash is missing. :issue:2533
Type signature for get_json specifies that return type is not optional when silent=False. :issue:2508
parse_content_range_header returns None for a value like bytes */-1
where the length is invalid, instead of raising an AssertionError. :issue:2531
Address remaining ResourceWarning related to the socket used by run_simple.
Remove prepare_socket, which now happens when creating the server. :issue:2421
Update pre-existing headers for multipart/form-data requests with the test
client. :issue:2549
Fix handling of header extended parameters such that they are no longer quoted.
:issue:2529
LimitedStream.read works correctly when wrapping a stream that may not return
the requested size in one read call. :issue:2558
A cookie header that starts with = is treated as an empty key and discarded,
rather than stripping the leading ==.
Specify a maximum number of multipart parts, default 1000, after which a RequestEntityTooLarge exception is raised on parsing. This mitigates a DoS
attack where a larger number of form/file parts would result in disproportionate
resource use.
Fix router to restore the 2.1 strict_slashes == False behaviour
whereby leaf-requests match branch rules and vice
versa. :pr:2489
Fix router to identify invalid rules rather than hang parsing them,
and to correctly parse / within converter arguments. :pr:2489
Update subpackage imports in :mod:werkzeug.routing to use the import as syntax for explicitly re-exporting public attributes.
:pr:2493
Parsing of some invalid header characters is more robust. :pr:2494
When starting the development server, a warning not to use it in a
production deployment is always shown. :issue:2480
LocalProxy.__wrapped__ is always set to the wrapped object when
the proxy is unbound, fixing an issue in doctest that would cause it
to fail. :issue:2485
Address one ResourceWarning related to the socket used by run_simple. :issue:2421
Deprecated get_script_name, get_query_string, peek_path_info, pop_path_info, and extract_path_info. :pr:2461
Remove previously deprecated code. :pr:2461
Add MarkupSafe as a dependency and use it to escape values when
rendering HTML. :issue:2419
Added the werkzeug.debug.preserve_context mechanism for
restoring context-local data for a request when running code in the
debug console. :pr:2439
Fix compatibility with Python 3.11 by ensuring that end_lineno
and end_col_offset are present on AST nodes. :issue:2425
Add a new faster URL matching router based on a state machine. If a custom converter
needs to match a / it must set the class variable part_isolating = False.
:pr:2433
Fix branch leaf path masking branch paths when strict-slashes is
disabled. :issue:1074
Names within options headers are always converted to lowercase. This
matches :rfc:6266 that the case is not relevant. :issue:2442
AnyConverter validates the value passed for it when building
URLs. :issue:2388
The debugger shows enhanced error locations in tracebacks in Python
3.11. :issue:2407
Added Sans-IO is_resource_modified and parse_cookie functions
based on WSGI versions. :issue:2408
Using gevent or eventlet requires greenlet>=1.0 or PyPy>=7.3.7. werkzeug.locals and contextvars will not work correctly with
older versions. :pr:2278
Remove previously deprecated code. :pr:2276
Remove the non-standard shutdown function from the WSGI
environ when running the development server. See the docs for
alternatives.
Request and response mixins have all been merged into the Request and Response classes.
The user agent parser and the useragents module is removed.
The user_agent module provides an interface that can be
subclassed to add a parser, such as ua-parser. By default it
only stores the whole string.
The test client returns TestResponse instances and can no
longer be treated as a tuple. All data is available as
properties on the response.
Remove locals.get_ident and related thread-local code from locals, it no longer makes sense when moving to a
contextvars-based implementation.
Remove the python -m werkzeug.serving CLI.
The has_key method on some mapping datastructures; use key in data instead.
Request.disable_data_descriptor is removed, pass shallow=True instead.
Remove the no_etag parameter from Response.freeze().
Remove the HTTPException.wrap class method.
Remove the cookie_date function. Use http_date instead.
Remove the pbkdf2_hex, pbkdf2_bin, and safe_str_cmp
functions. Use equivalents in hashlib and hmac modules
instead.
Remove the Href class.
Remove the HTMLBuilder class.
Remove the invalidate_cached_property function. Use del obj.attr instead.
Remove bind_arguments and validate_arguments. Use
:meth:Signature.bind and :func:inspect.signature instead.
Remove detect_utf_encoding, it's built-in to json.loads.
Remove format_string, use :class:string.Template instead.
Remove escape and unescape. Use MarkupSafe instead.
The multiple parameter of parse_options_header is
deprecated. :pr:2357
Rely on :pep:538 and :pep:540 to handle decoding file names
with the correct filesystem encoding. The filesystem module is
removed. :issue:1760
Default values passed to Headers are validated the same way
values added later are. :issue:1608
Setting CacheControl int properties, such as max_age, will
convert the value to an int. :issue:2230
Always use socket.fromfd when restarting the dev server.
:pr:2287
When passing a dict of URL values to Map.build, list values do
not filter out None or collapse to a single value. Passing a MultiDict does collapse single items. This undoes a previous
change that made it difficult to pass a list, or None values in
a list, to custom URL converters. :issue:2249
run_simple shows instructions for dealing with "address already
in use" errors, including extra instructions for macOS. :pr:2321
Extend list of characters considered always safe in URLs based on
:rfc:3986. :issue:2319
Optimize the stat reloader to avoid watching unnecessary files in
more cases. The watchdog reloader is still recommended for
performance and accuracy. :issue:2141
The development server uses Transfer-Encoding: chunked for
streaming responses when it is configured for HTTP/1.1.
:issue:2090, 1327, :pr:2091
The development server uses HTTP/1.1, which enables keep-alive
connections and chunked streaming responses, when threaded or processes is enabled. :pr:2323
cached_property works for classes with __slots__ if a
corresponding _cache_{name} slot is added. :pr:2332
Refactor the debugger traceback formatter to use Python's built-in traceback module as much as possible. :issue:1753
The TestResponse.text property is a shortcut for r.get_data(as_text=True), for convenient testing against text
instead of bytes. :pr:2337
safe_join ensures that the path remains relative if the trusted
directory is the empty string. :pr:2349
Percent-encoded newlines (%0a), which are decoded by WSGI
servers, are considered when routing instead of terminating the
match early. :pr:2350
The test client doesn't set duplicate headers for CONTENT_LENGTH
and CONTENT_TYPE. :pr:2348
append_slash_redirect handles PATH_INFO with internal
slashes. :issue:1972, :pr:2338
The default status code for append_slash_redirect is 308 instead
of 301. This preserves the request body, and matches a previous
change to strict_slashes in routing. :issue:2351
Fix ValueError: I/O operation on closed file. with the test
client when following more than one redirect. :issue:2353
Response.autocorrect_location_header is disabled by default.
The Location header URL will remain relative, and exclude the
scheme and domain, by default. :issue:2352
Request.get_json() will raise a 400 BadRequest error if the Content-Type header is not application/json. This makes a
very common source of confusion more visible. :issue:2339
Type annotation for Response.make_conditional, HTTPException.get_response, and Map.bind_to_environ accepts Request in addition to WSGIEnvironment for the first
parameter. :pr:2290
Fix type annotation for Request.user_agent_class. :issue:2273
Accessing LocalProxy.__class__ and __doc__ on an unbound
proxy returns the fallback value instead of a method object.
:issue:2188
Redirects with the test client set RAW_URI and REQUEST_URI
correctly. :issue:2151
Deprecate :func:utils.format_string, use :class:string.Template
instead. :issue:1756
Deprecate :func:utils.bind_arguments and
:func:utils.validate_arguments, use :meth:Signature.bind and
:func:inspect.signature instead. :issue:1757
Deprecate :class:utils.HTMLBuilder. :issue:1761
Deprecate :func:utils.escape and :func:utils.unescape, use
MarkupSafe instead. :issue:1758
Deprecate the undocumented python -m werkzeug.serving CLI.
:issue:1834
Deprecate the environ["werkzeug.server.shutdown"] function
that is available when running the development server. :issue:1752
Deprecate the useragents module and the built-in user agent
parser. Use a dedicated parser library instead by subclassing user_agent.UserAgent and setting Request.user_agent_class.
:issue:2078
Remove the unused, internal posixemulation module. :issue:1759
All datetime values are timezone-aware with tzinfo=timezone.utc. This applies to anything using http.parse_date: Request.date, .if_modified_since, .if_unmodified_since; Response.date, .expires, .last_modified, .retry_after; parse_if_range_header, and IfRange.date. When comparing values, the other values must also
be aware, or these values must be made naive. When passing
parameters or setting attributes, naive values are still assumed to
be in UTC. :pr:2040
Merge all request and response wrapper mixin code into single Request and Response classes. Using the mixin classes is no
longer necessary and will show a deprecation warning. Checking isinstance or issubclass against BaseRequest and BaseResponse will show a deprecation warning and check against Request or Response instead. :issue:1963
JSON support no longer uses simplejson if it's installed. To use
another JSON module, override Request.json_module and Response.json_module. :pr:1766
Response.get_json() no longer caches the result, and the cache parameter is removed. :issue:1698
Response.freeze() generates an ETag header if one is not
set. The no_etag parameter (which usually wasn't visible
anyway) is no longer used. :issue:1963
Add a url_scheme argument to :meth:~routing.MapAdapter.build
to override the bound scheme. :pr:1721
Passing an empty list as a query string parameter to build()
won't append an unnecessary ?. Also drop any number of None
items in a list. :issue:1992
When passing a Headers object to a test client method or EnvironBuilder, multiple values for a key are joined into one
comma separated value. This matches the HTTP spec on multi-value
headers. :issue:1655
Setting Response.status and status_code uses identical
parsing and error checking. :issue:1658, :pr:1728
MethodNotAllowed and RequestedRangeNotSatisfiable take a response kwarg, consistent with other HTTP errors. :pr:1748
The response generated by :exc:~exceptions.Unauthorized produces
one WWW-Authenticate header per value in www_authenticate,
rather than joining them into a single value, to improve
interoperability with browsers and other clients. :pr:1755
If parse_authorization_header can't decode the header value, it
returns None instead of raising a UnicodeDecodeError.
:issue:1816
The debugger no longer uses jQuery. :issue:1807
The test client includes the query string in REQUEST_URI and RAW_URI. :issue:1781
Switch the parameter order of default_stream_factory to match
the order used when calling it. :pr:1085
Add send_file function to generate a response that serves a
file. Adapted from Flask's implementation. :issue:265, :pr:1850
Add send_from_directory function to safely serve an untrusted
path within a trusted directory. Adapted from Flask's
implementation. :issue:1880
send_file takes download_name, which is passed even if as_attachment=False by using Content-Disposition: inline. download_name replaces Flask's attachment_filename.
:issue:1869
send_file sets conditional=True and max_age=None by
default. Cache-Control is set to no-cache if max_age is
not set, otherwise public. This tells browsers to validate
conditional requests instead of using a timed cache. max_age=None replaces Flask's cache_timeout=43200.
:issue:1882
send_file can be called with etag="string" to set a custom
ETag instead of generating one. etag replaces Flask's add_etags. :issue:1868
send_file sets the Content-Encoding header if an encoding is
returned when guessing mimetype from download_name.
:pr:3896
Update the defaults used by generate_password_hash. Increase
PBKDF2 iterations to 260000 from 150000. Increase salt length to 16
from 8. Use secrets module to generate salt. :pr:1935
The reloader doesn't crash if sys.stdin is somehow None.
:pr:1915
Add arguments to delete_cookie to match set_cookie and the
attributes modern browsers expect. :pr:1889
utils.cookie_date is deprecated, use utils.http_date
instead. The value for Set-Cookie expires is no longer "-"
delimited. :pr:2040
Use request.headers instead of request.environ to look up
header attributes. :pr:1808
The test Client request methods (client.get, etc.) always
return an instance of TestResponse. In addition to the normal
behavior of Response, this class provides request with the
request that produced the response, and history to track
intermediate responses when follow_redirects is used.
:issue:763, 1894
The test Client request methods takes an auth parameter to
add an Authorization header. It can be an Authorization
object or a (username, password) tuple for Basic auth.
:pr:1809
Calling response.close() on a response from the test Client
will close the request input stream. This matches file behavior
and can prevent a ResourceWarning in some cases. :issue:1785
EnvironBuilder.from_environ decodes values encoded for WSGI, to
avoid double encoding the new values. :pr:1959
The default stat reloader will watch Python files under
non-system/virtualenv sys.path entries, which should contain
most user code. It will also watch all Python files under
directories given in extra_files. :pr:1945
The reloader ignores __pycache__ directories again. :pr:1945
run_simple takes exclude_patterns a list of fnmatch
patterns that will not be scanned by the reloader. :issue:1333
Cookie names are no longer unquoted. This was against :rfc:6265
and potentially allowed setting __Secure prefixed cookies.
:pr:1965
Fix some word matches for user agent platform when the word can be a
substring. :issue:1923
The development server logs ignored SSL errors. :pr:1967
Temporary files for form data are opened in rb+ instead of wb+ mode for better compatibility with some libraries.
:issue:1961
Use SHA-1 instead of MD5 for generating ETags and the debugger pin,
and in some tests. MD5 is not available in some environments, such
as FIPS 140. This may invalidate some caches since the ETag will be
different. :issue:1897
Add Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy response header properties.
:pr:2008
run_simple tries to show a valid IP address when binding to all
addresses, instead of 0.0.0.0 or ::. It also warns about not
running the development server in production in this case.
:issue:1964
Colors in the development server log are displayed if Colorama is
installed on Windows. For all platforms, style support no longer
requires Click. :issue:1832
A range request for an empty file (or other data with length 0) will
return a 200 response with the empty file instead of a 416 error.
:issue:1937
New sans-IO base classes for Request and Response have been
extracted to contain all the behavior that is not WSGI or IO
dependent. These are not a public API, they are part of an ongoing
refactor to let ASGI frameworks use Werkzeug. :pr:2005
Parsing multipart/form-data has been refactored to use sans-io
patterns. This should also make parsing forms with large binary file
uploads significantly faster. :issue:1788, 875
LocalProxy matches the current Python data model special
methods, including all r-ops, in-place ops, and async. __class__
is proxied, so the proxy will look like the object in more cases,
including isinstance. Use issubclass(type(obj), LocalProxy)
to check if an object is actually a proxy. :issue:1754
Local uses ContextVar on Python 3.7+ instead of threading.local. :pr:1778
request.values does not include form for GET requests (even
though GET bodies are undefined). This prevents bad caching proxies
from caching form data instead of query strings. :pr:2037
The development server adds the underlying socket to environ as werkzeug.socket. This is non-standard and specific to the dev
server, other servers may expose this under their own key. It is
useful for handling a WebSocket upgrade request. :issue:2052
URL matching assumes websocket=True mode for WebSocket upgrade
requests. :issue:2052
Updated UserAgentParser to handle more cases. :issue:1971
werzeug.DechunkedInput.readinto will not read beyond the size of
the buffer. :issue:2021
Fix connection reset when exceeding max content size. :pr:2051
pbkdf2_hex, pbkdf2_bin, and safe_str_cmp are deprecated. hashlib and hmac provide equivalents. :pr:2083
invalidate_cached_property is deprecated. Use del obj.name
instead. :pr:2084
Href is deprecated. Use werkzeug.routing instead.
:pr:2085
Request.disable_data_descriptor is deprecated. Create the
request with shallow=True instead. :pr:2085
HTTPException.wrap is deprecated. Create a subclass manually
instead. :pr:2085
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
If you want to rebase/retry this PR, check this box
Seems you are using me but didn't get OPENAI_API_KEY seted in Variables/Secrets for this repo. you could follow readme for more information
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
This PR contains the following updates:
==1.0.1→==3.1.6GitHub Vulnerability Alerts
CVE-2023-25577
Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses
request.data,request.form,request.files, orrequest.get_data(parse_form_data=False), it can cause unexpectedly high resource usage.This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
CVE-2023-23934
Browsers may allow "nameless" cookies that look like
=valueinstead ofkey=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like=__Host-test=badfor another subdomain.Werkzeug <= 2.2.2 will parse the cookie
=__Host-test=badas__Host-test=bad. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.CVE-2023-46136
Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, code looking for partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer.
This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
CVE-2024-34069
The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger.
CVE-2024-49766
On Python < 3.11 on Windows,
os.path.isabs()does not catch UNC paths like//server/share. Werkzeug'ssafe_join()relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.CVE-2024-49767
Applications using Werkzeug to parse
multipart/form-datarequests are vulnerable to resource exhaustion. A specially crafted form body can bypass theRequest.max_form_memory_sizesetting.The
Request.max_content_lengthsetting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.CVE-2025-66221
Werkzeug's
safe_joinfunction allows path segments with Windows device names. On Windows, there are special device names such asCON,AUX, etc that are implicitly present and readable in every directory.send_from_directoryusessafe_jointo safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.CVE-2026-21860
Werkzeug's
safe_joinfunction allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such asCON,AUX, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such asCON.txt, or trailing spaces such asCON.This was previously reported as GHSA-hgf8-39gv-g3f2, but the fix failed to account for compound extensions such as
CON.txt.htmlor trailing spaces. It also missed some additional special names.send_from_directoryusessafe_jointo safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.CVE-2026-27199
Werkzeug's
safe_joinfunction allows Windows device names as filenames if when preceded by other path segments.This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that
safe_joinaccepts paths with multiple segments, such asexample/NUL.send_from_directoryusessafe_jointo safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.Release Notes
pallets/werkzeug (Werkzeug)
v3.1.6Compare Source
Released 2026-02-19
safe_joinon Windows does not allow special devices names inmulti-segment paths. :ghsa:
29vq-49wr-vm6xv3.1.5Compare Source
Released 2026-01-08
safe_joinon Windows does not allow more special device names, regardlessof extension or surrounding spaces. :ghsa:
87hc-h4r5-73f7\r\nsequence at a chunk boundary.This fixes the previous attempt, which caused incorrect content lengths.
:issue:
3065:issue:3077AttributeErrorwhen initializingDebuggedApplicationwithpin_security=False. :issue:3075v3.1.4Compare Source
Released 2025-11-28
safe_joinon Windows does not allow special device names. This preventsreading from these when using
send_from_directory.secure_filenamealready prevented writing to these. :ghsa:
hgf8-39gv-g3f23020\r\nsequence at a chunk boundary.:issue:
30653054Request.jsonannotation is more accurate. :issue:3067source lines. :issue:
3044HTTPException.get_responseannotation and doc better conveys thedistinction between WSGI and sans-IO responses. :issue:
3056v3.1.3Compare Source
Released 2024-11-08
MultiDictand similar interfaces only acceptslist,tuple, orsetwhen passing multiple values. It had beenchanged to accept any
Collection, but this matched types that should betreated as single values, such as
bytes. :issue:2994Hostheader is not set andRequest.hostfalls back to theWSGI
SERVER_NAMEvalue, if that value is an IPv6 address it is wrappedin
[]to match theHostheader. :issue:2993v3.1.2Compare Source
Released 2024-11-04
TypeConversionDict.getto allow thetypeparameter to be a callable. :issue:
2988Headersdoes not inherit fromMutableMapping, as it is does notexactly match that interface. :issue:
2989v3.1.1Compare Source
Released 2024-11-01
str(Request.headers)to always appear empty.:issue:
2985v3.1.0Compare Source
Released 2024-10-31
Drop support for Python 3.8. :pr:
2966Remove previously deprecated code. :pr:
2967Request.max_form_memory_sizedefaults to 500kB instead of unlimited.Non-file form fields over this size will cause a
RequestEntityTooLargeerror. :issue:
2964OrderedMultiDictandImmutableOrderedMultiDictare deprecated.Use
MultiDictandImmutableMultiDictinstead. :issue:2968Behavior of properties on
request.cache_controlandresponse.cache_controlhas been significantly adjusted.str | None. Setting properties will convertthe value to a string. Setting a property to
Falseis equivalent tosetting it to
None. Getting typed properties will returnNoneifconversion raises
ValueError, rather than the string. :issue:2980max_ageisNoneif present without a value, rather than-1.:issue:
2980no_cacheis a boolean for requests, it isTrueinstead of"*"when present. It remains a string for responses. :issue:2980max_staleisTrueif present without a value, ratherthan
"*". :issue:2980no_transformis a boolean. Previously it was mistakenly alwaysNone. :issue:2881min_freshisNoneif present without a value, rather than"*". :issue:2881privateisTrueif present without a value, rather than"*".:issue:
2980must_understandproperty. :issue:2881stale_while_revalidate, andstale_if_errorproperties. :issue:
29482881Support Cookie CHIPS (Partitioned Cookies). :issue:
2797Add 421
MisdirectedRequestHTTP exception. :issue:2850Increase default work factor for PBKDF2 to 1,000,000 iterations.
:issue:
2969Inline annotations for
datastructures, removing stub files.:issue:
2970MultiDict.getlistcatchesTypeErrorin addition toValueErrorwhen doing type conversion. :issue:
2976Implement
|and|=operators forMultiDict,Headers, andCallbackDict, and disallow|=on immutable types. :issue:2977v3.0.6Compare Source
Released 2024-10-25
max_form_memory_sizeis applied when parsing large non-filefields. :ghsa:
q34m-jh98-gwm2safe_joincatches certain paths on Windows that were not caught byntpath.isabson Python < 3.11. :ghsa:f9vj-2wh5-fj8jv3.0.5Compare Source
Released 2024-10-24
294529522955SharedDataMiddleware. :issue:2958UID does not have an associated name. :issue:
2957v3.0.4Compare Source
Released 2024-08-21
multipart/x-www-form-urlencodeddata withinvalid UTF-8 bytes in the body results in no form data parsed rather than a
413 error. :issue:
2930parse_options_headerperformance when parsing unterminatedquoted string values. :issue:
2904failed entries. :issue:
2916SSLEOFErrordue to issue in Python < 3.13.:issue:
2926:issue:
2918v3.0.3Compare Source
Released 2024-05-05
localhost,.localhost,127.0.0.1, or the specifiedhostname when running the dev server, to make debugger requests. Additional
hosts can be added by using the debugger middleware directly. The debugger
UI makes requests using the full URL rather than only the path.
:ghsa:
2g68-c3qc-8985""is insys.path. :pr:2823adhocdev certs. :pr:2891itms-servicesURIs correctly, ratherthan using an overly-broad workaround in Werkzeug that caused some redirect
URIs to be passed on without encoding. :issue:
2828Rule.endpointand other uses ofendpointisAny. :issue:2836""is insys.path. :pr:2823v3.0.2Compare Source
Released 2024-04-01
merge_slashestoFalseresults inNotFoundforrepeated-slash requests against single slash routes. :issue:
2834TypeErrorinTypeConversionDict.get()to matchValueError. :issue:2843response_wrappertype check in test client. :issue:2831MultiPartParser.parsemore precise.:issue:
28402822v3.0.1Compare Source
Released 2023-10-24
v3.0.0Compare Source
Released 2023-09-30
2768__version__attribute. Use feature detection, orimportlib.metadata.version("werkzeug"), instead. :issue:2770generate_password_hashuses scrypt by default. :issue:2769"werkzeug.profiler"item to the WSGIenvirondictionarypassed to
ProfilerMiddleware'sfilename_formatfunction. It containsthe
elapsedandtimevalues for the profiled request. :issue:27752784v2.3.8Compare Source
Released 2023-11-08
attacks.
v2.3.7Compare Source
Released 2023-08-14
flit_coreinstead ofsetuptoolsas build backend.27342761273427402750Acceptqvalue can be a float without a decimal part. :issue:2751v2.3.6Compare Source
Released 2023-06-08
FileStorage.content_lengthdoes not fail if the form data did not provide avalue. :issue:
2726v2.3.5Compare Source
Released 2023-06-07
2704Authorization.from_header. :issue:27172719routing.Map, a long IDNAserver_namewith a port does not failencoding. :issue:
2700iri_to_urishows a deprecation warning instead of an error when passing bytes.:issue:
2708Content-Length, only ASCIIdigits are accepted rather than any format that Python's
intandfloataccept. :issue:
2716v2.3.4Compare Source
Released 2023-05-08
Authorization.from_headerandWWWAuthenticate.from_headerdetects tokensthat end with base64 padding (
=). :issue:2685warnings.catch_warnings. :issue:2690max_form_partsrestriction from standard form data parsing and only useif for multipart content. :pr:
2694Responsewill avoid converting theLocationheader in some cases to preserveinvalid URL schemes like
itms-services. :issue:2691v2.3.3Compare Source
Released 2023-05-01
parsing speed. :issue:
2658, 2675Pathattribute is set to/by default again, to prevent clientsfrom falling back to RFC 6265's
default-pathbehavior. :issue:2672, 2679v2.3.2Compare Source
Released 2023-04-28
Expiresattribute correctly in the test client. :issue:2669max_content_lengthcan only be enforced on streaming requests if the serversets
wsgi.input_terminated. :issue:2668v2.3.1Compare Source
Released 2023-04-27
26572659pyifiles fordatastructurestype annotations. :issue:2660AuthorizationandWWWAuthenticateobjects can be compared for equality.:issue:
2665v2.3.0Compare Source
Released 2023-04-25
Drop support for Python 3.7. :pr:
2648Remove previously deprecated code. :pr:
2592Passing bytes where strings are expected is deprecated, as well as the
charsetand
errorsparameters in many places. Anywhere that was annotated, documented,or tested to accept bytes shows a warning. Removing this artifact of the transition
from Python 2 to 3 removes a significant amount of overhead in instance checks and
encoding cycles. In general, always work with UTF-8, the modern HTML, URL, and HTTP
standards all strongly recommend this. :issue:
2602Deprecate the
werkzeug.urlsmodule, except for theuri_to_iriandiri_to_urifunctions. Use theurllib.parselibrary instead. :issue:2600Update which characters are considered safe when using percent encoding in URLs,
based on the WhatWG URL Standard. :issue:
2601Update which characters are considered safe when using percent encoding for Unicode
filenames in downloads. :issue:
2598Deprecate the
safe_conversionparameter ofiri_to_uri. TheLocationheader is converted to IRI using the same process as everywhere else. :issue:
2609Deprecate
werkzeug.wsgi.make_line_iterandmake_chunk_iter. :pr:2613Use modern packaging metadata with
pyproject.tomlinstead ofsetup.cfg.:pr:
2574Request.get_json()will raise a415 Unsupported Media Typeerror if theContent-Typeheader is notapplication/json, instead of a generic 400.:issue:
2550A URL converter's
part_isolatingdefaults toFalseif itsregexcontainsa
/. :issue:2582A custom converter's regex can have capturing groups without breaking the router.
:pr:
2596The reloader can pick up arguments to
pythonlike-X dev, and does notrequire heuristics to determine how to reload the command. Only available
on Python >= 3.10. :issue:
2589The Watchdog reloader ignores file opened events. Bump the minimum version of
Watchdog to 2.3.0. :issue:
2603When using a Unix socket for the development server, the path can start with a dot.
:issue:
2595Increase default work factor for PBKDF2 to 600,000 iterations. :issue:
2611parse_options_headeris 2-3 times faster. It conforms to :rfc:9110, someinvalid parts that were previously accepted are now ignored. :issue:
1628The
is_filenameparameter tounquote_header_valueis deprecated. :pr:2614Deprecate the
extra_charsparameter and passing bytes toquote_header_value,the
allow_tokenparameter todump_header, and theclsparameter andpassing bytes to
parse_dict_header. :pr:2618Improve
parse_accept_headerimplementation. Parse according to :rfc:9110.Discard items with invalid
qvalues. :issue:1623quote_header_valuequotes the empty string. :pr:2618dump_options_headerskipsNonevalues rather than using a bare key.:pr:
2618dump_headeranddump_options_headerwill not quote a value if the key endswith an asterisk
*.parse_dict_headerwill decode values with charsets. :pr:2618Refactor the
AuthorizationandWWWAuthenticateheader data structures.:issue:
1769, :pr:2619type,parameters, andtokenattributes. Thetokenattribute supports auth schemes that use a single opaque token ratherthan
key=valueparameters, such asBearer.dictanymore, although they still implement getting,setting, and deleting
auth[key]andauth.keysyntax, as well asauth.get(key)andkey in auth.from_headerclass method.parse_authorization_headerand
parse_www_authenticate_headerare deprecated.WWWAuthenticate.set_basicandset_digestare deprecated.Instead, an instance should be created and assigned to
response.www_authenticate.response.www_authenticateto setmultiple header values. However, accessing the property only returns the first
instance.
Refactor
parse_cookieanddump_cookie. :pr:2637parse_cookieis up to 40% faster,dump_cookieis up to 60% faster.parse_cookieanddump_cookieis deprecated. Thedump_cookiecharsetparameter is deprecated.dump_cookieallowsdomainvalues that do not include a dot., andstrips off a leading dot.
dump_cookiedoes not setpath="/"unnecessarily by default.Refactor the test client cookie implementation. :issue:
1060, 1680cookie_jarattribute is deprecated.http.cookiejaris no longer usedfor storage.
domainandpathparameters default tolocalhostand/.get_cookiemethod to inspect cookies.decoded_keyanddecoded_valueattributes to match what theapp sees rather than the encoded values a client would see.
server_nameparameter toset_cookieanddelete_cookieis deprecated. Use thedomainparameter instead.delete_cookiebesidesdomain,path, andvalueare deprecated.If
request.max_content_lengthis set, it is checked immediately when accessingthe stream, and while reading from the stream in general, rather than only during
form parsing. :issue:
1513The development server, which must not be used in production, will exhaust the
request stream up to 10GB or 1000 reads. This allows clients to see a 413 error if
max_content_lengthis exceeded, instead of a "connection reset" failure.:pr:
2620The development server discards header keys that contain underscores
_, as theyare ambiguous with dashes
-in WSGI. :pr:2622secure_filenamelooks for more Windows reserved file names. :pr:2623Update type annotation for
best_matchto makedefaultparameter clearer.:issue:
2625Multipart parser handles empty fields correctly. :issue:
2632The
Mapcharsetparameter andRequest.url_charsetproperty aredeprecated. Percent encoding in URLs must always represent UTF-8 bytes. Invalid
bytes are left percent encoded rather than replaced. :issue:
2602The
Request.charset,Request.encoding_errors,Response.charset, andClient.charsetattributes are deprecated. Request and response data must alwaysuse UTF-8. :issue:
2602Header values that have charset information only allow ASCII, UTF-8, and ISO-8859-1.
:pr:
2614, 2641Update type annotation for
ProfilerMiddlewarestreamparameter.:issue:
2642Use postponed evaluation of annotations. :pr:
2644The development server escapes ASCII control characters in decoded URLs before
logging the request to the terminal. :pr:
2652The
FormDataParserparse_functionsattribute andget_parse_funcmethod,and the invalid
application/x-url-encodedcontent type, are deprecated.:pr:
2653generate_password_hashsupports scrypt. Plain hash methods are deprecated, onlyscrypt and pbkdf2 are supported. :issue:
2654v2.2.3Compare Source
Released 2023-02-14
the trailing slash is missing. :issue:
2533get_jsonspecifies that return type is not optional whensilent=False. :issue:2508parse_content_range_headerreturnsNonefor a value likebytes */-1where the length is invalid, instead of raising an
AssertionError. :issue:2531ResourceWarningrelated to the socket used byrun_simple.Remove
prepare_socket, which now happens when creating the server. :issue:2421multipart/form-datarequests with the testclient. :issue:
2549:issue:
2529LimitedStream.readworks correctly when wrapping a stream that may not returnthe requested size in one
readcall. :issue:2558=is treated as an empty key and discarded,rather than stripping the leading
==.RequestEntityTooLargeexception is raised on parsing. This mitigates a DoSattack where a larger number of form/file parts would result in disproportionate
resource use.
v2.2.2Compare Source
Released 2022-08-08
strict_slashes == Falsebehaviourwhereby leaf-requests match branch rules and vice
versa. :pr:
2489and to correctly parse
/within converter arguments. :pr:2489werkzeug.routingto use theimport assyntax for explicitly re-exporting public attributes.:pr:
24932494production deployment is always shown. :issue:
2480LocalProxy.__wrapped__is always set to the wrapped object whenthe proxy is unbound, fixing an issue in doctest that would cause it
to fail. :issue:
2485ResourceWarningrelated to the socket used byrun_simple. :issue:2421v2.2.1Compare Source
Released 2022-07-27
/path/will match a rule/pathif strictslashes mode is disabled for the rule. :issue:
2467i.e.
/2dfdoes not match/<int>. :pr:2470before more complex ones. :issue:
2471ValidationErrorto be importable fromwerkzeug.routing. :issue:2465v2.2.0Compare Source
Released 2022-07-23
get_script_name,get_query_string,peek_path_info,pop_path_info, andextract_path_info. :pr:24612461rendering HTML. :issue:
2419werkzeug.debug.preserve_contextmechanism forrestoring context-local data for a request when running code in the
debug console. :pr:
2439end_linenoand
end_col_offsetare present on AST nodes. :issue:2425needs to match a
/it must set the class variablepart_isolating = False.:pr:
2433disabled. :issue:
1074matches :rfc:
6266that the case is not relevant. :issue:2442AnyConvertervalidates the value passed for it when buildingURLs. :issue:
23883.11. :issue:
2407is_resource_modifiedandparse_cookiefunctionsbased on WSGI versions. :issue:
2408get_content_lengthfunction. :pr:24152450FileStorageacceptsos.PathLike. :pr:2418v2.1.2Compare Source
Released 2022-04-28
Transfer-Encoding: chunkedfor 1xx, 204, 304, and HEAD responses. :issue:
2375<!doctype html>and<html lang=en>. :issue:2390cache_controlattributes toFalse.:issue:
2379keep-aliveconnections in the development server, whichare not supported sufficiently by Python's
http.server.:issue:
2397v2.1.1Compare Source
Released 2022-04-01
ResponseCacheControl.s_maxageconverts its value to an int, likemax_age. :issue:2364v2.1.0Compare Source
Released 2022-03-28
Drop support for Python 3.6. :pr:
2277Using gevent or eventlet requires greenlet>=1.0 or PyPy>=7.3.7.
werkzeug.localsandcontextvarswill not work correctly witholder versions. :pr:
2278Remove previously deprecated code. :pr:
2276shutdownfunction from the WSGIenviron when running the development server. See the docs for
alternatives.
RequestandResponseclasses.useragentsmodule is removed.The
user_agentmodule provides an interface that can besubclassed to add a parser, such as ua-parser. By default it
only stores the whole string.
TestResponseinstances and can nolonger be treated as a tuple. All data is available as
properties on the response.
locals.get_identand related thread-local code fromlocals, it no longer makes sense when moving to acontextvars-based implementation.
python -m werkzeug.servingCLI.has_keymethod on some mapping datastructures; usekey in datainstead.Request.disable_data_descriptoris removed, passshallow=Trueinstead.no_etagparameter fromResponse.freeze().HTTPException.wrapclass method.cookie_datefunction. Usehttp_dateinstead.pbkdf2_hex,pbkdf2_bin, andsafe_str_cmpfunctions. Use equivalents in
hashlibandhmacmodulesinstead.
Hrefclass.HTMLBuilderclass.invalidate_cached_propertyfunction. Usedel obj.attrinstead.bind_argumentsandvalidate_arguments. Use:meth:
Signature.bindand :func:inspect.signatureinstead.detect_utf_encoding, it's built-in tojson.loads.format_string, use :class:string.Templateinstead.escapeandunescape. Use MarkupSafe instead.The
multipleparameter ofparse_options_headerisdeprecated. :pr:
2357Rely on :pep:
538and :pep:540to handle decoding file nameswith the correct filesystem encoding. The
filesystemmodule isremoved. :issue:
1760Default values passed to
Headersare validated the same wayvalues added later are. :issue:
1608Setting
CacheControlint properties, such asmax_age, willconvert the value to an int. :issue:
2230Always use
socket.fromfdwhen restarting the dev server.:pr:
2287When passing a dict of URL values to
Map.build, list values donot filter out
Noneor collapse to a single value. Passing aMultiDictdoes collapse single items. This undoes a previouschange that made it difficult to pass a list, or
Nonevalues ina list, to custom URL converters. :issue:
2249run_simpleshows instructions for dealing with "address alreadyin use" errors, including extra instructions for macOS. :pr:
2321Extend list of characters considered always safe in URLs based on
:rfc:
3986. :issue:2319Optimize the stat reloader to avoid watching unnecessary files in
more cases. The watchdog reloader is still recommended for
performance and accuracy. :issue:
2141The development server uses
Transfer-Encoding: chunkedforstreaming responses when it is configured for HTTP/1.1.
:issue:
2090, 1327, :pr:2091The development server uses HTTP/1.1, which enables keep-alive
connections and chunked streaming responses, when
threadedorprocessesis enabled. :pr:2323cached_propertyworks for classes with__slots__if acorresponding
_cache_{name}slot is added. :pr:2332Refactor the debugger traceback formatter to use Python's built-in
tracebackmodule as much as possible. :issue:1753The
TestResponse.textproperty is a shortcut forr.get_data(as_text=True), for convenient testing against textinstead of bytes. :pr:
2337safe_joinensures that the path remains relative if the trusteddirectory is the empty string. :pr:
2349Percent-encoded newlines (
%0a), which are decoded by WSGIservers, are considered when routing instead of terminating the
match early. :pr:
2350The test client doesn't set duplicate headers for
CONTENT_LENGTHand
CONTENT_TYPE. :pr:2348append_slash_redirecthandlesPATH_INFOwith internalslashes. :issue:
1972, :pr:2338The default status code for
append_slash_redirectis 308 insteadof 301. This preserves the request body, and matches a previous
change to
strict_slashesin routing. :issue:2351Fix
ValueError: I/O operation on closed file.with the testclient when following more than one redirect. :issue:
2353Response.autocorrect_location_headeris disabled by default.The
Locationheader URL will remain relative, and exclude thescheme and domain, by default. :issue:
2352Request.get_json()will raise a 400BadRequesterror if theContent-Typeheader is notapplication/json. This makes avery common source of confusion more visible. :issue:
2339v2.0.3Compare Source
Released 2022-02-07
ProxyFixsupports IPv6 addresses. :issue:2262Response.make_conditional,HTTPException.get_response, andMap.bind_to_environacceptsRequestin addition toWSGIEnvironmentfor the firstparameter. :pr:
2290Request.user_agent_class. :issue:2273LocalProxy.__class__and__doc__on an unboundproxy returns the fallback value instead of a method object.
:issue:
2188RAW_URIandREQUEST_URIcorrectly. :issue:
2151v2.0.2Compare Source
Released 2021-10-05
Connectionheader when routingWebSocket requests. :issue:
21312150MultiDict.updateto accept iterablevalues :pr:
2142merge_slash=Truefor
Rule.match. :issue:2157CombinedMultiDict.to_dictwithflat=Falseconsiders allcomponent dicts when building value lists. :issue:
2189send_fileonly sets a detectedContent-Encodingifas_attachmentis disabled to avoid browsers savingdecompressed
.tar.gzfiles. :issue:2149TypeConversionDict.getto not return anOptionalvalue if bothdefaultandtypeare notNone. :issue:2169Iterable[RuleFactory]instead ofIterable[Rule]for therulesparameter. :issue:2183FileStorage.__getattr__:issue:
2155SameSiteset toStrictinstead of
Noneto be compatible with modern browser security.:issue:
2156IO[bytes]andIO[str]instead ofBinaryIOandTextIOfor wider type compatibility.:issue:
21302158greenlet versions. :pr:
2212CallbackDict, because it is notutilizing a bound TypeVar. :issue:
22352237not expand on click for very long tracebacks. :pr:
2239not have a traceback, such as from
ProcessPoolExecutor.:issue:
2217v2.0.1Compare Source
Released 2021-05-17
send_filemax_agecallable. Don'tpass
pathlib.Pathtomax_age. :issue:2119imports in user projects. :issue:
21222123cached_propertyis generic over its return type, propertiesdecorated with it report the correct type. :issue:
2113characters. :issue:
2125headers.getwith a stringdefault will always return a string. :issue:
2128HTTPException.descriptionis not a string,get_descriptionwill convert it to a string. :issue:2115v2.0.0Compare Source
Released 2021-05-11
1693utils.format_string, use :class:string.Templateinstead. :issue:
1756utils.bind_argumentsand:func:
utils.validate_arguments, use :meth:Signature.bindand:func:
inspect.signatureinstead. :issue:1757utils.HTMLBuilder. :issue:1761utils.escapeand :func:utils.unescape, useMarkupSafe instead. :issue:
1758python -m werkzeug.servingCLI.:issue:
1834environ["werkzeug.server.shutdown"]functionthat is available when running the development server. :issue:
1752useragentsmodule and the built-in user agentparser. Use a dedicated parser library instead by subclassing
user_agent.UserAgentand settingRequest.user_agent_class.:issue:
2078posixemulationmodule. :issue:1759datetimevalues are timezone-aware withtzinfo=timezone.utc. This applies to anything usinghttp.parse_date:Request.date,.if_modified_since,.if_unmodified_since;Response.date,.expires,.last_modified,.retry_after;parse_if_range_header, andIfRange.date. When comparing values, the other values must alsobe aware, or these values must be made naive. When passing
parameters or setting attributes, naive values are still assumed to
be in UTC. :pr:
2040RequestandResponseclasses. Using the mixin classes is nolonger necessary and will show a deprecation warning. Checking
isinstanceorissubclassagainstBaseRequestandBaseResponsewill show a deprecation warning and check againstRequestorResponseinstead. :issue:1963another JSON module, override
Request.json_moduleandResponse.json_module. :pr:1766Response.get_json()no longer caches the result, and thecacheparameter is removed. :issue:1698Response.freeze()generates anETagheader if one is notset. The
no_etagparameter (which usually wasn't visibleanyway) is no longer used. :issue:
1963url_schemeargument to :meth:~routing.MapAdapter.buildto override the bound scheme. :pr:
1721build()won't append an unnecessary
?. Also drop any number ofNoneitems in a list. :issue:
1992Headersobject to a test client method orEnvironBuilder, multiple values for a key are joined into onecomma separated value. This matches the HTTP spec on multi-value
headers. :issue:
1655Response.statusandstatus_codeuses identicalparsing and error checking. :issue:
1658, :pr:1728MethodNotAllowedandRequestedRangeNotSatisfiabletake aresponsekwarg, consistent with other HTTP errors. :pr:1748~exceptions.Unauthorizedproducesone
WWW-Authenticateheader per value inwww_authenticate,rather than joining them into a single value, to improve
interoperability with browsers and other clients. :pr:
1755parse_authorization_headercan't decode the header value, itreturns
Noneinstead of raising aUnicodeDecodeError.:issue:
18161807REQUEST_URIandRAW_URI. :issue:1781default_stream_factoryto matchthe order used when calling it. :pr:
1085send_filefunction to generate a response that serves afile. Adapted from Flask's implementation. :issue:
265, :pr:1850send_from_directoryfunction to safely serve an untrustedpath within a trusted directory. Adapted from Flask's
implementation. :issue:
1880send_filetakesdownload_name, which is passed even ifas_attachment=Falseby usingContent-Disposition: inline.download_namereplaces Flask'sattachment_filename.:issue:
1869send_filesetsconditional=Trueandmax_age=Nonebydefault.
Cache-Controlis set tono-cacheifmax_ageisnot set, otherwise
public. This tells browsers to validateconditional requests instead of using a timed cache.
max_age=Nonereplaces Flask'scache_timeout=43200.:issue:
1882send_filecan be called withetag="string"to set a customETag instead of generating one.
etagreplaces Flask'sadd_etags. :issue:1868send_filesets theContent-Encodingheader if an encoding isreturned when guessing
mimetypefromdownload_name.:pr:
3896generate_password_hash. IncreasePBKDF2 iterations to 260000 from 150000. Increase salt length to 16
from 8. Use
secretsmodule to generate salt. :pr:1935sys.stdinis somehowNone.:pr:
1915delete_cookieto matchset_cookieand theattributes modern browsers expect. :pr:
1889utils.cookie_dateis deprecated, useutils.http_dateinstead. The value for
Set-Cookie expiresis no longer "-"delimited. :pr:
2040request.headersinstead ofrequest.environto look upheader attributes. :pr:
1808Clientrequest methods (client.get, etc.) alwaysreturn an instance of
TestResponse. In addition to the normalbehavior of
Response, this class providesrequestwith therequest that produced the response, and
historyto trackintermediate responses when
follow_redirectsis used.:issue:
763, 1894Clientrequest methods takes anauthparameter toadd an
Authorizationheader. It can be anAuthorizationobject or a
(username, password)tuple forBasicauth.:pr:
1809response.close()on a response from the testClientwill close the request input stream. This matches file behavior
and can prevent a
ResourceWarningin some cases. :issue:1785EnvironBuilder.from_environdecodes values encoded for WSGI, toavoid double encoding the new values. :pr:
1959non-system/virtualenv
sys.pathentries, which should containmost user code. It will also watch all Python files under
directories given in
extra_files. :pr:1945__pycache__directories again. :pr:1945run_simpletakesexclude_patternsa list offnmatchpatterns that will not be scanned by the reloader. :issue:
13336265and potentially allowed setting
__Secureprefixed cookies.:pr:
1965substring. :issue:
19231967rb+instead ofwb+mode for better compatibility with some libraries.:issue:
1961and in some tests. MD5 is not available in some environments, such
as FIPS 140. This may invalidate some caches since the ETag will be
different. :issue:
1897Cross-Origin-Opener-PolicyandCross-Origin-Embedder-Policyresponse header properties.:pr:
2008run_simpletries to show a valid IP address when binding to alladdresses, instead of
0.0.0.0or::. It also warns about notrunning the development server in production in this case.
:issue:
1964installed on Windows. For all platforms, style support no longer
requires Click. :issue:
1832return a 200 response with the empty file instead of a 416 error.
:issue:
1937RequestandResponsehave beenextracted to contain all the behavior that is not WSGI or IO
dependent. These are not a public API, they are part of an ongoing
refactor to let ASGI frameworks use Werkzeug. :pr:
2005multipart/form-datahas been refactored to use sans-iopatterns. This should also make parsing forms with large binary file
uploads significantly faster. :issue:
1788, 875LocalProxymatches the current Python data model specialmethods, including all r-ops, in-place ops, and async.
__class__is proxied, so the proxy will look like the object in more cases,
including
isinstance. Useissubclass(type(obj), LocalProxy)to check if an object is actually a proxy. :issue:
1754LocalusesContextVaron Python 3.7+ instead ofthreading.local. :pr:1778request.valuesdoes not includeformfor GET requests (eventhough GET bodies are undefined). This prevents bad caching proxies
from caching form data instead of query strings. :pr:
2037environaswerkzeug.socket. This is non-standard and specific to the devserver, other servers may expose this under their own key. It is
useful for handling a WebSocket upgrade request. :issue:
2052websocket=Truemode for WebSocket upgraderequests. :issue:
2052UserAgentParserto handle more cases. :issue:1971werzeug.DechunkedInput.readintowill not read beyond the size ofthe buffer. :issue:
20212051pbkdf2_hex,pbkdf2_bin, andsafe_str_cmpare deprecated.hashlibandhmacprovide equivalents. :pr:2083invalidate_cached_propertyis deprecated. Usedel obj.nameinstead. :pr:
2084Hrefis deprecated. Usewerkzeug.routinginstead.:pr:
2085Request.disable_data_descriptoris deprecated. Create therequest with
shallow=Trueinstead. :pr:2085HTTPException.wrapis deprecated. Create a subclass manuallyinstead. :pr:
2085Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.