Hello community, here is the log from the commit of package python-WebOb for openSUSE:Factory checked in at 2020-03-12 22:58:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-WebOb (Old) and /work/SRC/openSUSE:Factory/.python-WebOb.new.3160 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-WebOb" Thu Mar 12 22:58:56 2020 rev:29 rq:783693 version:1.8.6 Changes: -------- --- /work/SRC/openSUSE:Factory/python-WebOb/python-WebOb.changes 2019-01-21 10:47:28.276230676 +0100 +++ /work/SRC/openSUSE:Factory/.python-WebOb.new.3160/python-WebOb.changes 2020-03-12 22:59:10.187011384 +0100 @@ -1,0 +2,8 @@ +Wed Mar 11 08:52:29 UTC 2020 - Dirk Mueller <[email protected]> + +- update to 1.8.6: + - The SameSite value now includes a new option named "None", this is a new + change that was introduced in + https://tools.ietf.org/html/draft-west-cookie-incrementalism-00 + +------------------------------------------------------------------- Old: ---- WebOb-1.8.5.tar.gz New: ---- WebOb-1.8.6.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-WebOb.spec ++++++ --- /var/tmp/diff_new_pack.MNU0Fg/_old 2020-03-12 22:59:11.147011767 +0100 +++ /var/tmp/diff_new_pack.MNU0Fg/_new 2020-03-12 22:59:11.163011773 +0100 @@ -1,7 +1,7 @@ # # spec file for package python-WebOb # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} %define oldpython python Name: python-WebOb -Version: 1.8.5 +Version: 1.8.6 Release: 0 Summary: WSGI request and response object License: MIT ++++++ WebOb-1.8.5.tar.gz -> WebOb-1.8.6.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WebOb-1.8.5/CHANGES.txt new/WebOb-1.8.6/CHANGES.txt --- old/WebOb-1.8.5/CHANGES.txt 2019-01-03 20:38:55.000000000 +0100 +++ new/WebOb-1.8.6/CHANGES.txt 2020-01-22 05:49:00.000000000 +0100 
@@ -1,3 +1,36 @@ +1.8.6 (2020-01-21) +------------------ + +Experimental Features +~~~~~~~~~~~~~~~~~~~~~ + +- The SameSite value now includes a new option named "None", this is a new + change that was introduced in + https://tools.ietf.org/html/draft-west-cookie-incrementalism-00 + + Please be aware that older clients are incompatible with this change: + https://www.chromium.org/updates/same-site/incompatible-clients, WebOb does + not enable SameSite on cookies by default, so there is no backwards + incompatible change here. + + See https://github.com/Pylons/webob/issues/406 + +- Validation of SameSite values can be disabled by toggling a module flag. This + is in anticipation of future changes in evolving cookie standards. + The discussion in https://github.com/Pylons/webob/pull/407 (which initially + expanded the allowed options) notes the sudden change to browser cookie + implementation details may happen again. + + In May 2019, Google announced a new model for privacy controls in their + browsers, which affected the list of valid options for the SameSite attribute + of cookies. In late 2019, the company began to roll out these changes to their + browsers to force developer adoption of the new specification. + See https://www.chromium.org/updates/same-site and + https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for more + details on this change. + + See https://github.com/Pylons/webob/pull/409 + 1.8.5 (2019-01-03) ------------------ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WebOb-1.8.5/PKG-INFO new/WebOb-1.8.6/PKG-INFO --- old/WebOb-1.8.5/PKG-INFO 2019-01-03 20:40:18.000000000 +0100 +++ new/WebOb-1.8.6/PKG-INFO 2020-01-22 06:22:51.000000000 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: WebOb -Version: 1.8.5 +Version: 1.8.6 Summary: WSGI request and response object Home-page: http://webob.org/ Author: Ian Bicking 
@@ -44,6 +44,39 @@ WebOb was authored by Ian Bicking and is currently maintained by the `Pylons Project <https://pylonsproject.org/>`_ and a team of contributors. + 1.8.6 (2020-01-21) + ------------------ + + Experimental Features + ~~~~~~~~~~~~~~~~~~~~~ + + - The SameSite value now includes a new option named "None", this is a new + change that was introduced in + https://tools.ietf.org/html/draft-west-cookie-incrementalism-00 + + Please be aware that older clients are incompatible with this change: + https://www.chromium.org/updates/same-site/incompatible-clients, WebOb does + not enable SameSite on cookies by default, so there is no backwards + incompatible change here. + + See https://github.com/Pylons/webob/issues/406 + + - Validation of SameSite values can be disabled by toggling a module flag. This + is in anticipation of future changes in evolving cookie standards. + The discussion in https://github.com/Pylons/webob/pull/407 (which initially + expanded the allowed options) notes the sudden change to browser cookie + implementation details may happen again. + + In May 2019, Google announced a new model for privacy controls in their + browsers, which affected the list of valid options for the SameSite attribute + of cookies. In late 2019, the company began to roll out these changes to their + browsers to force developer adoption of the new specification. + See https://www.chromium.org/updates/same-site and + https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for more + details on this change. + + See https://github.com/Pylons/webob/pull/409 + 1.8.5 (2019-01-03) ------------------ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WebOb-1.8.5/docs/experimental/samesite.txt new/WebOb-1.8.6/docs/experimental/samesite.txt --- old/WebOb-1.8.5/docs/experimental/samesite.txt 2017-11-20 23:30:48.000000000 +0100 +++ new/WebOb-1.8.6/docs/experimental/samesite.txt 2020-01-22 05:46:18.000000000 +0100 
@@ -1,3 +1,5 @@ +.. _samesiteexp: + Same-site Cookies ================= @@ -9,5 +11,13 @@ WebOb provides support for setting the ``SameSite`` attribute in its cookie APIs, using the ``samesite`` keyword argument. +In `Incrementally Better Cookies +<https://tools.ietf.org/html/draft-west-cookie-incrementalism-00>`_ the +standard was altered to add an additional option for the ``SameSite`` +attribute. This new option has `known incompatible clients +<https://www.chromium.org/updates/same-site/incompatible-clients>`_, please be +aware that WebOb does not attempt to sniff the user agent to know if setting +the ``SameSite`` attribute to ``None`` will cause compatibility issues. + Please refer to the API documentation for :func:`webob.cookies.make_cookie` and :class:`webob.cookies.CookieProfile` for the keyword arguments. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WebOb-1.8.5/setup.py new/WebOb-1.8.6/setup.py --- old/WebOb-1.8.5/setup.py 2019-01-03 20:39:04.000000000 +0100 +++ new/WebOb-1.8.6/setup.py 2020-01-22 05:52:08.000000000 +0100 @@ -25,7 +25,7 @@ setup( name='WebOb', - version='1.8.5', + version='1.8.6', description="WSGI request and response object", long_description=README + '\n\n' + CHANGES, classifiers=[ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WebOb-1.8.5/src/WebOb.egg-info/PKG-INFO new/WebOb-1.8.6/src/WebOb.egg-info/PKG-INFO --- old/WebOb-1.8.5/src/WebOb.egg-info/PKG-INFO 2019-01-03 20:40:18.000000000 +0100 +++ new/WebOb-1.8.6/src/WebOb.egg-info/PKG-INFO 2020-01-22 06:22:51.000000000 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: WebOb -Version: 1.8.5 +Version: 1.8.6 Summary: WSGI request and response object Home-page: http://webob.org/ Author: Ian Bicking 
@@ -44,6 +44,39 @@ WebOb was authored by Ian Bicking and is currently maintained by the `Pylons Project <https://pylonsproject.org/>`_ and a team of contributors. + 1.8.6 (2020-01-21) + ------------------ + + Experimental Features + ~~~~~~~~~~~~~~~~~~~~~ + + - The SameSite value now includes a new option named "None", this is a new + change that was introduced in + https://tools.ietf.org/html/draft-west-cookie-incrementalism-00 + + Please be aware that older clients are incompatible with this change: + https://www.chromium.org/updates/same-site/incompatible-clients, WebOb does + not enable SameSite on cookies by default, so there is no backwards + incompatible change here. + + See https://github.com/Pylons/webob/issues/406 + + - Validation of SameSite values can be disabled by toggling a module flag. This + is in anticipation of future changes in evolving cookie standards. + The discussion in https://github.com/Pylons/webob/pull/407 (which initially + expanded the allowed options) notes the sudden change to browser cookie + implementation details may happen again. + + In May 2019, Google announced a new model for privacy controls in their + browsers, which affected the list of valid options for the SameSite attribute + of cookies. In late 2019, the company began to roll out these changes to their + browsers to force developer adoption of the new specification. + See https://www.chromium.org/updates/same-site and + https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for more + details on this change. + + See https://github.com/Pylons/webob/pull/409 + 1.8.5 (2019-01-03) ------------------ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WebOb-1.8.5/src/webob/cookies.py new/WebOb-1.8.6/src/webob/cookies.py --- old/WebOb-1.8.5/src/webob/cookies.py 2019-01-03 20:24:19.000000000 +0100 +++ new/WebOb-1.8.6/src/webob/cookies.py 2020-01-22 05:46:01.000000000 +0100 
@@ -30,6 +30,11 @@ _marker = object() +# Module flag to handle validation of SameSite attributes +# See the documentation for ``make_cookie`` for more information. +SAMESITE_VALIDATION = True + + class RequestCookies(MutableMapping): _cache_key = 'webob._parsed_cookies' @@ -240,8 +245,10 @@ def serialize_samesite(v): v = bytes_(v) - if v.lower() not in (b"strict", b"lax"): - raise ValueError("SameSite must be 'Strict' or 'Lax'") + if SAMESITE_VALIDATION: + if v.lower() not in (b"strict", b"lax", b"none"): + raise ValueError("SameSite must be 'strict', 'lax', or 'none'") + return v @@ -287,8 +294,14 @@ if self.httponly: add(b'HttpOnly') if self.samesite: - add(b'SameSite=' + self.samesite) - return native_(b'; '.join(result), 'ascii') + if not self.secure and self.samesite.lower() == b"none": + raise ValueError( + "Incompatible cookie attributes: " + "when the samesite equals 'none', then the secure must be True" + ) + add(b"SameSite=" + self.samesite) + + return native_(b"; ".join(result), "ascii") __str__ = serialize @@ -440,7 +453,8 @@ def make_cookie(name, value, max_age=None, path='/', domain=None, secure=False, httponly=False, comment=None, samesite=None): - """ Generate a cookie value. + """ + Generate a cookie value. ``name`` The name of the cookie. 
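Review bot: The comment above `SAMESITE_VALIDATION` does not say that the flag is process-wide, nor what is lost when it is switched off. It is a module global read inside `serialize_samesite`, so a false value applies to every cookie serialized through this module, not only the caller's own. The `@@ -240,8 +245,10 @@` hunk shows no other check on the value in that function. I would extend the comment along the lines of `# Process-wide: a false value disables all checking of SameSite values for every cookie serialized by this module.`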
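Review bot: With `SAMESITE_VALIDATION` false, `serialize_samesite` returns `v` unchecked, and the `@@ -287,8 +294,14 @@` hunk concatenates it into the header as `b"SameSite=" + self.samesite`. A value containing `;`, whitespace or a line break would then add or alter attributes in the emitted Set-Cookie line. Whether that is reachable depends on the value coming from outside the application's own configuration, which the hunk does not show. A syntactic check could stay in place when the allow-list is off, still allowing future keywords: add `elif not v.isalnum(): raise ValueError("SameSite must be an alphanumeric token")` after the `if SAMESITE_VALIDATION:` block.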
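Review bot: The Secure requirement for `SameSite=None` in the `@@ -287,8 +294,14 @@` hunk is enforced only at serialization, and none of the docstrings touched by this commit mention it. `make_cookie` defaults to `secure=False`, so a caller following the updated `samesite` text and passing `"none"` would presumably hit this `ValueError` only when headers are generated. I would add a sentence to the `samesite` entry in `make_cookie`, and to the two profile docstrings, such as ``` ``"none"`` requires ``secure=True``; otherwise serializing the cookie raises ``ValueError``. ``` The body of `serialize` starts outside the hunk.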
@@ -470,8 +484,30 @@ Set a comment on the cookie. Default: ``None`` ``samesite`` - The 'SameSite' attribute of the cookie, can be either ``"Strict"``, - ``"Lax"``, or ``None``. + The 'SameSite' attribute of the cookie, can be either ``"strict"``, + ``"lax"``, ``"none"``, or ``None``. By default, WebOb will validate the + value to ensure it conforms to the allowable options in the various draft + RFC's that exist. + + To disable this check and send headers that are experimental or introduced + in a future RFC, set the module flag ``SAMESITE_VALIDATION`` to a + false value like: + + .. code:: + + import webob.cookies + webob.cookies.SAMESITE_VALIDATION = False + + ck = webob.cookies.make_cookie(cookie_name, value, samesite='future') + + .. danger:: + + This feature has known compatibility issues with various user agents, + and is not yet an accepted RFC. It is therefore considered + experimental and subject to change. + + For more information please see :ref:`Experimental: SameSite Cookies + <samesiteexp>` """ # We are deleting the cookie, override max_age and expires @@ -674,8 +710,11 @@ session cookie. Default: ``False``. ``samesite`` - The 'SameSite' attribute of the cookie, can be either ``b"Strict"``, - ``b"Lax"``, or ``None``. + The 'SameSite' attribute of the cookie, can be either ``b"strict"``, + ``b"lax"``, ``b"none"``, or ``None``. + + For more information please see the ``samesite`` documentation in + :meth:`webob.cookies.make_cookie` ``path`` The path used for the session cookie. Default: ``'/'``. 
@@ -912,8 +951,8 @@ session cookie. Default: ``False``. ``samesite`` - The 'SameSite' attribute of the cookie, can be either ``b"Strict"``, - ``b"Lax"``, or ``None``. + The 'SameSite' attribute of the cookie, can be either ``b"strict"``, + ``b"lax"``, ``b"none"``, or ``None``. ``path`` The path used for the session cookie. Default: ``'/'``. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WebOb-1.8.5/src/webob/request.py new/WebOb-1.8.6/src/webob/request.py --- old/WebOb-1.8.5/src/webob/request.py 2019-01-03 20:24:19.000000000 +0100 +++ new/WebOb-1.8.6/src/webob/request.py 2020-01-22 05:47:15.000000000 +0100 @@ -308,7 +308,7 @@ environ_getter('CONTENT_LENGTH', None, '14.13'), parse_int_safe, serialize_int, 'int') remote_user = environ_getter('REMOTE_USER', None) - remote_host = environ_getter('REMOTE_HOST', None, '4.1.9') + remote_host = environ_getter('REMOTE_HOST', None) remote_addr = environ_getter('REMOTE_ADDR', None) query_string = environ_getter('QUERY_STRING', '') server_name = environ_getter('SERVER_NAME') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WebOb-1.8.5/src/webob/response.py new/WebOb-1.8.6/src/webob/response.py --- old/WebOb-1.8.5/src/webob/response.py 2019-01-03 20:24:19.000000000 +0100 +++ new/WebOb-1.8.6/src/webob/response.py 2020-01-22 05:40:19.000000000 +0100 
@@ -998,7 +998,7 @@ A string representing the ``SameSite`` attribute of the cookie or ``None``. If samesite is ``None`` no ``SameSite`` value will be sent - in the cookie. Should only be ``"Strict"`` or ``"Lax"``. + in the cookie. Should only be ``"strict"``, ``"lax"``, or ``"none"``. ``comment`` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WebOb-1.8.5/tests/test_cookies.py new/WebOb-1.8.6/tests/test_cookies.py --- old/WebOb-1.8.5/tests/test_cookies.py 2019-01-03 20:24:19.000000000 +0100 +++ new/WebOb-1.8.6/tests/test_cookies.py 2020-01-22 05:44:42.000000000 +0100 
@@ -87,6 +87,47 @@ c[b"foo"].samesite = b"Lax" assert c.serialize() == "foo=bar; SameSite=Lax" +def test_cookie_samesite_none(): + c = cookies.Cookie() + c[b"foo"] = b"bar" + c[b"foo"].samesite = b"None" + c[b"foo"].secure = True + assert c.serialize() == "foo=bar; secure; SameSite=None" + +def test_cookie_samesite_none_not_secure(): + c = cookies.Cookie() + c[b"foo"] = b"bar" + c[b"foo"].samesite = b"None" + with pytest.raises(ValueError): + c.serialize() + +def test_cookie_samesite_future__default(): + # ensure default behavior when unsupported values are provided + c = cookies.Cookie() + with pytest.raises(ValueError) as excinfo: + c[b"foo"] = b"bar" + c[b"foo"].samesite = b"Future" + c.serialize() + assert excinfo.value.args[0] == "SameSite must be 'strict', 'lax', or 'none'" + + +def test_cookie_samesite_future__monkeypatched(monkeypatch): + # disable validation so future args pass + monkeypatch.setattr(cookies, "SAMESITE_VALIDATION", False) + c = cookies.Cookie() + c[b"foo"] = b"bar" + c[b"foo"].samesite = b"Future" + assert c.serialize() == "foo=bar; SameSite=Future" + + # ensure we can toggle it to True and re-achieve default behavior... + monkeypatch.setattr(cookies, "SAMESITE_VALIDATION", True) + with pytest.raises(ValueError) as excinfo: + c[b"foo"] = b"bar" + c[b"foo"].samesite = b"Future" + c.serialize() + assert excinfo.value.args[0] == "SameSite must be 'strict', 'lax', or 'none'" + + def test_cookie_reserved_keys(): c = cookies.Cookie('dismiss-top=6; CP=null*; $version=42; a=42') assert '$version' not in c @@ -113,6 +154,7 @@ def test_serialize_samesite(): assert cookies.serialize_samesite(b"Lax") == b"Lax" assert cookies.serialize_samesite(b"Strict") == b"Strict" + assert cookies.serialize_samesite(b"None") == b"None" with pytest.raises(ValueError): cookies.serialize_samesite(b"SomethingElse") 
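Review bot: In `test_cookie_samesite_future__default` the `pytest.raises` block wraps three statements, so the test passes whichever one raises and does not pin where the rejection happens. The second half of `test_cookie_samesite_future__monkeypatched` has the same shape. Keeping only the statement expected to fail inside the block makes the intent explicit, for example by moving `c[b"foo"] = b"bar"` above the `with` line. There is also no case for `SAMESITE_VALIDATION` set to `False` together with `samesite = b"None"` and no `secure`; such a test would confirm that the Secure requirement in `serialize` still holds when validation is disabled.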
@@ -450,9 +492,12 @@ assert 'test_cookie=value' in cookie assert 'Path=/foo/bar/baz' in cookie - @pytest.mark.parametrize("samesite", ["Strict", "Lax"]) + @pytest.mark.parametrize("samesite", ["Strict", "Lax", "None"]) def test_make_cookie_samesite(self, samesite): - cookie = self.makeOne('test_cookie', 'value', samesite=samesite) + cookie = self.makeOne("test_cookie", "value", samesite=samesite, secure=True) + + assert "test_cookie=value" in cookie + assert "SameSite=" + samesite in cookie assert 'test_cookie=value' in cookie assert 'SameSite=' + samesite in cookie @@ -667,17 +712,17 @@ for cookie in ret: assert '; HttpOnly' in cookie[1] - @pytest.mark.parametrize("samesite", [b"Strict", b"Lax"]) + @pytest.mark.parametrize("samesite", [b"Strict", b"Lax", b"None"]) def test_with_samesite_bytes(self, samesite): - cookie = self.makeOne(samesite=samesite) + cookie = self.makeOne(samesite=samesite, secure=True) ret = cookie.get_headers("test") for cookie in ret: assert "; SameSite=" + samesite.decode('ascii') in cookie[1] - @pytest.mark.parametrize("samesite", ["Strict", "Lax"]) + @pytest.mark.parametrize("samesite", ["Strict", "Lax", "None"]) def test_with_samesite(self, samesite): - cookie = self.makeOne(samesite=samesite) + cookie = self.makeOne(samesite=samesite, secure=True) ret = cookie.get_headers("test") for cookie in ret:
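Review bot: `secure=True` is now passed for every parametrized value in `test_make_cookie_samesite`, and likewise in `test_with_samesite_bytes` and `test_with_samesite` in the `@@ -667,17 +712,17 @@` hunk. These tests therefore no longer exercise `Strict` or `Lax` without the Secure attribute. Parametrizing the pair, for example `@pytest.mark.parametrize("samesite, secure", [("Strict", False), ("Lax", False), ("None", True)])` with a matching `secure` argument on the test, would keep the earlier coverage. In `test_make_cookie_samesite` the two added double-quoted assertions duplicate the two single-quoted ones that remain as context below them; one pair can be dropped.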
