support a standard api for parsing media types by mmerickel · Pull Request #376 · Pylons/webob

mmerickel · 2018-09-13T03:49:45Z

No description provided.

mmerickel · 2018-10-02T07:14:04Z

This is ready for review. I can remove the specificity stuff from AcceptOffer if desired... it's not used anywhere but isn't really hurting anything and the conceptual ordering is used in a lot of places. I chose to not add a separate PR for a bug fix with acceptable_offers where Accept: */* did not match a range-based offer.

stevepiercy

LGTM.

see the multitude of reasons in Pylons/pyramid#3326 the short answer is that they are fundamentally broken in that media ranges cannot properly match against any accept header with q=0 content

mmerickel · 2018-10-10T02:02:29Z

This PR now incorporates #378 and removes media range support from parse_offer and subsequently acceptable_offers. I would recommend merging #378 first and then reviewing this PR afterward.

support a standard api for parsing media types

Bumps [webob](https://github.com/Pylons/webob) from 1.8.7 to 1.8.8. <details> <summary>Changelog</summary> Sourced from <a href="https://github.com/Pylons/webob/blob/main/CHANGES.txt">webob's changelog</a>. <blockquote> <h2>Unreleased</h2> Security Fix <pre><code> - The use of WebOb's Response object to redirect a request to a new location can lead to an open redirect if the Location header is not a full URI. See <a href="https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3">https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3</a> and CVE-2024-42353 Thanks to Sara Gao for the report (This fix was released in WebOb 1.8.8) Feature <pre><code> - Rename &quot;master&quot; git branch to &quot;main&quot; - Add support for Python 3.12. - Add Request.remote_host, exposing REMOTE_HOST environment variable. - Added ``acceptparse.Accept.parse_offer`` to codify what types of offers are compatible with ``acceptparse.AcceptValidHeader.acceptable_offers``, ``acceptparse.AcceptMissingHeader.acceptable_offers``, and ``acceptparse.AcceptInvalidHeader.acceptable_offers``. This API also normalizes the offer with lowercased type/subtype and parameter names. See Pylons/webob#376 and Pylons/webob#379 Compatibility </code></pre> Backwards Incompatibilities <pre><code> - Drop support for Python 2.7, 3.4, 3.5, 3.6, and 3.7. Experimental Features </code></pre> <ul> <li> The SameSite value now includes a new option named "None", this is a new change that was introduced in <a href="https://tools.ietf.org/html/draft-west-cookie-incrementalism-00">https://tools.ietf.org/html/draft-west-cookie-incrementalism-00</a> Please be aware that older clients are incompatible with this change: </tr></table> </code></pre> </li> </ul> </blockquote> ... (truncated) </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/Pylons/webob/commit/f2bdd835d6ca1884b5e03e7778f5ede1737f8bc7"><code>f2bdd83</code></a> Merge commit from fork</li> <li><a href="https://github.com/Pylons/webob/commit/913fa2cbbfca0f394716ac30c6f910b461f3e8f6"><code>913fa2c</code></a> Update CHANGES.txt</li> <li><a href="https://github.com/Pylons/webob/commit/f2e92f3c42d889dd74ffd07ab85d5b6a6c32a5d5"><code>f2e92f3</code></a> WebOb version revised to 1.8.8</li> <li><a href="https://github.com/Pylons/webob/commit/a06856a9a3e0a01b469dc66d0ed8474711a4b5d9"><code>a06856a</code></a> Build the latest version from tox</li> <li><a href="https://github.com/Pylons/webob/commit/819f43c911d377ca9ebc15146772b0c918eb7e5a"><code>819f43c</code></a> Add MANIFEST.in to build source tarball</li> <li><a href="https://github.com/Pylons/webob/commit/411df96de2c661d6e9566f2bd2a12ea17d89d97b"><code>411df96</code></a> s/isAlive/is_alive/</li> <li><a href="https://github.com/Pylons/webob/commit/5ae9b5d2f472dfa62536b04e78eaaa2b1e153e7e"><code>5ae9b5d</code></a> Update for newer versions of tox/sphinx</li> <li><a href="https://github.com/Pylons/webob/commit/2a2da92b9fd2268ff3d4d5293b2fcdacad0fc859"><code>2a2da92</code></a> Support for Python 2.7 requires an old version of virtualenv</li> <li><a href="https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b"><code>f689bcf</code></a> Add fix for open redirect</li> <li>See full diff in <a href="https://github.com/Pylons/webob/compare/1.8.7...1.8.8">compare view</a></li> </ul> </details> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=webob&package-manager=pip&previous-version=1.8.7&new-version=1.8.8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/canonical/hwcert-errbot/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [webob](https://github.com/Pylons/webob) from 1.8.9 to 1.8.10. <details> <summary>Changelog</summary> Sourced from <a href="https://github.com/Pylons/webob/blob/main/CHANGES.txt">webob's changelog</a>. <blockquote> <h2>Unreleased</h2> Security Fix <pre><code> - The use of WebOb's Response object to redirect a request to a new location can lead to an open redirect if the Location header is not a full URI. See <a href="https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3">https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3</a> and CVE-2024-42353 Thanks to Sara Gao for the report (This fix was released in WebOb 1.8.8) <ul> <li> The fix for CVE-2024-42353 was incomplete: a Location value containing ASCII tab, carriage return, or line feed characters between consecutive slashes could still be interpreted as a protocol-relative URL by <code>urllib.parse.urljoin</code> on Python 3.10+, allowing an open redirect. See <a href="https://github.com/Pylons/webob/security/advisories/GHSA-fh3h-vg37-cc95">https://github.com/Pylons/webob/security/advisories/GHSA-fh3h-vg37-cc95</a> Thanks to Caleb Brown of Google for the report. (Thix fix was released in WebOb 1.8.10) </li> </ul> Feature <pre><code> - Rename &quot;master&quot; git branch to &quot;main&quot; - Add support for Python 3.12. - Add support for Python 3.13. - Add support for Python 3.14. - Add Request.remote_host, exposing REMOTE_HOST environment variable. - Added ``acceptparse.Accept.parse_offer`` to codify what types of offers are compatible with ``acceptparse.AcceptValidHeader.acceptable_offers``, ``acceptparse.AcceptMissingHeader.acceptable_offers``, and ``acceptparse.AcceptInvalidHeader.acceptable_offers``. This API also normalizes the offer with lowercased type/subtype and parameter names. See Pylons/webob#376 and Pylons/webob#379 Compatibility </code></pre>  </blockquote> ... (truncated) </details> <details> <summary>Commits</summary> <ul> <li><a href="Pylons/webob@b240857958df492ef71bb00fb4b5365ecd92480a"><code>b240857</code></a> Merge commit from fork</li> <li><a href="Pylons/webob@57d78a3950a78a2d45cebefb477ad672165a15d9"><code>57d78a3</code></a> Release 1.8.10</li> <li><a href="Pylons/webob@228fb77a8be61c006d6c20d9df9fd7c840b1cc9a"><code>228fb77</code></a> Backport of 7121e8c from main to fix test suite on Python &gt;=3.10 which got a ...</li> <li><a href="Pylons/webob@21c1c582bff83dc6f95fdb055e31a36db6d26e89"><code>21c1c58</code></a> Fix open redirect issue due to changes made in cPython &gt;=3.10</li> <li><a href="Pylons/webob@5e52ea46a171fbebcb04a70b2a6a0803fdcca0eb"><code>5e52ea4</code></a> Allow docs to build again</li> <li>See full diff in <a href="Pylons/webob@1.8.9...1.8.10">compare view</a></li> </ul> </details> </code></pre> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=webob&package-manager=pip&previous-version=1.8.9&new-version=1.8.10)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/ROCm/rocm-libraries/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bump webob from 1.8.9 to 1.8.10 in /shared/tensile/docs/sphinx (#8069) Bumps [webob](https://github.com/Pylons/webob) from 1.8.9 to 1.8.10. <details> <summary>Changelog</summary> Sourced from <a href="https://github.com/Pylons/webob/blob/main/CHANGES.txt">webob's changelog</a>. <blockquote> <h2>Unreleased</h2> Security Fix <pre><code> - The use of WebOb's Response object to redirect a request to a new location can lead to an open redirect if the Location header is not a full URI. See <a href="https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3">https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3</a> and CVE-2024-42353 Thanks to Sara Gao for the report (This fix was released in WebOb 1.8.8) <ul> <li> The fix for CVE-2024-42353 was incomplete: a Location value containing ASCII tab, carriage return, or line feed characters between consecutive slashes could still be interpreted as a protocol-relative URL by <code>urllib.parse.urljoin</code> on Python 3.10+, allowing an open redirect. See <a href="https://github.com/Pylons/webob/security/advisories/GHSA-fh3h-vg37-cc95">https://github.com/Pylons/webob/security/advisories/GHSA-fh3h-vg37-cc95</a> Thanks to Caleb Brown of Google for the report. (Thix fix was released in WebOb 1.8.10) </li> </ul> Feature <pre><code> - Rename &quot;master&quot; git branch to &quot;main&quot; - Add support for Python 3.12. - Add support for Python 3.13. - Add support for Python 3.14. - Add Request.remote_host, exposing REMOTE_HOST environment variable. - Added ``acceptparse.Accept.parse_offer`` to codify what types of offers are compatible with ``acceptparse.AcceptValidHeader.acceptable_offers``, ``acceptparse.AcceptMissingHeader.acceptable_offers``, and ``acceptparse.AcceptInvalidHeader.acceptable_offers``. This API also normalizes the offer with lowercased type/subtype and parameter names. See Pylons/webob#376 and Pylons/webob#379 Compatibility </code></pre>  </blockquote> ... (truncated) </details> <details> <summary>Commits</summary> <ul> <li><a href="Pylons/webob@b240857958df492ef71bb00fb4b5365ecd92480a"><code>b240857</code></a> Merge commit from fork</li> <li><a href="Pylons/webob@57d78a3950a78a2d45cebefb477ad672165a15d9"><code>57d78a3</code></a> Release 1.8.10</li> <li><a href="Pylons/webob@228fb77a8be61c006d6c20d9df9fd7c840b1cc9a"><code>228fb77</code></a> Backport of 7121e8c from main to fix test suite on Python &gt;=3.10 which got a ...</li> <li><a href="Pylons/webob@21c1c582bff83dc6f95fdb055e31a36db6d26e89"><code>21c1c58</code></a> Fix open redirect issue due to changes made in cPython &gt;=3.10</li> <li><a href="Pylons/webob@5e52ea46a171fbebcb04a70b2a6a0803fdcca0eb"><code>5e52ea4</code></a> Allow docs to build again</li> <li>See full diff in <a href="Pylons/webob@1.8.9...1.8.10">compare view</a></li> </ul> </details> </code></pre> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=webob&package-manager=pip&previous-version=1.8.9&new-version=1.8.10)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end)

support a standard api for parsing media types

d150f9f

mmerickel force-pushed the accept-parse-offer branch from a3a878c to d150f9f Compare September 13, 2018 04:04

digitalresistor approved these changes Sep 24, 2018

View reviewed changes

Comment thread src/webob/acceptparse.py

mmerickel added 2 commits September 25, 2018 23:17

return a named tuple

9d361a4

more clearly define specificity constants

8e1cccb

mmerickel force-pushed the accept-parse-offer branch from 206b6c5 to 8e1cccb Compare September 27, 2018 05:07

mmerickel added 2 commits October 2, 2018 01:55

use Accept.parse_offer to be consistent across the codebase

258295d

further simplify

ce6eff4

mmerickel added 2 commits October 2, 2018 02:16

fix comment

869d8af

update changelog

14442df

mmerickel mentioned this pull request Oct 2, 2018

Overhaul HTTP Accept (mime type) handling in Pyramid Pylons/pyramid#3326

Merged

stevepiercy reviewed Oct 2, 2018

View reviewed changes

Comment thread src/webob/acceptparse.py Outdated

mmerickel added 2 commits October 9, 2018 20:34

Merge branch 'fix-warnings' into accept-parse-offer

ab13441

remove media range support for offers

d0d538f

see the multitude of reasons in Pylons/pyramid#3326 the short answer is that they are fundamentally broken in that media ranges cannot properly match against any accept header with q=0 content

Merge branch 'master' into accept-parse-offer

9c9c7fe

digitalresistor merged commit 1fa8a4e into Pylons:master Oct 10, 2018

digitalresistor added a commit that referenced this pull request Oct 15, 2018

Backport pull request #376

70ab88b

support a standard api for parsing media types

This was referenced Jan 31, 2025

Bump webob from 1.8.7 to 1.8.8 in /lib/poseidon_cli faucetsdn/poseidon#2961

Merged

Bump webob from 1.8.7 to 1.8.8 amazon-science/GNP#3

Open

This was referenced Feb 17, 2025

Bump webob from 1.4.1 to 1.8.8 yyjinlong/nova#2

Open

Bump webob from 1.8.7 to 1.8.8 easierdata/chesapeake_mhw#6

Open

dependabot Bot mentioned this pull request Mar 6, 2025

Bump webob from 1.8.7 to 1.8.8 mnemosyne-proj/mnemosyne#296

Open

dependabot Bot mentioned this pull request Mar 20, 2025

Bump webob from 1.8.6 to 1.8.8 in /backend nashirj/LAHacks2020#7

Closed

This was referenced Apr 7, 2025

Bump the pip group in /bbone/bbmaster with 4 updates hsri-pf9/pf9-du#1

Open

Bump webob from 1.8.7 to 1.8.8 jmgk-dev/circus_records#12

Merged

dependabot Bot mentioned this pull request Apr 18, 2025

Bump webob from 1.8.7 to 1.8.8 in /docs KLMatlock/jwtoxide#19

Merged

dependabot Bot mentioned this pull request May 17, 2025

Bump the pip group across 1 directory with 6 updates bsweger/data-act-broker-backend#1

Open

This was referenced Jun 13, 2025

Bump webob from 1.8.7 to 1.8.8 CenturyHSProgramming/single-html-page-project#20

Merged

build(deps): bump webob from 1.8.7 to 1.8.8 CenturyHSTech/My-Website-Project#20

Merged

dependabot Bot mentioned this pull request Aug 17, 2025

Bump the pip group across 1 directory with 5 updates tberlok/paicos#93

Merged

dependabot Bot mentioned this pull request Oct 22, 2025

Bump webob from 1.0.8 to 1.8.8 OpenGov-OpenData/ckanext-security#16

Closed

dependabot Bot mentioned this pull request Nov 21, 2025

Bump webob from 1.8.6 to 1.8.8 in /server jporter-dev/codewords#76

Open

dependabot Bot mentioned this pull request Dec 10, 2025

Bump the pip group across 1 directory with 2 updates IvanAnishchuk/django-test-project#11

Open

dependabot Bot mentioned this pull request Mar 25, 2026

Bump the pip group across 1 directory with 2 updates joffcrabtree/coldsweat#1

Open

dependabot Bot mentioned this pull request Apr 16, 2026

Bump the pip group across 1 directory with 3 updates ineedaspo1/Kotti#1

Open

This was referenced Apr 24, 2026

Bump webob from 1.0.8 to 1.8.8 in /r2 in the pip group across 1 directory feureau/reddit#1

Open

Bump webob from 1.8.6 to 1.8.8 in /semantics jcolag/Notoboto#20

Merged

This was referenced May 17, 2026

Bump webob from 1.2b3 to 1.8.8 in /testing/mozharness fatman2021/gecko-dev#313

Merged

Bump the pip group across 1 directory with 8 updates lawgimenez/firefox-ios#7

Open

dependabot Bot mentioned this pull request Jun 1, 2026

Bump webob from 1.6.1 to 1.8.8 date-lab/topospec#4

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

support a standard api for parsing media types#376

support a standard api for parsing media types#376
digitalresistor merged 10 commits into
Pylons:masterfrom
mmerickel:accept-parse-offer

mmerickel commented Sep 13, 2018

Uh oh!

Uh oh!

mmerickel commented Oct 2, 2018

Uh oh!

stevepiercy left a comment

Uh oh!

Uh oh!

mmerickel commented Oct 10, 2018 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

mmerickel commented Sep 13, 2018

Uh oh!

Uh oh!

mmerickel commented Oct 2, 2018

Uh oh!

stevepiercy left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

mmerickel commented Oct 10, 2018 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

mmerickel commented Oct 10, 2018 •

edited

Loading