Update to py-flask-0.12.3


Update to py-flask-0.12.3

Daniel Jakots-3
Hi,

2 days ago flask released two new versions, 0.12.3 and 1.0.0. They
both include a security fix:

> Flask previously decoded incoming JSON bytes using the content type
> of the request. Although JSON should only be encoded as UTF-8, Flask
> was more lenient. However, Python includes non-text related encodings
> that could result in unexpected memory use by a request.
>
> Flask will now detect the encoding of incoming JSON data as one of
> the supported UTF encodings, and will not allow arbitrary encodings
> from the request.

0.12.3 has fewer differences from our version so I'd like to go for it
first and then a bit later move to 1.0.0 (deps need to be updated
first).

To create the docs it needs a new requirement and I'm not sure it's
really worth it so I simply removed them. We can also get rid of the
patches.

Comments? OK?
I'll probably commit it to -stable as well.

Cheers,
Daniel

Attachment: py-flask.diff (15K)
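The changelog excerpt quoted above describes the fix in general terms: stop trusting the charset from the request's Content-Type and instead derive the encoding from the JSON bytes themselves, accepting only UTF-8/16/32. The following is an added illustration of that approach, written for this thread and not taken from Flask's or the port's code. It uses the leading-byte pattern from RFC 4627 section 3 (a JSON text starts with two ASCII characters, so the position of NUL bytes reveals the UTF form); the function names `detect_utf_encoding`, `charset_allowed` and `strict_loads` are hypothetical, and the sample payloads are constructed inline.

```python
"""Encoding-detecting JSON decoding, as an alternative to trusting the
request's charset parameter (illustration for the thread, not Flask code)."""
import codecs
import json

# Only these text codecs are acceptable for a JSON body. Everything else,
# including Python's bytes-to-bytes codecs (zlib, bz2, ...), is refused.
ALLOWED_CHARSETS = {"utf-8", "utf-8-sig", "utf-16", "utf-16-le", "utf-16-be",
                    "utf-32", "utf-32-le", "utf-32-be"}


def lenient_loads(data: bytes, charset: str = "utf-8"):
    """The old shape of the problem: decode with whatever charset the client
    sent.  Anything codecs.lookup() resolves is accepted without question."""
    return json.loads(data.decode(charset))


def charset_allowed(charset: str) -> bool:
    """Normalise a charset name through the codec registry and check it is
    one of the permitted UTF forms.  Unknown names are simply rejected."""
    try:
        name = codecs.lookup(charset).name
    except LookupError:
        return False
    return name in ALLOWED_CHARSETS


def detect_utf_encoding(data: bytes) -> str:
    """Decide the UTF form from the first four bytes of a JSON document.

    BOMs are checked first (UTF-32 before UTF-16, since the UTF-32-LE BOM
    starts with the UTF-16-LE BOM).  Without a BOM, the first two characters
    of a JSON text are ASCII, so the NUL-byte pattern identifies the form:
        00 00 00 xx  -> utf-32-be     xx 00 00 00  -> utf-32-le
        00 xx 00 xx  -> utf-16-be     xx 00 xx 00  -> utf-16-le
    Anything else is treated as UTF-8.
    """
    if data.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"
    if data.startswith((codecs.BOM_UTF32_LE, codecs.BOM_UTF32_BE)):
        return "utf-32"
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return "utf-16"

    head = data[:4]
    if len(head) >= 4:
        if head[0] == 0 and head[1] == 0 and head[2] == 0:
            return "utf-32-be"
        if head[0] == 0 and head[2] == 0:
            return "utf-16-be"
        if head[1] == 0 and head[2] == 0 and head[3] == 0:
            return "utf-32-le"
        if head[1] == 0 and head[3] == 0:
            return "utf-16-le"
    elif len(head) == 2:
        # A two-byte document can only be a single UTF-16 character.
        if head[0] == 0:
            return "utf-16-be"
        if head[1] == 0:
            return "utf-16-le"
    return "utf-8"


def strict_loads(data: bytes, content_type_charset: str = "utf-8"):
    """Decode a JSON body without letting the client pick the codec.

    The Content-Type charset is only used as a sanity check: if it names a
    codec outside the UTF family the request is refused outright.  The actual
    decoding always uses the form detected from the bytes.
    """
    if not charset_allowed(content_type_charset):
        raise ValueError("unsupported charset for JSON body: %r"
                         % (content_type_charset,))
    encoding = detect_utf_encoding(data)
    return json.loads(data.decode(encoding))


if __name__ == "__main__":
    # Constructed sample payloads in each UTF form.
    for enc in ("utf-8", "utf-16-le", "utf-16-be", "utf-32-le", "utf-32-be", "utf-16"):
        body = '{"name": "flask", "ok": true}'.encode(enc)
        print(enc, "->", detect_utf_encoding(body), strict_loads(body))
    for cs in ("UTF8", "latin-1", "zlib", "no-such-charset"):
        print(cs, "allowed:", charset_allowed(cs))
```

Note that Python 3.6 and later perform the same leading-byte detection inside `json.loads` when handed `bytes`; the point of the separate function here is to make the decision visible and to keep the request-supplied charset out of it entirely.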

Re: Update to py-flask-0.12.3

Daniel Jakots-3
On Sat, 28 Apr 2018 11:45:51 +0200, Daniel Jakots <[hidden email]>
wrote:

> We can also get rid of the patches.

New patch with the cvs rm -f


Attachment: py-flask.diff (17K)

Re: Update to py-flask-0.12.3

Klemens Nanni-2
In reply to this post by Daniel Jakots-3
On Sat, Apr 28, 2018 at 11:45:51AM +0200, Daniel Jakots wrote:

> 2 days ago flask released two new versions, 0.12.3 and 1.0.0. They
> both include a security fix:
>
> > Flask previously decoded incoming JSON bytes using the content type
> > of the request. Although JSON should only be encoded as UTF-8, Flask
> > was more lenient. However, Python includes non-text related encodings
> > that could result in unexpected memory use by a request.
> >
> > Flask will now detect the encoding of incoming JSON data as one of
> > the supported UTF encodings, and will not allow arbitrary encodings
> > from the request.
>
> 0.12.3 has fewer differences from our version so I'd like to go for it
> first and then a bit later move to 1.0.0 (deps need to be updated
> first).
>
> To create the docs it needs a new requirement and I'm not sure it's
> really worth it so I simply removed them. We can also get rid of the
> patches.
>
> Comments? OK?
> I'll probably commit it to -stable as well.
I'm fine with this to do the security update but would like to see
them back in the package starting with 1.0.0 again.

One test fails, did it pass previously? See test.log attached.

        2 failed, 392 passed, 3 skipped, 1 error in 11.69 seconds

So OK kn for your second 0.12.3 update diff.

Attachment: flask-test.log (3K)