On Sat, Apr 28, 2018 at 11:45:51AM +0200, Daniel Jakots wrote:
> 2 days ago flask released two new versions, 0.12.3 and 1.0.0. They
> both include a security fix:
>
> > Flask previously decoded incoming JSON bytes using the content type
> > of the request. Although JSON should only be encoded as UTF-8, Flask
> > was more lenient. However, Python includes non-text related encodings
> > that could result in unexpected memory use by a request.
> >
> > Flask will now detect the encoding of incoming JSON data as one of
> > the supported UTF encodings, and will not allow arbitrary encodings
> > from the request.
>
> 0.12.3 has fewer differences from our version so I'd like to go for it
> first and then a bit later move to 1.0.0 (deps need to be updated
> first).
>
> To create the docs it needs a new requirement and I'm not sure it's
> really worth it so I simply removed them. We can also get rid of the
> patches.
>
> Comments? OK?
> I'll probably commit it to -stable as well.

I'm fine with this to do the security update but would like to see them
back in the package starting with 1.0.0 again.
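For readers who want to see what the quoted changelog entry is about, the following is an added example; it is not Flask's code and not part of the port. It reconstructs the two behaviours the entry contrasts: a lenient decoder that honours whatever charset= the client put in Content-Type, and a strict one that picks a codec from the bytes themselves (the RFC 4627 section 3 null-byte heuristic, which is also what the stdlib's json.loads does for bytes input since Python 3.6). It goes one step beyond the entry by constructing the payload that makes the lenient path dangerous: a zlib-compressed body sent with charset=zlib_codec, which inflates roughly a thousandfold before the JSON parser sees it. On Python 3.4+ bytes.decode() refuses non-text codecs, so codecs.decode() stands in here for what bytes.decode() did on Python 2. All function names (parse_charset, lenient_loads, detect_encoding, strict_loads, amplification_demo) and the 8 MiB payload size are this example's own choices.

```python
"""
Added example (not Flask's or the OpenBSD port's code): why honouring the
Content-Type charset when decoding a JSON body was dangerous, and what
"detect one of the supported UTF encodings" looks like instead.
"""
import codecs
import json
import zlib


def parse_charset(content_type: str):
    """Return the charset= parameter of a Content-Type header, or None."""
    for param in content_type.split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.strip().lower() == "charset":
            return value.strip().strip('"')
    return None


def lenient_loads(data: bytes, content_type: str):
    """Pre-fix behaviour, reconstructed for illustration: the client's
    charset goes straight to the codec machinery.  codecs.decode() accepts
    Python's non-text codecs (zlib_codec, bz2_codec, ...), as bytes.decode()
    did on Python 2, so the body may inflate before json ever sees it."""
    charset = parse_charset(content_type) or "utf-8"
    text = codecs.decode(data, charset)
    if isinstance(text, bytes):          # a binary transform, not a text codec
        text = text.decode("utf-8")
    return json.loads(text)


def detect_encoding(data: bytes) -> str:
    """Pick a UTF codec from the bytes themselves (RFC 4627 section 3).
    A JSON text starts with two ASCII characters, so the position of null
    bytes within the first four bytes identifies the code unit width."""
    head = data[:4]
    if head[:3] == codecs.BOM_UTF8:
        return "utf-8-sig"
    if head[:4] in (codecs.BOM_UTF32_BE, codecs.BOM_UTF32_LE):
        return "utf-32"                   # codec consumes the BOM
    if head[:2] in (codecs.BOM_UTF16_BE, codecs.BOM_UTF16_LE):
        return "utf-16"
    if len(head) == 4:
        if head[:3] == b"\x00\x00\x00":
            return "utf-32-be"            # 00 00 00 xx
        if head[::2] == b"\x00\x00":
            return "utf-16-be"            # 00 xx 00 xx
        if head[1:] == b"\x00\x00\x00":
            return "utf-32-le"            # xx 00 00 00
        if head[1::2] == b"\x00\x00":
            return "utf-16-le"            # xx 00 xx 00
    elif len(head) == 2:
        if head[:1] == b"\x00":
            return "utf-16-be"
        if head[1:] == b"\x00":
            return "utf-16-le"
    return "utf-8"


def strict_loads(data: bytes, content_type: str):
    """Post-fix behaviour: the Content-Type charset is ignored entirely and
    the codec is always one of the UTF codecs chosen by detect_encoding()."""
    return json.loads(data.decode(detect_encoding(data)))


def amplification_demo(expanded_size: int = 8 * 1024 * 1024):
    """Constructed payload: a valid JSON document padded with expanded_size
    bytes of whitespace, zlib-compressed, sent as charset=zlib_codec.
    Returns (bytes on the wire, bytes after inflation, lenient result,
    whether the strict decoder accepted the request)."""
    body = b"[" + b" " * expanded_size + b"1]"
    wire = zlib.compress(body, 9)
    content_type = "application/json; charset=zlib_codec"
    inflated = len(codecs.decode(wire, "zlib_codec"))
    lenient = lenient_loads(wire, content_type)   # parses as [1], after inflating
    try:
        strict_loads(wire, content_type)
        strict_accepted = True
    except ValueError:                    # UnicodeDecodeError or JSONDecodeError
        strict_accepted = False
    return len(wire), inflated, lenient, strict_accepted


if __name__ == "__main__":
    wire, inflated, lenient, strict_accepted = amplification_demo()
    print(f"{wire} bytes on the wire -> {inflated} bytes after zlib_codec; "
          f"lenient parsed {lenient!r}, strict accepted: {strict_accepted}")
```

The strict path still decodes attacker-controlled bytes, but only with a UTF codec, so the decoded text is never larger than a small constant multiple of the request body; request size limits (MAX_CONTENT_LENGTH in Flask terms) then bound memory use as intended.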
One test fails; did it pass previously? See test.log attached.

2 failed, 392 passed, 3 skipped, 1 error in 11.69 seconds

So OK kn for your second 0.12.3 update diff.
cd /tmp/pobj/py-flask-0.12.3-python3/Flask-0.12.3 && LC_ALL=C.UTF-8 /usr/local/bin/python3.6 -m pytest tests
============================= test session starts ==============================
platform openbsd6 -- Python 3.6.5, pytest-3.1.2, py-1.4.34, pluggy-0.4.0
benchmark: 3.0.0 (defaults: timer=time.perf_counter disable_gc=False min_rounds=5 min_time=5.00us max_time=1.00s calibration_precision=10 warmup=False warmup_iterations=100000)
rootdir: /tmp/pobj/py-flask-0.12.3-python3/Flask-0.12.3, inifile: setup.cfg
plugins: xdist-1.16.0, httpbin-0.2.3, cov-2.5.1, benchmark-3.0.0
collected 397 items

tests/test_appctx.py ............
tests/test_basic.py ................E...................................................................................
tests/test_blueprints.py ..............................
tests/test_cli.py ..........
tests/test_config.py ................
tests/test_deprecations.py ..
tests/test_ext.py .............F
tests/test_helpers.py .............................................................................................................................
tests/test_instance_config.py ...........s
tests/test_regression.py ..F
tests/test_reqctx.py .......ss
tests/test_signals.py .......
tests/test_subclassing.py .
tests/test_templating.py ..............................
tests/test_testing.py ...............
tests/test_user_error_handler.py ....
tests/test_views.py ........
==================================== ERRORS ====================================
_________________ ERROR at teardown of test_session_expiration _________________

recwarn = WarningsRecorder(record=True)

    @pytest.yield_fixture(autouse=True)
    def catch_deprecation_warnings(recwarn):
        yield
        gc.collect()
>       assert not recwarn.list
E       assert not [<warnings.WarningMessage object at 0x11c6139bb2e8>]
E        +  where [<warnings.WarningMessage object at 0x11c6139bb2e8>] = WarningsRecorder(record=True).list

tests/conftest.py:134: AssertionError
=================================== FAILURES ===================================
___________________________ test_no_error_swallowing ___________________________

flaskext_broken = None

    def test_no_error_swallowing(flaskext_broken):
        with pytest.raises(ImportError) as excinfo:
            import flask.ext.broken
>       assert excinfo.type is ImportError
E       AssertionError: assert <class 'ModuleNotFoundError'> is ImportError
E        +  where <class 'ModuleNotFoundError'> = <ExceptionInfo ModuleNotFoundError tblen=4>.type

tests/test_ext.py:183: AssertionError
________________________________ test_aborting _________________________________

    def test_aborting():
        class Foo(Exception):
            whatever = 42
        app = flask.Flask(__name__)
        app.testing = True
        @app.errorhandler(Foo)
        def handle_foo(e):
            return str(e.whatever)
        @app.route('/')
        def index():
            raise flask.abort(flask.redirect(flask.url_for('test')))
        @app.route('/test')
        def test():
            raise Foo()
        with app.test_client() as c:
            rv = c.get('/')
>           assert rv.headers['Location'] == 'http://localhost/test'
E           AssertionError: assert '/test' == 'http://localhost/test'
E             - /test
E             + http://localhost/test

tests/test_regression.py:100: AssertionError
========== 2 failed, 392 passed, 3 skipped, 1 error in 11.69 seconds ===========
*** Error 1 in . (Makefile:45 'do-test')