Paste 1.1
---------

This release includes a security fix, fixing a situation where you could escape the root when serving static files and running the Paste HTTP server publicly. If you used other WSGI servers or used the Paste HTTP server behind Apache this does not affect you.

For an update of Paste 1.0 that includes *only* the security fix, use "easy_install Paste==1.0.1"

What Is Paste?
--------------

URL: http://pythonpaste.org
Install: easy_install Paste PasteScript PasteDeploy
News: http://pythonpaste.org/news.html
      http://pythonpaste.org/script/news.html
      http://pythonpaste.org/deploy/news.html

Paste is a set of WSGI components, each of which can be used in isolation. But used together they form an unstoppable force. Team WSGI, unite!

These components let you do things like create applications that proxy to other websites, mount multiple applications under different prefixes, catch exceptions and interactively inspect the environment, and much more.

Paste Deploy is a configuration system for these components.

Paste Script is a jack of all trades that builds new project file layouts, runs WSGI server stacks, and does application deployment.

Interesting News
----------------

Paste
~~~~~

* Security fix for paste.urlparser.StaticURLParser. The problem allowed escaping the root (and reading files) when used with paste.httpserver (this does not affect other servers, and does not apply when proxying requests from Apache to paste.httpserver).

* paste.httpserver and paste.fixture.TestApp url-unquote SCRIPT_NAME and PATH_INFO, as specified in the CGI spec. Thanks to Jon Nelson for pointing out both these issues.

* paste.registry now works within the EvalException interactive debugger.

* Added a __traceback_decorator__ magic local variable, to allow arbitrary manipulation of the output of paste.exceptions.collector before formatting.

* Added unicorn power to paste.pony (from Chad Whitacre)

* For paste.httpserver SSL support: add support for loading an explicit certificate context, and for using ssl_pem='*' to create an unsigned SSL certificate (from Jason Kirtland).

Paste Script
~~~~~~~~~~~~

* Allow variable assignments at the end of paster serve, like paster serve http_port=80; then you can use %(http_port)s in your config files (requires up-to-date Paste Deploy).

Paste Deploy
~~~~~~~~~~~~

* Really nothing interesting.

-- Ian Bicking | [EMAIL PROTECTED] | http://blog.ianbicking.org
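
The root-escape class of bug named in the announcement, seen from the defensive side. This is an added example, not part of the original message, not Paste's code and not the actual fix: a static-file resolver that canonicalises the url-unquoted PATH_INFO and refuses anything that resolves outside the served root. The names `resolve_static`, `static_app` and `demo` are hypothetical, and the file layout and request paths are constructed.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_static(root, path_info):
    """Map an already-unquoted PATH_INFO to a file under root, or return None."""
    root = os.path.realpath(root)
    # Reject NUL bytes and backslashes outright; this resolver treats both as invalid.
    if "\x00" in path_info or "\\" in path_info:
        return None
    # Join relative to root, then canonicalise (collapses ".." and follows symlinks).
    candidate = os.path.realpath(os.path.join(root, path_info.lstrip("/")))
    # Containment check: the canonical path must still sit inside root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None


def static_app(root):
    """Hypothetical minimal WSGI app serving files from root."""
    def app(environ, start_response):
        path = resolve_static(root, environ.get("PATH_INFO", ""))
        if path is None:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found"]
        with open(path, "rb") as f:
            body = f.read()
        start_response("200 OK", [("Content-Length", str(len(body)))])
        return [body]
    return app


def demo():
    """Constructed layout: <tmp>/secret.txt sits beside the served <tmp>/static/."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "static")
        os.mkdir(root)
        for name, data in (("static/ok.txt", b"public"), ("secret.txt", b"private")):
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(data)
        results = {}
        # The server hands the app PATH_INFO after url-unquoting the request path.
        for raw in ("/ok.txt", "/%2e%2e/secret.txt", "/../secret.txt", "/missing.txt"):
            status = []
            body = static_app(root)({"PATH_INFO": unquote(raw)},
                                    lambda s, h: status.append(s))
            results[raw] = (status[0], b"".join(body))
        return results
```

The check runs on the canonical path after unquoting, so an encoded and a literal parent-directory segment are handled identically.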
