[Web-SIG] Paste 1.1

Ian Bicking ianb at colorstudy.com
Mon Dec 18 06:06:54 CET 2006


Paste 1.1
---------

This release includes a security fix, fixing a situation where you
could escape the root when serving static files and running the Paste
HTTP server publicly.  If you used other WSGI servers or used the
Paste HTTP server behind Apache this does not affect you.  For an
update of Paste 1.0 that includes *only* the security fix, use
"easy_install Paste==1.0.1"

What Is Paste?
--------------

URL:     http://pythonpaste.org
Install: easy_install Paste PasteScript PasteDeploy
News: http://pythonpaste.org/news.html
       http://pythonpaste.org/script/news.html
       http://pythonpaste.org/deploy/news.html

Paste is a set of WSGI components, each of which can be used in
isolation.  But used together they form an unstoppable force.  Team
WSGI, unite!

These components let you do things like create applications that proxy
to other websites, mount multiple applications under different
prefixes, catch exceptions and interactively inspect the environment,
and much more.

Paste Deploy is a configuration system for these components.  Paste
Script is a jack of all trades that builds new project file layouts,
runs WSGI server stacks, and does application deployment.

Interesting News
----------------

Paste
~~~~~

* Security fix for paste.urlparser.StaticURLParser.  The problem
   allowed escaping the root (and reading files) when used with
   paste.httpserver (this does not affect other servers, and does
   not apply when proxying requests from Apache to
   paste.httpserver).

* paste.httpserver and paste.fixture.TestApp url-unquote
   SCRIPT_NAME and PATH_INFO, as specified in the CGI spec.
   Thanks to Jon Nelson for pointing out both these issues.

* paste.registry now works within the EvalException
   interactive debugger.

* Added a __traceback_decorator__ magic local variable, to allow
   arbitrary manipulation of the output of
   paste.exceptions.collector before formatting.

* Added unicorn power to paste.pony (from Chad Whitacre)

* For paste.httpserver SSL support: add support for loading an
   explicit certificate context, and for using ssl_pem='*' to create
   an unsigned SSL certificate (from Jason Kirtland).

Paste Script
~~~~~~~~~~~~

* Allow variable assignments at the end of paster serve, like
   paster serve http_port=80; then you can use %(http_port)s in
   your config files (requires up-to-date Paste Deploy).

Paste Deploy
~~~~~~~~~~~~

* Really nothing interesting.

-- 
Ian Bicking | ianb at colorstudy.com | http://blog.ianbicking.org
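
Added example, not part of the original announcement and not Paste's own code: a root-containment check for a WSGI static file app that receives an already url-unquoted PATH_INFO, which is the combination the security fix and the unquoting change above concern. The names resolve_under_root, static_app and demo are hypothetical, and the directory tree and request paths are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def resolve_under_root(root, path_info):
    """Map an already-unquoted PATH_INFO to a file path; None if it leaves root."""
    if "\x00" in path_info:
        return None
    root = os.path.realpath(root)
    # Drop leading slashes so os.path.join is not reset by an absolute path.
    relative = path_info.lstrip("/")
    # realpath collapses '..' segments and follows symlinks before comparing.
    candidate = os.path.realpath(os.path.join(root, relative))
    # commonpath compares whole components, so /static-evil does not match /static.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def static_app(root):
    """Minimal WSGI app serving files below root (hypothetical, for illustration)."""
    def app(environ, start_response):
        full = resolve_under_root(root, environ.get("PATH_INFO", ""))
        if full is None or not os.path.isfile(full):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found"]
        body = Path(full).read_bytes()
        start_response("200 OK", [("Content-Length", str(len(body)))])
        return [body]
    return app


def demo():
    """Request paths inside and outside a constructed root; return status per path."""
    with tempfile.TemporaryDirectory() as base:
        root = Path(base, "static")
        root.mkdir()
        (root / "index.html").write_text("ok")
        Path(base, "secret.txt").write_text("secret")  # sits outside root
        app = static_app(str(root))
        results = {}
        for raw in ["/index.html", "/../secret.txt", "/%2e%2e/secret.txt", "/a/../../secret.txt"]:
            status = []
            # Unquote as the server layer does before the app sees PATH_INFO.
            body = b"".join(app({"PATH_INFO": unquote(raw)}, lambda s, h: status.append(s)))
            results[raw] = (status[0], body)
        return results
```

The check runs on the resolved path rather than on the request string, so it gives the same answer whether the dot segments arrived literally or percent-encoded.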


