Commit

remove changes from changelog that have been released in 2.0.x
mmerickel committed Jan 29, 2024
1 parent ef8b250 commit b2457bb
Showing 1 changed file with 1 addition and 15 deletions.
16 changes: 1 addition & 15 deletions CHANGES.rst
Expand Up @@ -4,7 +4,7 @@ unreleased
Features
--------

- Add support for Python 3.11 and 3.12.
- Add support for Python 3.12.

- Added HTTP 418 error code via `pyramid.httpexceptions.HTTPImATeapot`.
See https://github.com/Pylons/pyramid/pull/3667
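
Review bot: while this Features list is being edited, the context line for `pyramid.httpexceptions.HTTPImATeapot` uses single backticks, which reStructuredText treats as interpreted text rather than an inline literal. The Bug Fixes section of the same file writes ``index.html`` with double backticks, so matching that here would render the class name as code. The reworded Python entry itself reads fine with 3.11 dropped.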
Expand All @@ -31,17 +31,6 @@ Features
Bug Fixes
---------

- Removed support for null-bytes in the path when making a request for a file
against a static_view. Whille null-bytes are allowed by the HTTP
specification, due to the handling of null-bytes potentially leading to
security vulnerabilities it is no longer supported.

This fixes a security vulnerability that is present due to a bug in Python
3.11.0 through 3.11.4, thereby allowing the unintended disclosure of an
``index.html`` one directory up from the static views path.

Thanks to Masashi Yamane of LAC Co., Ltd for reporting this issue.

- Fix issues where permissions may be checked on exception views. This is not
supposed to happen in normal circumstances.
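
Review bot: the deleted Bug Fixes entry is the only record in this section of the static_view null-byte security fix, the affected interpreter range (Python 3.11.0 through 3.11.4) and the reporter credit, and the commit adds nothing in its place (1 addition and 15 deletions in CHANGES.rst, the addition being the Python 3.12 line). Before merging, confirm that the 2.0.x section of the changelog carries the same text in full, and consider naming the exact 2.0.x release in the commit message so the fix can be traced to a version.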

Expand All @@ -62,9 +51,6 @@ Backward Incompatibilities

- Drop support for Python 3.6 and 3.7.

- Requests to a static_view are no longer allowed to contain a null-byte in any
part of the path segment.

- Drop support for l*gettext() methods in the i18n module.
These have been deprecated in Python's gettext module since 3.8, and
removed in Python 3.11.
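
Review bot: with the static_view item removed from Backward Incompatibilities, this section no longer tells a reader that requests containing a null-byte in the path are rejected. That is a behaviour change an application can observe, not just a fix, so check that the 2.0.x release notes list it under its own backward-incompatibility heading and not only under bug fixes.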