Merge branch 'main' into tcdict-pop

.github/workflows/pre-commit.yaml

@@ -0,0 +1,16 @@
+name: pre-commit
+on:
+  pull_request:
+  push:
+    branches: [main, '*.x']
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+    - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      with:
+        python-version: 3.x
+    - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
+    - uses: pre-commit-ci/lite-action@9d882e7a565f7008d4faf128f27d1cb6503d4ebf # v1.0.2
+      if: ${{ !cancelled() }}

.github/workflows/publish.yaml

@@ -9,8 +9,8 @@ jobs:
     outputs:
       hash: ${{ steps.hash.outputs.hash }}
     steps:
-      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
-      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: '3.x'
           cache: pip
@@ -23,7 +23,7 @@ jobs:
       - name: generate hash
         id: hash
         run: cd dist && echo "hash=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
-      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           path: ./dist
   provenance:
@@ -44,7 +44,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395 # v4.1.6
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       - name: create release
         run: >
           gh release create --draft --repo ${{ github.repository }}
@@ -63,11 +63,11 @@ jobs:
     permissions:
       id-token: write
     steps:
-      - uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395 # v4.1.6
-      - uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # v1.8.14
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      - uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # v1.9.0
         with:
           repository-url: https://test.pypi.org/legacy/
           packages-dir: artifact/
-      - uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # v1.8.14
+      - uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # v1.9.0
         with:
           packages-dir: artifact/

.github/workflows/tests.yaml

@@ -21,6 +21,7 @@ jobs:
       fail-fast: false
       matrix:
         include:
+          - {python: '3.13'}
           - {python: '3.12'}
           - {name: Windows, python: '3.12', os: windows-latest}
           - {name: Mac, python: '3.12', os: macos-latest}
@@ -30,8 +31,8 @@ jobs:
           - {python: '3.8'}
           - {name: PyPy, python: 'pypy-3.10', tox: pypy310}
     steps:
-      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
-      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: ${{ matrix.python }}
           allow-prereleases: true
@@ -42,8 +43,8 @@ jobs:
   typing:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
-      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: '3.x'
           cache: pip

.pre-commit-config.yaml

@@ -1,8 +1,6 @@
-ci:
-  autoupdate_schedule: monthly
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.3.5
+    rev: v0.6.2
     hooks:
       - id: ruff
       - id: ruff-format

CHANGES.rst

@@ -5,31 +5,73 @@ Version 3.1.0
 
 Unreleased
 
--  Support Cookie CHxIPS (Partitioned Cookies). :issue:`2797`
+-  Support Cookie CHIPS (Partitioned Cookies). :issue:`2797`
 -  Added ``TypeConversionDict.pop`` method. :issue:`2883`
+-   ``CacheControl.no_transform`` is a boolean when present. ``min_fresh`` is
+    ``None`` when not present. Added the ``must_understand`` attribute. Fixed
+    some typing issues on cache control. :issue:`2881`
+
+
+Version 3.0.4
+-------------
+
+Released 2024-08-21
+
+-   Restore behavior where parsing `multipart/x-www-form-urlencoded` data with
+    invalid UTF-8 bytes in the body results in no form data parsed rather than a
+    413 error. :issue:`2930`
+-   Improve ``parse_options_header`` performance when parsing unterminated
+    quoted string values. :issue:`2904`
+-   Debugger pin auth is synchronized across threads/processes when tracking
+    failed entries. :issue:`2916`
+-   Dev server handles unexpected `SSLEOFError` due to issue in Python < 3.13.
+    :issue:`2926`
+-   Debugger pin auth works when the URL already contains a query string.
+    :issue:`2918`
+
+
+Version 3.0.3
+-------------
+
+Released 2024-05-05
+
+-   Only allow ``localhost``, ``.localhost``, ``127.0.0.1``, or the specified
+    hostname when running the dev server, to make debugger requests. Additional
+    hosts can be added by using the debugger middleware directly. The debugger
+    UI makes requests using the full URL rather than only the path.
+    :ghsa:`2g68-c3qc-8985`
+-   Make reloader more robust when ``""`` is in ``sys.path``. :pr:`2823`
+-   Better TLS cert format with ``adhoc`` dev certs. :pr:`2891`
+-   Inform Python < 3.12 how to handle ``itms-services`` URIs correctly, rather
+    than using an overly-broad workaround in Werkzeug that caused some redirect
+    URIs to be passed on without encoding. :issue:`2828`
+-   Type annotation for ``Rule.endpoint`` and other uses of ``endpoint`` is
+    ``Any``. :issue:`2836`
+-   Make reloader more robust when ``""`` is in ``sys.path``. :pr:`2823`
+
 
 Version 3.0.2
 -------------
 
 Released 2024-04-01
 
--   Ensure setting merge_slashes to False results in NotFound for
+-   Ensure setting ``merge_slashes`` to ``False`` results in ``NotFound`` for
     repeated-slash requests against single slash routes. :issue:`2834`
--   Fix handling of TypeError in TypeConversionDict.get() to match
-    ValueErrors. :issue:`2843`
--   Fix response_wrapper type check in test client. :issue:`2831`
--   Make the return type of ``MultiPartParser.parse`` more
-    precise. :issue:`2840`
--   Raise an error if converter arguments cannot be
-    parsed. :issue:`2822`
+-   Fix handling of ``TypeError`` in ``TypeConversionDict.get()`` to match
+    ``ValueError``. :issue:`2843`
+-   Fix ``response_wrapper`` type check in test client. :issue:`2831`
+-   Make the return type of ``MultiPartParser.parse`` more precise.
+    :issue:`2840`
+-   Raise an error if converter arguments cannot be parsed. :issue:`2822`
+
 
 Version 3.0.1
 -------------
 
 Released 2023-10-24
 
--   Fix slow multipart parsing for large parts potentially enabling DoS
-    attacks.
+-   Fix slow multipart parsing for large parts potentially enabling DoS attacks.
+
 
 Version 3.0.0
 -------------

docs/conf.py

@@ -25,6 +25,7 @@
 extlinks = {
     "issue": ("https://github.com/pallets/werkzeug/issues/%s", "#%s"),
     "pr": ("https://github.com/pallets/werkzeug/pull/%s", "#%s"),
+    "ghsa": ("https://github.com/advisories/%s", "GHSA-%s"),
 }
 intersphinx_mapping = {
     "python": ("https://docs.python.org/3/", None),

docs/debug.rst

@@ -16,7 +16,8 @@ interactive debug console to execute code in any frame.
     The debugger allows the execution of arbitrary code which makes it a
     major security risk. **The debugger must never be used on production
     machines. We cannot stress this enough. Do not enable the debugger
-    in production.**
+    in production.** Production means anything that is not development,
+    and anything that is publicly accessible.
 
 .. note::
 
@@ -72,10 +73,9 @@ argument to get a detailed list of all the attributes it has.
 Debugger PIN
 ------------
 
-Starting with Werkzeug 0.11 the debug console is protected by a PIN.
-This is a security helper to make it less likely for the debugger to be
-exploited if you forget to disable it when deploying to production. The
-PIN based authentication is enabled by default.
+The debug console is protected by a PIN. This is a security helper to make it
+less likely for the debugger to be exploited if you forget to disable it when
+deploying to production. The PIN based authentication is enabled by default.
 
 The first time a console is opened, a dialog will prompt for a PIN that
 is printed to the command line. The PIN is generated in a stable way
@@ -92,6 +92,31 @@ intended to make it harder for an attacker to exploit the debugger.
 Never enable the debugger in production.**
 
 
+Allowed Hosts
+-------------
+
+The debug console will only be served if the request comes from a trusted host.
+If a request comes from a browser page that is not served on a trusted URL, a
+400 error will be returned.
+
+By default, ``localhost``, any ``.localhost`` subdomain, and ``127.0.0.1`` are
+trusted. ``run_simple`` will trust its ``hostname`` argument as well. To change
+this further, use the debug middleware directly rather than through
+``use_debugger=True``.
+
+.. code-block:: python
+
+    if os.environ.get("USE_DEBUGGER") in {"1", "true"}:
+        app = DebuggedApplication(app, evalex=True)
+        app.trusted_hosts = [...]
+
+    run_simple("localhost", 8080, app)
+
+**This feature is not meant to entirely secure the debugger. It is
+intended to make it harder for an attacker to exploit the debugger.
+Never enable the debugger in production.**
+
+
 Pasting Errors
 --------------
 

docs/quickstart.rst

@@ -9,7 +9,7 @@ understanding of :pep:`3333` (WSGI) and :rfc:`2616` (HTTP).
 
 
 WSGI Environment
-================
+----------------
 
 The WSGI environment contains all the information the user request transmits
 to the application.  It is passed to the WSGI application but you can also
@@ -33,7 +33,7 @@ access the form data besides parsing that data by hand.
 
 
 Enter Request
-=============
+-------------
 
 For access to the request data the :class:`Request` object is much more fun.
 It wraps the `environ` and provides a read-only access to the data from
@@ -112,7 +112,7 @@ The keys for the headers are of course case insensitive.
 
 
 Header Parsing
-==============
+--------------
 
 There is more.  Werkzeug provides convenient access to often used HTTP headers
 and other request data.
@@ -183,7 +183,7 @@ True
 
 
 Responses
-=========
+---------
 
 Response objects are the opposite of request objects.  They are used to send
 data back to the client.  In reality, response objects are nothing more than

pyproject.toml

@@ -79,9 +79,6 @@ strict = true
 module = [
     "colorama.*",
     "cryptography.*",
-    "eventlet.*",
-    "gevent.*",
-    "greenlet.*",
     "watchdog.*",
     "xprocess.*",
 ]
@@ -110,8 +107,12 @@ select = [
 ignore = [
     "E402",  # allow circular imports at end of file
 ]
-ignore-init-module-imports = true
 
 [tool.ruff.lint.isort]
 force-single-line = true
 order-by-type = false
+
+[tool.gha-update]
+tag-only = [
+    "slsa-framework/slsa-github-generator",
+]

requirements/build.txt

@@ -6,7 +6,7 @@
 #
 build==1.2.1
     # via -r build.in
-packaging==24.0
+packaging==24.1
     # via build
-pyproject-hooks==1.0.0
+pyproject-hooks==1.1.0
     # via build