{"id":1785,"library":"webob","title":"WebOb","description":"WebOb is a Python library that provides objects for HTTP requests and responses, specifically by wrapping the WSGI request environment and response status/headers/body. It offers many conveniences for parsing HTTP requests and forming HTTP responses, serving as a foundational component for various Python web frameworks. The library is currently at version 1.8.9 and is actively maintained by the Pylons Project, with a consistent release cadence addressing bugs and security fixes.","status":"active","version":"1.8.9","language":"en","source_language":"en","source_url":"https://github.com/Pylons/webob","tags":["web","wsgi","http","request","response","middleware"],"install":[{"cmd":"pip install webob","lang":"bash","label":"Install latest version"}],"dependencies":[{"reason":"Required for Python 3.13 compatibility.","package":"legacy-cgi","optional":false}],"imports":[{"symbol":"Request","correct":"from webob import Request"},{"symbol":"Response","correct":"from webob import Response"},{"note":"Common HTTP exceptions are available under webob.exc","symbol":"HTTPNotFound","correct":"from webob.exc import HTTPNotFound"}],"quickstart":{"code":"from webob import Request, Response\n\ndef application(environ, start_response):\n    request = Request(environ)\n    response = Response()\n\n    if request.path == '/':\n        response.status = '200 OK'\n        response.content_type = 'text/html'\n        response.text = '<h1>Hello, WebOb!</h1>'\n    else:\n        response.status = '404 Not Found'\n        response.content_type = 'text/plain'\n        response.text = 'Not Found'\n\n    return response(environ, start_response)\n\n# Example of how to 'run' a request for testing (not a full WSGI server)\nif __name__ == '__main__':\n    from wsgiref.simple_server import make_server\n    httpd = make_server('', 8000, application)\n    print('Serving on http://localhost:8000')\n    
httpd.serve_forever()","lang":"python","description":"This quickstart demonstrates a minimal WSGI application using WebOb. It handles incoming requests, creates a Response object, and serves a simple 'Hello, WebOb!' page for the root path or a 'Not Found' error for other paths. The example includes a basic `wsgiref` server for local execution."},"warnings":[{"fix":"Update calls to `response.set_cookie(key=...)` to `response.set_cookie(name=...)`.","message":"The `Response.set_cookie` method's `key` parameter was renamed to `name`. Using `key` was deprecated in WebOb 1.5 and completely removed in 1.7.","severity":"breaking","affected_versions":">=1.7"},{"fix":"For text content, either provide `charset='UTF-8'` (or another suitable encoding) in the `Response` constructor, or use the `text` parameter instead of `body` (e.g., `Response(text='content')`).","message":"Setting a text `body` without explicitly specifying a `charset` in `Response` objects will raise a `TypeError` since WebOb 1.7. Previously, it might have silently defaulted.","severity":"breaking","affected_versions":">=1.7"},{"fix":"Ensure `response.status` is set to a valid HTTP status string (e.g., `'200 OK'`, `'404 Not Found'`).","message":"The `status` attribute of a `Response` object no longer accepts arbitrary strings (like `None None`) and now strictly requires a format matching `<integer status code> <explanation of status code>`. Invalid strings will raise a `ValueError`.","severity":"breaking","affected_versions":">=1.5, <1.7 (deprecation), >=1.7 (breaking change)"},{"fix":"Review and test existing code that relies on WebOb's Accept header parsing after upgrading to 1.8.0 or later. 
Refer to the official documentation for the new behavior.","message":"WebOb 1.8.0 introduced significant changes to Accept header handling (Accept, Accept-Charset, Accept-Encoding, Accept-Language), potentially breaking applications relying on previous parsing behaviors.","severity":"breaking","affected_versions":">=1.8.0"},{"fix":"Upgrade to WebOb 1.8.9 or later. Always validate user-provided redirect URLs to ensure they are full, absolute URIs and point to trusted domains before using them in `Response.location` or `response.status = '302 Found'; response.headers['Location'] = ...`.","message":"A security vulnerability (CVE-2024-42353) in WebOb 1.8.8 and earlier can lead to an open redirect when a `Response` object redirects to an unvalidated `Location` header value that is not a full URI.","severity":"security","affected_versions":"<1.8.9"},{"fix":"If explicitly setting `SameSite=None`, be aware of potential client incompatibilities. Consider the implications for older browser versions. Validation of `SameSite` values can be disabled via a module flag if needed for specific scenarios.","message":"The `SameSite` cookie attribute's 'None' value was introduced in WebOb 1.8.6. While WebOb doesn't enable `SameSite` by default, older clients may be incompatible with this new value, leading to unexpected cookie behavior.","severity":"gotcha","affected_versions":">=1.8.6"}],"env_vars":null,"last_verified":"2026-04-09T00:00:00.000Z","next_check":"2026-07-08T00:00:00.000Z"}