WebOb

1.8.9 · active · verified Thu Apr 09

WebOb is a Python library that provides objects for HTTP requests and responses, specifically by wrapping the WSGI request environment and response status/headers/body. It offers many conveniences for parsing HTTP requests and forming HTTP responses, serving as a foundational component for various Python web frameworks. The library is currently at version 1.8.9 and is actively maintained by the Pylons Project, with a consistent release cadence addressing bugs and security fixes.

Warnings

breaking The `Response.set_cookie` method's `key` parameter was renamed to `name`. Using `key` was deprecated in WebOb 1.5 and completely removed in 1.7.
Fix: Update calls to `response.set_cookie(key=...)` to `response.set_cookie(name=...)`.
breaking Setting a text `body` without explicitly specifying a `charset` in `Response` objects will raise a `TypeError` since WebOb 1.7. Previously, it might have silently defaulted.
Fix: For text content, either provide `charset='UTF-8'` (or another suitable encoding) in the `Response` constructor, or use the `text` parameter instead of `body` (e.g., `Response(text='content')`).
breaking The `status` attribute of a `Response` object no longer accepts arbitrary strings (like `None None`) and now strictly requires a format matching `<integer status code> <explanation of status code>`. Invalid strings will raise a `ValueError`.
Fix: Ensure `response.status` is set to a valid HTTP status string (e.g., `'200 OK'`, `'404 Not Found'`).
breaking WebOb 1.8.0 introduced significant changes to Accept header handling (Accept, Accept-Charset, Accept-Encoding, Accept-Language), potentially breaking applications relying on previous parsing behaviors.
Fix: Review and test existing code that relies on WebOb's Accept header parsing after upgrading to 1.8.0 or later. Refer to the official documentation for the new behavior.
security A security vulnerability (CVE-2024-42353) in WebOb 1.8.8 and earlier can lead to an open redirect if `Response` objects are used to redirect to an unvalidated `Location` header, which is not a full URI.
Fix: Upgrade to WebOb 1.8.9 or later. Always validate user-provided redirect URLs to ensure they are full, absolute URIs and point to trusted domains before using them in `Response.location` or `Response.status = '302 Found'; response.headers['Location'] = ...`.
gotcha The `SameSite` cookie attribute's 'None' value was introduced in WebOb 1.8.6. While WebOb doesn't enable `SameSite` by default, older clients may be incompatible with this new value, leading to unexpected cookie behavior.
Fix: If explicitly setting `SameSite=None`, be aware of potential client incompatibilities. Consider the implications for older browser versions. Validation of `SameSite` values can be disabled via a module flag if needed for specific scenarios.

Install

pip install webob Install latest version

Imports

Request
```
from webob import Request
```
Response
```
from webob import Response
```
HTTPNotFound
```
from webob.exc import HTTPNotFound
```
Common HTTP exceptions are available under webob.exc

Quickstart

This quickstart demonstrates a minimal WSGI application using WebOb. It handles incoming requests, creates a Response object, and serves a simple 'Hello, WebOb!' page for the root path or a 'Not Found' error for other paths. The example includes a basic `wsgiref` server for local execution.

from webob import Request, Response

def application(environ, start_response):
    request = Request(environ)
    response = Response()

    if request.path == '/':
        response.status = '200 OK'
        response.content_type = 'text/html'
        response.text = '<h1>Hello, WebOb!</h1>'
    else:
        response.status = '404 Not Found'
        response.content_type = 'text/plain'
        response.text = 'Not Found'

    return response(environ, start_response)

# Example of how to 'run' a request for testing (not a full WSGI server)
if __name__ == '__main__':
    from wsgiref.simple_server import make_server
    httpd = make_server('', 8000, application)
    print('Serving on http://localhost:8000')
    httpd.serve_forever()

view raw JSON →