colander v1.7.0 Release Notes
Release Date: 2019-02-01
- The URL validator regex has been updated to no longer be vulnerable to catastrophic backtracking that would have led to an infinite loop. See https://github.com/Pylons/colander/pull/323 and https://github.com/Pylons/colander/issues/290. With thanks to Przemek (https://github.com/p-m-k).

  This does change the behaviour of the URL validator: it no longer supports the file:// URI scheme (https://tools.ietf.org/html/rfc8089). Users that wish to validate file:// URIs should change their validator to use colander.file_uri instead.

  It has also dropped support for alternate schemes outside of http/ftp (and their secure equivalents). Please let us know if we need to relax this requirement.

  CVE-ID: CVE-2017-18361

- The Email validator has been updated to use the same regular expression that is used by the WhatWG HTML specification, thereby increasing the number of email addresses submitted from web forms that will validate correctly. See https://github.com/Pylons/colander/pull/324 and https://github.com/Pylons/colander/issues/283

- Number once again will allow you to serialize None to colander.null; this reverts an accidental revert. See https://github.com/Pylons/colander/issues/204#issuecomment-459556100

- Integer SchemaType now supports an optional strict mode that will validate that the number is an integer, rather than silently accepting floats and truncating. See https://github.com/Pylons/colander/pull/322 and https://github.com/Pylons/colander/issues/292
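
A timing check that maintainers can run against their own validator patterns to catch the class of catastrophic backtracking fixed in the URL validator above. This is an added example, not colander code: the two patterns are constructed for illustration (neither is colander's URL regex), and the function names are hypothetical.

```python
import re
import time

# Constructed patterns for illustration; neither is colander's URL regex.
# Both accept the same strings, but NESTED repeats a group that itself
# repeats, so a run of characters can be split in exponentially many ways.
NESTED = re.compile(r"^([a-z0-9]+)+$")
FLAT = re.compile(r"^[a-z0-9]+$")


def best_time(pattern, text, repeats=3):
    """Smallest wall-clock time of `repeats` match attempts, in seconds."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.match(text)
        best = min(best, time.perf_counter() - start)
    return best


def backtracks_badly(pattern, short=10, long=20, ratio=50.0, floor=0.005):
    """Flag a validator regex whose rejection time explodes with input length.

    Each probe is a run of valid characters followed by one character the
    pattern cannot match, so a backtracking engine has to exhaust every
    alternative before it rejects. For a well-behaved pattern, doubling
    the length roughly doubles the time; here the pattern is flagged when
    the longer probe takes more than `floor` seconds and more than `ratio`
    times as long as the shorter one.
    """
    t_short = best_time(pattern, "a" * short + "!")
    t_long = best_time(pattern, "a" * long + "!")
    return t_long > floor and t_long / max(t_short, 1e-9) > ratio


if __name__ == "__main__":
    for name, pattern in (("NESTED", NESTED), ("FLAT", FLAT)):
        verdict = "super-linear" if backtracks_badly(pattern) else "ok"
        print(f"{name}: {verdict}")
```

Keep the probe lengths small in CI: the nested pattern roughly doubles its running time with every added character.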