- Update to 1.7.0 (2019-02-01)
+ The URL validator regex has been updated to no longer be
vulnerable to a catastrophic backtracking that would have led to
an infinite loop.
See https://github.com/Pylons/colander/pull/323
and https://github.com/Pylons/colander/issues/290.
With thanks to Przemek (https://github.com/p-m-k).
+ This does change the behaviour of the URL validator and it no
longer supports file:// URI scheme
(https://tools.ietf.org/html/rfc8089). Users that wish to validate
file:// URI’s should change their validator to use
colander.file_uri instead.
+ It has also dropped support for alternate schemes outside of
http/ftp (and their secure equivelants). Please let us know if we
need to relax this requirement.
+ CVE-ID: CVE-2017-18361
+ The Email validator has been updated to use the same regular
expression that is used by the WhatWG HTML specification, thereby
increasing the email addresses that will validate correctly from
web forms submitted.
See https://github.com/Pylons/colander/pull/324
and https://github.com/Pylons/colander/issues/283
+ Number once again will allow you to serialize None to colander.null,
this reverts an accidental revert.
See https://github.com/Pylons/colander/issues/204#issuecomment-459556100
+ Integer SchemaType now supports an optional strict mode that will
validate that the number is an integer, rather than silently accepting
floats and truncating.
See https://github.com/Pylons/colander/pull/322
and https://github.com/Pylons/colander/issues/292