- # -*- coding: utf-8 -*-
- """
- werkzeug.wrappers
- ~~~~~~~~~~~~~~~~~
- The wrappers are simple request and response objects which you can
- subclass to do whatever you want them to do. The request object contains
- the information transmitted by the client (webbrowser) and the response
- object contains all the information sent back to the browser.
- An important detail is that the request object is created with the WSGI
- environ and will act as high-level proxy whereas the response object is an
- actual WSGI application.
- Like everything else in Werkzeug these objects will work correctly with
- unicode data. Incoming form data parsed by the response object will be
- decoded into an unicode object if possible and if it makes sense.
- :copyright: (c) 2014 by the Werkzeug Team, see AUTHORS for more details.
- :license: BSD, see LICENSE for more details.
- """
- from functools import update_wrapper
- from datetime import datetime, timedelta
- from warnings import warn
- from werkzeug.http import HTTP_STATUS_CODES, \
- parse_accept_header, parse_cache_control_header, parse_etags, \
- parse_date, generate_etag, is_resource_modified, unquote_etag, \
- quote_etag, parse_set_header, parse_authorization_header, \
- parse_www_authenticate_header, remove_entity_headers, \
- parse_options_header, dump_options_header, http_date, \
- parse_if_range_header, parse_cookie, dump_cookie, \
- parse_range_header, parse_content_range_header, dump_header, \
- parse_age, dump_age
- from werkzeug.urls import url_decode, iri_to_uri, url_join
- from werkzeug.formparser import FormDataParser, default_stream_factory
- from werkzeug.utils import cached_property, environ_property, \
- header_property, get_content_type
- from werkzeug.wsgi import get_current_url, get_host, \
- ClosingIterator, get_input_stream, get_content_length, _RangeWrapper
- from werkzeug.datastructures import MultiDict, CombinedMultiDict, Headers, \
- EnvironHeaders, ImmutableMultiDict, ImmutableTypeConversionDict, \
- ImmutableList, MIMEAccept, CharsetAccept, LanguageAccept, \
- ResponseCacheControl, RequestCacheControl, CallbackDict, \
- ContentRange, iter_multi_items
- from werkzeug._internal import _get_environ
- from werkzeug._compat import to_bytes, string_types, text_type, \
- integer_types, wsgi_decoding_dance, wsgi_get_bytes, \
- to_unicode, to_native, BytesIO
- def _run_wsgi_app(*args):
- """This function replaces itself to ensure that the test module is not
- imported unless required. DO NOT USE!
- """
- global _run_wsgi_app
- from werkzeug.test import run_wsgi_app as _run_wsgi_app
- return _run_wsgi_app(*args)
- def _warn_if_string(iterable):
- """Helper for the response objects to check if the iterable returned
- to the WSGI server is not a string.
- """
- if isinstance(iterable, string_types):
- warn(Warning('response iterable was set to a string. This appears '
- 'to work but means that the server will send the '
- 'data to the client char, by char. This is almost '
- 'never intended behavior, use response.data to assign '
- 'strings to the response object.'), stacklevel=2)
- def _assert_not_shallow(request):
- if request.shallow:
- raise RuntimeError('A shallow request tried to consume '
- 'form data. If you really want to do '
- 'that, set `shallow` to False.')
- def _iter_encoded(iterable, charset):
- for item in iterable:
- if isinstance(item, text_type):
- yield item.encode(charset)
- else:
- yield item
- def _clean_accept_ranges(accept_ranges):
- if accept_ranges is True:
- return "bytes"
- elif accept_ranges is False:
- return "none"
- elif isinstance(accept_ranges, text_type):
- return to_native(accept_ranges)
- raise ValueError("Invalid accept_ranges value")
- class BaseRequest(object):
- """Very basic request object. This does not implement advanced stuff like
- entity tag parsing or cache controls. The request object is created with
- the WSGI environment as first argument and will add itself to the WSGI
- environment as ``'werkzeug.request'`` unless it's created with
- `populate_request` set to False.
- There are a couple of mixins available that add additional functionality
- to the request object, there is also a class called `Request` which
- subclasses `BaseRequest` and all the important mixins.
- It's a good idea to create a custom subclass of the :class:`BaseRequest`
- and add missing functionality either via mixins or direct implementation.
- Here an example for such subclasses::
- from werkzeug.wrappers import BaseRequest, ETagRequestMixin
- class Request(BaseRequest, ETagRequestMixin):
- pass
- Request objects are **read only**. As of 0.5 modifications are not
- allowed in any place. Unlike the lower level parsing functions the
- request object will use immutable objects everywhere possible.
- Per default the request object will assume all the text data is `utf-8`
- encoded. Please refer to `the unicode chapter <unicode.txt>`_ for more
- details about customizing the behavior.
- Per default the request object will be added to the WSGI
- environment as `werkzeug.request` to support the debugging system.
- If you don't want that, set `populate_request` to `False`.
- If `shallow` is `True` the environment is initialized as shallow
- object around the environ. Every operation that would modify the
- environ in any way (such as consuming form data) raises an exception
- unless the `shallow` attribute is explicitly set to `False`. This
- is useful for middlewares where you don't want to consume the form
- data by accident. A shallow request is not populated to the WSGI
- environment.
- .. versionchanged:: 0.5
- read-only mode was enforced by using immutables classes for all
- data.
- """
- #: the charset for the request, defaults to utf-8
- charset = 'utf-8'
- #: the error handling procedure for errors, defaults to 'replace'
- encoding_errors = 'replace'
- #: the maximum content length. This is forwarded to the form data
- #: parsing function (:func:`parse_form_data`). When set and the
- #: :attr:`form` or :attr:`files` attribute is accessed and the
- #: parsing fails because more than the specified value is transmitted
- #: a :exc:`~werkzeug.exceptions.RequestEntityTooLarge` exception is raised.
- #:
- #: Have a look at :ref:`dealing-with-request-data` for more details.
- #:
- #: .. versionadded:: 0.5
- max_content_length = None
- #: the maximum form field size. This is forwarded to the form data
- #: parsing function (:func:`parse_form_data`). When set and the
- #: :attr:`form` or :attr:`files` attribute is accessed and the
- #: data in memory for post data is longer than the specified value a
- #: :exc:`~werkzeug.exceptions.RequestEntityTooLarge` exception is raised.
- #:
- #: Have a look at :ref:`dealing-with-request-data` for more details.
- #:
- #: .. versionadded:: 0.5
- max_form_memory_size = None
- #: the class to use for `args` and `form`. The default is an
- #: :class:`~werkzeug.datastructures.ImmutableMultiDict` which supports
- #: multiple values per key. alternatively it makes sense to use an
- #: :class:`~werkzeug.datastructures.ImmutableOrderedMultiDict` which
- #: preserves order or a :class:`~werkzeug.datastructures.ImmutableDict`
- #: which is the fastest but only remembers the last key. It is also
- #: possible to use mutable structures, but this is not recommended.
- #:
- #: .. versionadded:: 0.6
- parameter_storage_class = ImmutableMultiDict
- #: the type to be used for list values from the incoming WSGI environment.
- #: By default an :class:`~werkzeug.datastructures.ImmutableList` is used
- #: (for example for :attr:`access_list`).
- #:
- #: .. versionadded:: 0.6
- list_storage_class = ImmutableList
- #: the type to be used for dict values from the incoming WSGI environment.
- #: By default an
- #: :class:`~werkzeug.datastructures.ImmutableTypeConversionDict` is used
- #: (for example for :attr:`cookies`).
- #:
- #: .. versionadded:: 0.6
- dict_storage_class = ImmutableTypeConversionDict
- #: The form data parser that shoud be used. Can be replaced to customize
- #: the form date parsing.
- form_data_parser_class = FormDataParser
- #: Optionally a list of hosts that is trusted by this request. By default
- #: all hosts are trusted which means that whatever the client sends the
- #: host is will be accepted.
- #:
- #: This is the recommended setup as a webserver should manually be set up
- #: to only route correct hosts to the application, and remove the
- #: `X-Forwarded-Host` header if it is not being used (see
- #: :func:`werkzeug.wsgi.get_host`).
- #:
- #: .. versionadded:: 0.9
- trusted_hosts = None
- #: Indicates whether the data descriptor should be allowed to read and
- #: buffer up the input stream. By default it's enabled.
- #:
- #: .. versionadded:: 0.9
- disable_data_descriptor = False
- def __init__(self, environ, populate_request=True, shallow=False):
- self.environ = environ
- if populate_request and not shallow:
- self.environ['werkzeug.request'] = self
- self.shallow = shallow
- def __repr__(self):
- # make sure the __repr__ even works if the request was created
- # from an invalid WSGI environment. If we display the request
- # in a debug session we don't want the repr to blow up.
- args = []
- try:
- args.append("'%s'" % to_native(self.url, self.url_charset))
- args.append('[%s]' % self.method)
- except Exception:
- args.append('(invalid WSGI environ)')
- return '<%s %s>' % (
- self.__class__.__name__,
- ' '.join(args)
- )
- @property
- def url_charset(self):
- """The charset that is assumed for URLs. Defaults to the value
- of :attr:`charset`.
- .. versionadded:: 0.6
- """
- return self.charset
- @classmethod
- def from_values(cls, *args, **kwargs):
- """Create a new request object based on the values provided. If
- environ is given missing values are filled from there. This method is
- useful for small scripts when you need to simulate a request from an URL.
- Do not use this method for unittesting, there is a full featured client
- object (:class:`Client`) that allows to create multipart requests,
- support for cookies etc.
- This accepts the same options as the
- :class:`~werkzeug.test.EnvironBuilder`.
- .. versionchanged:: 0.5
- This method now accepts the same arguments as
- :class:`~werkzeug.test.EnvironBuilder`. Because of this the
- `environ` parameter is now called `environ_overrides`.
- :return: request object
- """
- from werkzeug.test import EnvironBuilder
- charset = kwargs.pop('charset', cls.charset)
- kwargs['charset'] = charset
- builder = EnvironBuilder(*args, **kwargs)
- try:
- return builder.get_request(cls)
- finally:
- builder.close()
- @classmethod
- def application(cls, f):
- """Decorate a function as responder that accepts the request as first
- argument. This works like the :func:`responder` decorator but the
- function is passed the request object as first argument and the
- request object will be closed automatically::
- @Request.application
- def my_wsgi_app(request):
- return Response('Hello World!')
- As of Werkzeug 0.14 HTTP exceptions are automatically caught and
- converted to responses instead of failing.
- :param f: the WSGI callable to decorate
- :return: a new WSGI callable
- """
- #: return a callable that wraps the -2nd argument with the request
- #: and calls the function with all the arguments up to that one and
- #: the request. The return value is then called with the latest
- #: two arguments. This makes it possible to use this decorator for
- #: both methods and standalone WSGI functions.
- from werkzeug.exceptions import HTTPException
- def application(*args):
- request = cls(args[-2])
- with request:
- try:
- resp = f(*args[:-2] + (request,))
- except HTTPException as e:
- resp = e.get_response(args[-2])
- return resp(*args[-2:])
- return update_wrapper(application, f)
- def _get_file_stream(self, total_content_length, content_type, filename=None,
- content_length=None):
- """Called to get a stream for the file upload.
- This must provide a file-like class with `read()`, `readline()`
- and `seek()` methods that is both writeable and readable.
- The default implementation returns a temporary file if the total
- content length is higher than 500KB. Because many browsers do not
- provide a content length for the files only the total content
- length matters.
- :param total_content_length: the total content length of all the
- data in the request combined. This value
- is guaranteed to be there.
- :param content_type: the mimetype of the uploaded file.
- :param filename: the filename of the uploaded file. May be `None`.
- :param content_length: the length of this file. This value is usually
- not provided because webbrowsers do not provide
- this value.
- """
- return default_stream_factory(
- total_content_length=total_content_length,
- content_type=content_type,
- filename=filename,
- content_length=content_length)
- @property
- def want_form_data_parsed(self):
- """Returns True if the request method carries content. As of
- Werkzeug 0.9 this will be the case if a content type is transmitted.
- .. versionadded:: 0.8
- """
- return bool(self.environ.get('CONTENT_TYPE'))
- def make_form_data_parser(self):
- """Creates the form data parser. Instantiates the
- :attr:`form_data_parser_class` with some parameters.
- .. versionadded:: 0.8
- """
- return self.form_data_parser_class(self._get_file_stream,
- self.charset,
- self.encoding_errors,
- self.max_form_memory_size,
- self.max_content_length,
- self.parameter_storage_class)
- def _load_form_data(self):
- """Method used internally to retrieve submitted data. After calling
- this sets `form` and `files` on the request object to multi dicts
- filled with the incoming form data. As a matter of fact the input
- stream will be empty afterwards. You can also call this method to
- force the parsing of the form data.
- .. versionadded:: 0.8
- """
- # abort early if we have already consumed the stream
- if 'form' in self.__dict__:
- return
- _assert_not_shallow(self)
- if self.want_form_data_parsed:
- content_type = self.environ.get('CONTENT_TYPE', '')
- content_length = get_content_length(self.environ)
- mimetype, options = parse_options_header(content_type)
- parser = self.make_form_data_parser()
- data = parser.parse(self._get_stream_for_parsing(),
- mimetype, content_length, options)
- else:
- data = (self.stream, self.parameter_storage_class(),
- self.parameter_storage_class())
- # inject the values into the instance dict so that we bypass
- # our cached_property non-data descriptor.
- d = self.__dict__
- d['stream'], d['form'], d['files'] = data
- def _get_stream_for_parsing(self):
- """This is the same as accessing :attr:`stream` with the difference
- that if it finds cached data from calling :meth:`get_data` first it
- will create a new stream out of the cached data.
- .. versionadded:: 0.9.3
- """
- cached_data = getattr(self, '_cached_data', None)
- if cached_data is not None:
- return BytesIO(cached_data)
- return self.stream
- def close(self):
- """Closes associated resources of this request object. This
- closes all file handles explicitly. You can also use the request
- object in a with statement which will automatically close it.
- .. versionadded:: 0.9
- """
- files = self.__dict__.get('files')
- for key, value in iter_multi_items(files or ()):
- value.close()
- def __enter__(self):
- return self
- def __exit__(self, exc_type, exc_value, tb):
- self.close()
- @cached_property
- def stream(self):
- """
- If the incoming form data was not encoded with a known mimetype
- the data is stored unmodified in this stream for consumption. Most
- of the time it is a better idea to use :attr:`data` which will give
- you that data as a string. The stream only returns the data once.
- Unlike :attr:`input_stream` this stream is properly guarded that you
- can't accidentally read past the length of the input. Werkzeug will
- internally always refer to this stream to read data which makes it
- possible to wrap this object with a stream that does filtering.
- .. versionchanged:: 0.9
- This stream is now always available but might be consumed by the
- form parser later on. Previously the stream was only set if no
- parsing happened.
- """
- _assert_not_shallow(self)
- return get_input_stream(self.environ)
- input_stream = environ_property('wsgi.input', """
- The WSGI input stream.
- In general it's a bad idea to use this one because you can easily read past
- the boundary. Use the :attr:`stream` instead.
- """)
- @cached_property
- def args(self):
- """The parsed URL parameters (the part in the URL after the question
- mark).
- By default an
- :class:`~werkzeug.datastructures.ImmutableMultiDict`
- is returned from this function. This can be changed by setting
- :attr:`parameter_storage_class` to a different type. This might
- be necessary if the order of the form data is important.
- """
- return url_decode(wsgi_get_bytes(self.environ.get('QUERY_STRING', '')),
- self.url_charset, errors=self.encoding_errors,
- cls=self.parameter_storage_class)
- @cached_property
- def data(self):
- """
- Contains the incoming request data as string in case it came with
- a mimetype Werkzeug does not handle.
- """
- if self.disable_data_descriptor:
- raise AttributeError('data descriptor is disabled')
- # XXX: this should eventually be deprecated.
- # We trigger form data parsing first which means that the descriptor
- # will not cache the data that would otherwise be .form or .files
- # data. This restores the behavior that was there in Werkzeug
- # before 0.9. New code should use :meth:`get_data` explicitly as
- # this will make behavior explicit.
- return self.get_data(parse_form_data=True)
- def get_data(self, cache=True, as_text=False, parse_form_data=False):
- """This reads the buffered incoming data from the client into one
- bytestring. By default this is cached but that behavior can be
- changed by setting `cache` to `False`.
- Usually it's a bad idea to call this method without checking the
- content length first as a client could send dozens of megabytes or more
- to cause memory problems on the server.
- Note that if the form data was already parsed this method will not
- return anything as form data parsing does not cache the data like
- this method does. To implicitly invoke form data parsing function
- set `parse_form_data` to `True`. When this is done the return value
- of this method will be an empty string if the form parser handles
- the data. This generally is not necessary as if the whole data is
- cached (which is the default) the form parser will used the cached
- data to parse the form data. Please be generally aware of checking
- the content length first in any case before calling this method
- to avoid exhausting server memory.
- If `as_text` is set to `True` the return value will be a decoded
- unicode string.
- .. versionadded:: 0.9
- """
- rv = getattr(self, '_cached_data', None)
- if rv is None:
- if parse_form_data:
- self._load_form_data()
- rv = self.stream.read()
- if cache:
- self._cached_data = rv
- if as_text:
- rv = rv.decode(self.charset, self.encoding_errors)
- return rv
- @cached_property
- def form(self):
- """The form parameters. By default an
- :class:`~werkzeug.datastructures.ImmutableMultiDict`
- is returned from this function. This can be changed by setting
- :attr:`parameter_storage_class` to a different type. This might
- be necessary if the order of the form data is important.
- Please keep in mind that file uploads will not end up here, but instead
- in the :attr:`files` attribute.
- .. versionchanged:: 0.9
- Previous to Werkzeug 0.9 this would only contain form data for POST
- and PUT requests.
- """
- self._load_form_data()
- return self.form
- @cached_property
- def values(self):
- """A :class:`werkzeug.datastructures.CombinedMultiDict` that combines
- :attr:`args` and :attr:`form`."""
- args = []
- for d in self.args, self.form:
- if not isinstance(d, MultiDict):
- d = MultiDict(d)
- args.append(d)
- return CombinedMultiDict(args)
- @cached_property
- def files(self):
- """:class:`~werkzeug.datastructures.MultiDict` object containing
- all uploaded files. Each key in :attr:`files` is the name from the
- ``<input type="file" name="">``. Each value in :attr:`files` is a
- Werkzeug :class:`~werkzeug.datastructures.FileStorage` object.
- It basically behaves like a standard file object you know from Python,
- with the difference that it also has a
- :meth:`~werkzeug.datastructures.FileStorage.save` function that can
- store the file on the filesystem.
- Note that :attr:`files` will only contain data if the request method was
- POST, PUT or PATCH and the ``<form>`` that posted to the request had
- ``enctype="multipart/form-data"``. It will be empty otherwise.
- See the :class:`~werkzeug.datastructures.MultiDict` /
- :class:`~werkzeug.datastructures.FileStorage` documentation for
- more details about the used data structure.
- """
- self._load_form_data()
- return self.files
- @cached_property
- def cookies(self):
- """A :class:`dict` with the contents of all cookies transmitted with
- the request."""
- return parse_cookie(self.environ, self.charset,
- self.encoding_errors,
- cls=self.dict_storage_class)
- @cached_property
- def headers(self):
- """The headers from the WSGI environ as immutable
- :class:`~werkzeug.datastructures.EnvironHeaders`.
- """
- return EnvironHeaders(self.environ)
- @cached_property
- def path(self):
- """Requested path as unicode. This works a bit like the regular path
- info in the WSGI environment but will always include a leading slash,
- even if the URL root is accessed.
- """
- raw_path = wsgi_decoding_dance(self.environ.get('PATH_INFO') or '',
- self.charset, self.encoding_errors)
- return '/' + raw_path.lstrip('/')
- @cached_property
- def full_path(self):
- """Requested path as unicode, including the query string."""
- return self.path + u'?' + to_unicode(self.query_string, self.url_charset)
- @cached_property
- def script_root(self):
- """The root path of the script without the trailing slash."""
- raw_path = wsgi_decoding_dance(self.environ.get('SCRIPT_NAME') or '',
- self.charset, self.encoding_errors)
- return raw_path.rstrip('/')
- @cached_property
- def url(self):
- """The reconstructed current URL as IRI.
- See also: :attr:`trusted_hosts`.
- """
- return get_current_url(self.environ,
- trusted_hosts=self.trusted_hosts)
- @cached_property
- def base_url(self):
- """Like :attr:`url` but without the querystring
- See also: :attr:`trusted_hosts`.
- """
- return get_current_url(self.environ, strip_querystring=True,
- trusted_hosts=self.trusted_hosts)
- @cached_property
- def url_root(self):
- """The full URL root (with hostname), this is the application
- root as IRI.
- See also: :attr:`trusted_hosts`.
- """
- return get_current_url(self.environ, True,
- trusted_hosts=self.trusted_hosts)
- @cached_property
- def host_url(self):
- """Just the host with scheme as IRI.
- See also: :attr:`trusted_hosts`.
- """
- return get_current_url(self.environ, host_only=True,
- trusted_hosts=self.trusted_hosts)
- @cached_property
- def host(self):
- """Just the host including the port if available.
- See also: :attr:`trusted_hosts`.
- """
- return get_host(self.environ, trusted_hosts=self.trusted_hosts)
- query_string = environ_property(
- 'QUERY_STRING', '', read_only=True,
- load_func=wsgi_get_bytes, doc='The URL parameters as raw bytestring.')
- method = environ_property(
- 'REQUEST_METHOD', 'GET', read_only=True,
- load_func=lambda x: x.upper(),
- doc="The request method. (For example ``'GET'`` or ``'POST'``).")
- @cached_property
- def access_route(self):
- """If a forwarded header exists this is a list of all ip addresses
- from the client ip to the last proxy server.
- """
- if 'HTTP_X_FORWARDED_FOR' in self.environ:
- addr = self.environ['HTTP_X_FORWARDED_FOR'].split(',')
- return self.list_storage_class([x.strip() for x in addr])
- elif 'REMOTE_ADDR' in self.environ:
- return self.list_storage_class([self.environ['REMOTE_ADDR']])
- return self.list_storage_class()
- @property
- def remote_addr(self):
- """The remote address of the client."""
- return self.environ.get('REMOTE_ADDR')
- remote_user = environ_property('REMOTE_USER', doc='''
- If the server supports user authentication, and the script is
- protected, this attribute contains the username the user has
- authenticated as.''')
- scheme = environ_property('wsgi.url_scheme', doc='''
- URL scheme (http or https).
- .. versionadded:: 0.7''')
- @property
- def is_xhr(self):
- """True if the request was triggered via a JavaScript XMLHttpRequest.
- This only works with libraries that support the ``X-Requested-With``
- header and set it to "XMLHttpRequest". Libraries that do that are
- prototype, jQuery and Mochikit and probably some more.
- .. deprecated:: 0.13
- ``X-Requested-With`` is not standard and is unreliable.
- """
- warn(DeprecationWarning(
- 'Request.is_xhr is deprecated. Given that the X-Requested-With '
- 'header is not a part of any spec, it is not reliable'
- ), stacklevel=2)
- return self.environ.get(
- 'HTTP_X_REQUESTED_WITH', ''
- ).lower() == 'xmlhttprequest'
- is_secure = property(lambda x: x.environ['wsgi.url_scheme'] == 'https',
- doc='`True` if the request is secure.')
- is_multithread = environ_property('wsgi.multithread', doc='''
- boolean that is `True` if the application is served by
- a multithreaded WSGI server.''')
- is_multiprocess = environ_property('wsgi.multiprocess', doc='''
- boolean that is `True` if the application is served by
- a WSGI server that spawns multiple processes.''')
- is_run_once = environ_property('wsgi.run_once', doc='''
- boolean that is `True` if the application will be executed only
- once in a process lifetime. This is the case for CGI for example,
- but it's not guaranteed that the execution only happens one time.''')
- class BaseResponse(object):
- """Base response class. The most important fact about a response object
- is that it's a regular WSGI application. It's initialized with a couple
- of response parameters (headers, body, status code etc.) and will start a
- valid WSGI response when called with the environ and start response
- callable.
- Because it's a WSGI application itself processing usually ends before the
- actual response is sent to the server. This helps debugging systems
- because they can catch all the exceptions before responses are started.
- Here a small example WSGI application that takes advantage of the
- response objects::
- from werkzeug.wrappers import BaseResponse as Response
- def index():
- return Response('Index page')
- def application(environ, start_response):
- path = environ.get('PATH_INFO') or '/'
- if path == '/':
- response = index()
- else:
- response = Response('Not Found', status=404)
- return response(environ, start_response)
- Like :class:`BaseRequest` which object is lacking a lot of functionality
- implemented in mixins. This gives you a better control about the actual
- API of your response objects, so you can create subclasses and add custom
- functionality. A full featured response object is available as
- :class:`Response` which implements a couple of useful mixins.
- To enforce a new type of already existing responses you can use the
- :meth:`force_type` method. This is useful if you're working with different
- subclasses of response objects and you want to post process them with a
- known interface.
- Per default the response object will assume all the text data is `utf-8`
- encoded. Please refer to `the unicode chapter <unicode.txt>`_ for more
- details about customizing the behavior.
- Response can be any kind of iterable or string. If it's a string it's
- considered being an iterable with one item which is the string passed.
- Headers can be a list of tuples or a
- :class:`~werkzeug.datastructures.Headers` object.
- Special note for `mimetype` and `content_type`: For most mime types
- `mimetype` and `content_type` work the same, the difference affects
- only 'text' mimetypes. If the mimetype passed with `mimetype` is a
- mimetype starting with `text/`, the charset parameter of the response
- object is appended to it. In contrast the `content_type` parameter is
- always added as header unmodified.
- .. versionchanged:: 0.5
- the `direct_passthrough` parameter was added.
- :param response: a string or response iterable.
- :param status: a string with a status or an integer with the status code.
- :param headers: a list of headers or a
- :class:`~werkzeug.datastructures.Headers` object.
- :param mimetype: the mimetype for the response. See notice above.
- :param content_type: the content type for the response. See notice above.
- :param direct_passthrough: if set to `True` :meth:`iter_encoded` is not
- called before iteration which makes it
- possible to pass special iterators through
- unchanged (see :func:`wrap_file` for more
- details.)
- """
- #: the charset of the response.
- charset = 'utf-8'
- #: the default status if none is provided.
- default_status = 200
- #: the default mimetype if none is provided.
- default_mimetype = 'text/plain'
- #: if set to `False` accessing properties on the response object will
- #: not try to consume the response iterator and convert it into a list.
- #:
- #: .. versionadded:: 0.6.2
- #:
- #: That attribute was previously called `implicit_seqence_conversion`.
- #: (Notice the typo). If you did use this feature, you have to adapt
- #: your code to the name change.
- implicit_sequence_conversion = True
- #: Should this response object correct the location header to be RFC
- #: conformant? This is true by default.
- #:
- #: .. versionadded:: 0.8
- autocorrect_location_header = True
- #: Should this response object automatically set the content-length
- #: header if possible? This is true by default.
- #:
- #: .. versionadded:: 0.8
- automatically_set_content_length = True
- #: Warn if a cookie header exceeds this size. The default, 4093, should be
- #: safely `supported by most browsers <cookie_>`_. A cookie larger than
- #: this size will still be sent, but it may be ignored or handled
- #: incorrectly by some browsers. Set to 0 to disable this check.
- #:
- #: .. versionadded:: 0.13
- #:
- #: .. _`cookie`: http://browsercookielimits.squawky.net/
- max_cookie_size = 4093
- def __init__(self, response=None, status=None, headers=None,
- mimetype=None, content_type=None, direct_passthrough=False):
- if isinstance(headers, Headers):
- self.headers = headers
- elif not headers:
- self.headers = Headers()
- else:
- self.headers = Headers(headers)
- if content_type is None:
- if mimetype is None and 'content-type' not in self.headers:
- mimetype = self.default_mimetype
- if mimetype is not None:
- mimetype = get_content_type(mimetype, self.charset)
- content_type = mimetype
- if content_type is not None:
- self.headers['Content-Type'] = content_type
- if status is None:
- status = self.default_status
- if isinstance(status, integer_types):
- self.status_code = status
- else:
- self.status = status
- self.direct_passthrough = direct_passthrough
- self._on_close = []
- # we set the response after the headers so that if a class changes
- # the charset attribute, the data is set in the correct charset.
- if response is None:
- self.response = []
- elif isinstance(response, (text_type, bytes, bytearray)):
- self.set_data(response)
- else:
- self.response = response
- def call_on_close(self, func):
- """Adds a function to the internal list of functions that should
- be called as part of closing down the response. Since 0.7 this
- function also returns the function that was passed so that this
- can be used as a decorator.
- .. versionadded:: 0.6
- """
- self._on_close.append(func)
- return func
- def __repr__(self):
- if self.is_sequence:
- body_info = '%d bytes' % sum(map(len, self.iter_encoded()))
- else:
- body_info = 'streamed' if self.is_streamed else 'likely-streamed'
- return '<%s %s [%s]>' % (
- self.__class__.__name__,
- body_info,
- self.status
- )
- @classmethod
- def force_type(cls, response, environ=None):
- """Enforce that the WSGI response is a response object of the current
- type. Werkzeug will use the :class:`BaseResponse` internally in many
- situations like the exceptions. If you call :meth:`get_response` on an
- exception you will get back a regular :class:`BaseResponse` object, even
- if you are using a custom subclass.
- This method can enforce a given response type, and it will also
- convert arbitrary WSGI callables into response objects if an environ
- is provided::
- # convert a Werkzeug response object into an instance of the
- # MyResponseClass subclass.
- response = MyResponseClass.force_type(response)
- # convert any WSGI application into a response object
- response = MyResponseClass.force_type(response, environ)
- This is especially useful if you want to post-process responses in
- the main dispatcher and use functionality provided by your subclass.
- Keep in mind that this will modify response objects in place if
- possible!
- :param response: a response object or wsgi application.
- :param environ: a WSGI environment object.
- :return: a response object.
- """
- if not isinstance(response, BaseResponse):
- if environ is None:
- raise TypeError('cannot convert WSGI application into '
- 'response objects without an environ')
- response = BaseResponse(*_run_wsgi_app(response, environ))
- response.__class__ = cls
- return response
- @classmethod
- def from_app(cls, app, environ, buffered=False):
- """Create a new response object from an application output. This
- works best if you pass it an application that returns a generator all
- the time. Sometimes applications may use the `write()` callable
- returned by the `start_response` function. This tries to resolve such
- edge cases automatically. But if you don't get the expected output
- you should set `buffered` to `True` which enforces buffering.
- :param app: the WSGI application to execute.
- :param environ: the WSGI environment to execute against.
- :param buffered: set to `True` to enforce buffering.
- :return: a response object.
- """
- return cls(*_run_wsgi_app(app, environ, buffered))
- def _get_status_code(self):
- return self._status_code
- def _set_status_code(self, code):
- self._status_code = code
- try:
- self._status = '%d %s' % (code, HTTP_STATUS_CODES[code].upper())
- except KeyError:
- self._status = '%d UNKNOWN' % code
- status_code = property(_get_status_code, _set_status_code,
- doc='The HTTP Status code as number')
- del _get_status_code, _set_status_code
- def _get_status(self):
- return self._status
- def _set_status(self, value):
- try:
- self._status = to_native(value)
- except AttributeError:
- raise TypeError('Invalid status argument')
- try:
- self._status_code = int(self._status.split(None, 1)[0])
- except ValueError:
- self._status_code = 0
- self._status = '0 %s' % self._status
- except IndexError:
- raise ValueError('Empty status argument')
- status = property(_get_status, _set_status, doc='The HTTP Status code')
- del _get_status, _set_status
- def get_data(self, as_text=False):
- """The string representation of the request body. Whenever you call
- this property the request iterable is encoded and flattened. This
- can lead to unwanted behavior if you stream big data.
- This behavior can be disabled by setting
- :attr:`implicit_sequence_conversion` to `False`.
- If `as_text` is set to `True` the return value will be a decoded
- unicode string.
- .. versionadded:: 0.9
- """
- self._ensure_sequence()
- rv = b''.join(self.iter_encoded())
- if as_text:
- rv = rv.decode(self.charset)
- return rv
- def set_data(self, value):
- """Sets a new string as response. The value set must either by a
- unicode or bytestring. If a unicode string is set it's encoded
- automatically to the charset of the response (utf-8 by default).
- .. versionadded:: 0.9
- """
- # if an unicode string is set, it's encoded directly so that we
- # can set the content length
- if isinstance(value, text_type):
- value = value.encode(self.charset)
- else:
- value = bytes(value)
- self.response = [value]
- if self.automatically_set_content_length:
- self.headers['Content-Length'] = str(len(value))
- data = property(get_data, set_data, doc='''
- A descriptor that calls :meth:`get_data` and :meth:`set_data`. This
- should not be used and will eventually get deprecated.
- ''')
- def calculate_content_length(self):
- """Returns the content length if available or `None` otherwise."""
- try:
- self._ensure_sequence()
- except RuntimeError:
- return None
- return sum(len(x) for x in self.iter_encoded())
- def _ensure_sequence(self, mutable=False):
- """This method can be called by methods that need a sequence. If
- `mutable` is true, it will also ensure that the response sequence
- is a standard Python list.
- .. versionadded:: 0.6
- """
- if self.is_sequence:
- # if we need a mutable object, we ensure it's a list.
- if mutable and not isinstance(self.response, list):
- self.response = list(self.response)
- return
- if self.direct_passthrough:
- raise RuntimeError('Attempted implicit sequence conversion '
- 'but the response object is in direct '
- 'passthrough mode.')
- if not self.implicit_sequence_conversion:
- raise RuntimeError('The response object required the iterable '
- 'to be a sequence, but the implicit '
- 'conversion was disabled. Call '
- 'make_sequence() yourself.')
- self.make_sequence()
- def make_sequence(self):
- """Converts the response iterator in a list. By default this happens
- automatically if required. If `implicit_sequence_conversion` is
- disabled, this method is not automatically called and some properties
- might raise exceptions. This also encodes all the items.
- .. versionadded:: 0.6
- """
- if not self.is_sequence:
- # if we consume an iterable we have to ensure that the close
- # method of the iterable is called if available when we tear
- # down the response
- close = getattr(self.response, 'close', None)
- self.response = list(self.iter_encoded())
- if close is not None:
- self.call_on_close(close)
- def iter_encoded(self):
- """Iter the response encoded with the encoding of the response.
- If the response object is invoked as WSGI application the return
- value of this method is used as application iterator unless
- :attr:`direct_passthrough` was activated.
- """
- if __debug__:
- _warn_if_string(self.response)
- # Encode in a separate function so that self.response is fetched
- # early. This allows us to wrap the response with the return
- # value from get_app_iter or iter_encoded.
- return _iter_encoded(self.response, self.charset)
- def set_cookie(self, key, value='', max_age=None, expires=None,
- path='/', domain=None, secure=False, httponly=False,
- samesite=None):
- """Sets a cookie. The parameters are the same as in the cookie `Morsel`
- object in the Python standard library but it accepts unicode data, too.
- A warning is raised if the size of the cookie header exceeds
- :attr:`max_cookie_size`, but the header will still be set.
- :param key: the key (name) of the cookie to be set.
- :param value: the value of the cookie.
- :param max_age: should be a number of seconds, or `None` (default) if
- the cookie should last only as long as the client's
- browser session.
- :param expires: should be a `datetime` object or UNIX timestamp.
- :param path: limits the cookie to a given path, per default it will
- span the whole domain.
- :param domain: if you want to set a cross-domain cookie. For example,
- ``domain=".example.com"`` will set a cookie that is
- readable by the domain ``www.example.com``,
- ``foo.example.com`` etc. Otherwise, a cookie will only
- be readable by the domain that set it.
- :param secure: If `True`, the cookie will only be available via HTTPS
- :param httponly: disallow JavaScript to access the cookie. This is an
- extension to the cookie standard and probably not
- supported by all browsers.
- :param samesite: Limits the scope of the cookie such that it will only
- be attached to requests if those requests are
- "same-site".
- """
- self.headers.add('Set-Cookie', dump_cookie(
- key,
- value=value,
- max_age=max_age,
- expires=expires,
- path=path,
- domain=domain,
- secure=secure,
- httponly=httponly,
- charset=self.charset,
- max_size=self.max_cookie_size,
- samesite=samesite
- ))
- def delete_cookie(self, key, path='/', domain=None):
- """Delete a cookie. Fails silently if key doesn't exist.
- :param key: the key (name) of the cookie to be deleted.
- :param path: if the cookie that should be deleted was limited to a
- path, the path has to be defined here.
- :param domain: if the cookie that should be deleted was limited to a
- domain, that domain has to be defined here.
- """
- self.set_cookie(key, expires=0, max_age=0, path=path, domain=domain)
- @property
- def is_streamed(self):
- """If the response is streamed (the response is not an iterable with
- a length information) this property is `True`. In this case streamed
- means that there is no information about the number of iterations.
- This is usually `True` if a generator is passed to the response object.
- This is useful for checking before applying some sort of post
- filtering that should not take place for streamed responses.
- """
- try:
- len(self.response)
- except (TypeError, AttributeError):
- return True
- return False
- @property
- def is_sequence(self):
- """If the iterator is buffered, this property will be `True`. A
- response object will consider an iterator to be buffered if the
- response attribute is a list or tuple.
- .. versionadded:: 0.6
- """
- return isinstance(self.response, (tuple, list))
- def close(self):
- """Close the wrapped response if possible. You can also use the object
- in a with statement which will automatically close it.
- .. versionadded:: 0.9
- Can now be used in a with statement.
- """
- if hasattr(self.response, 'close'):
- self.response.close()
- for func in self._on_close:
- func()
- def __enter__(self):
- return self
- def __exit__(self, exc_type, exc_value, tb):
- self.close()
- def freeze(self):
- """Call this method if you want to make your response object ready for
- being pickled. This buffers the generator if there is one. It will
- also set the `Content-Length` header to the length of the body.
- .. versionchanged:: 0.6
- The `Content-Length` header is now set.
- """
- # we explicitly set the length to a list of the *encoded* response
- # iterator. Even if the implicit sequence conversion is disabled.
- self.response = list(self.iter_encoded())
- self.headers['Content-Length'] = str(sum(map(len, self.response)))
- def get_wsgi_headers(self, environ):
- """This is automatically called right before the response is started
- and returns headers modified for the given environment. It returns a
- copy of the headers from the response with some modifications applied
- if necessary.
- For example the location header (if present) is joined with the root
- URL of the environment. Also the content length is automatically set
- to zero here for certain status codes.
- .. versionchanged:: 0.6
- Previously that function was called `fix_headers` and modified
- the response object in place. Also since 0.6, IRIs in location
- and content-location headers are handled properly.
- Also starting with 0.6, Werkzeug will attempt to set the content
- length if it is able to figure it out on its own. This is the
- case if all the strings in the response iterable are already
- encoded and the iterable is buffered.
- :param environ: the WSGI environment of the request.
- :return: returns a new :class:`~werkzeug.datastructures.Headers`
- object.
- """
- headers = Headers(self.headers)
- location = None
- content_location = None
- content_length = None
- status = self.status_code
- # iterate over the headers to find all values in one go. Because
- # get_wsgi_headers is used each response that gives us a tiny
- # speedup.
- for key, value in headers:
- ikey = key.lower()
- if ikey == u'location':
- location = value
- elif ikey == u'content-location':
- content_location = value
- elif ikey == u'content-length':
- content_length = value
- # make sure the location header is an absolute URL
- if location is not None:
- old_location = location
- if isinstance(location, text_type):
- # Safe conversion is necessary here as we might redirect
- # to a broken URI scheme (for instance itms-services).
- location = iri_to_uri(location, safe_conversion=True)
- if self.autocorrect_location_header:
- current_url = get_current_url(environ, root_only=True)
- if isinstance(current_url, text_type):
- current_url = iri_to_uri(current_url)
- location = url_join(current_url, location)
- if location != old_location:
- headers['Location'] = location
- # make sure the content location is a URL
- if content_location is not None and \
- isinstance(content_location, text_type):
- headers['Content-Location'] = iri_to_uri(content_location)
- if status in (304, 412):
- remove_entity_headers(headers)
- # if we can determine the content length automatically, we
- # should try to do that. But only if this does not involve
- # flattening the iterator or encoding of unicode strings in
- # the response. We however should not do that if we have a 304
- # response.
- if self.automatically_set_content_length and \
- self.is_sequence and content_length is None and \
- status not in (204, 304) and \
- not (100 <= status < 200):
- try:
- content_length = sum(len(to_bytes(x, 'ascii'))
- for x in self.response)
- except UnicodeError:
- # aha, something non-bytestringy in there, too bad, we
- # can't safely figure out the length of the response.
- pass
- else:
- headers['Content-Length'] = str(content_length)
- return headers
- def get_app_iter(self, environ):
- """Returns the application iterator for the given environ. Depending
- on the request method and the current status code the return value
- might be an empty response rather than the one from the response.
- If the request method is `HEAD` or the status code is in a range
- where the HTTP specification requires an empty response, an empty
- iterable is returned.
- .. versionadded:: 0.6
- :param environ: the WSGI environment of the request.
- :return: a response iterable.
- """
- status = self.status_code
- if environ['REQUEST_METHOD'] == 'HEAD' or \
- 100 <= status < 200 or status in (204, 304, 412):
- iterable = ()
- elif self.direct_passthrough:
- if __debug__:
- _warn_if_string(self.response)
- return self.response
- else:
- iterable = self.iter_encoded()
- return ClosingIterator(iterable, self.close)
- def get_wsgi_response(self, environ):
- """Returns the final WSGI response as tuple. The first item in
- the tuple is the application iterator, the second the status and
- the third the list of headers. The response returned is created
- specially for the given environment. For example if the request
- method in the WSGI environment is ``'HEAD'`` the response will
- be empty and only the headers and status code will be present.
- .. versionadded:: 0.6
- :param environ: the WSGI environment of the request.
- :return: an ``(app_iter, status, headers)`` tuple.
- """
- headers = self.get_wsgi_headers(environ)
- app_iter = self.get_app_iter(environ)
- return app_iter, self.status, headers.to_wsgi_list()
- def __call__(self, environ, start_response):
- """Process this response as WSGI application.
- :param environ: the WSGI environment.
- :param start_response: the response callable provided by the WSGI
- server.
- :return: an application iterator
- """
- app_iter, status, headers = self.get_wsgi_response(environ)
- start_response(status, headers)
- return app_iter
- class AcceptMixin(object):
- """A mixin for classes with an :attr:`~BaseResponse.environ` attribute
- to get all the HTTP accept headers as
- :class:`~werkzeug.datastructures.Accept` objects (or subclasses
- thereof).
- """
- @cached_property
- def accept_mimetypes(self):
- """List of mimetypes this client supports as
- :class:`~werkzeug.datastructures.MIMEAccept` object.
- """
- return parse_accept_header(self.environ.get('HTTP_ACCEPT'), MIMEAccept)
- @cached_property
- def accept_charsets(self):
- """List of charsets this client supports as
- :class:`~werkzeug.datastructures.CharsetAccept` object.
- """
- return parse_accept_header(self.environ.get('HTTP_ACCEPT_CHARSET'),
- CharsetAccept)
- @cached_property
- def accept_encodings(self):
- """List of encodings this client accepts. Encodings in a HTTP term
- are compression encodings such as gzip. For charsets have a look at
- :attr:`accept_charset`.
- """
- return parse_accept_header(self.environ.get('HTTP_ACCEPT_ENCODING'))
- @cached_property
- def accept_languages(self):
- """List of languages this client accepts as
- :class:`~werkzeug.datastructures.LanguageAccept` object.
- .. versionchanged 0.5
- In previous versions this was a regular
- :class:`~werkzeug.datastructures.Accept` object.
- """
- return parse_accept_header(self.environ.get('HTTP_ACCEPT_LANGUAGE'),
- LanguageAccept)
- class ETagRequestMixin(object):
- """Add entity tag and cache descriptors to a request object or object with
- a WSGI environment available as :attr:`~BaseRequest.environ`. This not
- only provides access to etags but also to the cache control header.
- """
- @cached_property
- def cache_control(self):
- """A :class:`~werkzeug.datastructures.RequestCacheControl` object
- for the incoming cache control headers.
- """
- cache_control = self.environ.get('HTTP_CACHE_CONTROL')
- return parse_cache_control_header(cache_control, None,
- RequestCacheControl)
- @cached_property
- def if_match(self):
- """An object containing all the etags in the `If-Match` header.
- :rtype: :class:`~werkzeug.datastructures.ETags`
- """
- return parse_etags(self.environ.get('HTTP_IF_MATCH'))
- @cached_property
- def if_none_match(self):
- """An object containing all the etags in the `If-None-Match` header.
- :rtype: :class:`~werkzeug.datastructures.ETags`
- """
- return parse_etags(self.environ.get('HTTP_IF_NONE_MATCH'))
- @cached_property
- def if_modified_since(self):
- """The parsed `If-Modified-Since` header as datetime object."""
- return parse_date(self.environ.get('HTTP_IF_MODIFIED_SINCE'))
- @cached_property
- def if_unmodified_since(self):
- """The parsed `If-Unmodified-Since` header as datetime object."""
- return parse_date(self.environ.get('HTTP_IF_UNMODIFIED_SINCE'))
- @cached_property
- def if_range(self):
- """The parsed `If-Range` header.
- .. versionadded:: 0.7
- :rtype: :class:`~werkzeug.datastructures.IfRange`
- """
- return parse_if_range_header(self.environ.get('HTTP_IF_RANGE'))
- @cached_property
- def range(self):
- """The parsed `Range` header.
- .. versionadded:: 0.7
- :rtype: :class:`~werkzeug.datastructures.Range`
- """
- return parse_range_header(self.environ.get('HTTP_RANGE'))
- class UserAgentMixin(object):
- """Adds a `user_agent` attribute to the request object which contains the
- parsed user agent of the browser that triggered the request as a
- :class:`~werkzeug.useragents.UserAgent` object.
- """
- @cached_property
- def user_agent(self):
- """The current user agent."""
- from werkzeug.useragents import UserAgent
- return UserAgent(self.environ)
- class AuthorizationMixin(object):
- """Adds an :attr:`authorization` property that represents the parsed
- value of the `Authorization` header as
- :class:`~werkzeug.datastructures.Authorization` object.
- """
- @cached_property
- def authorization(self):
- """The `Authorization` object in parsed form."""
- header = self.environ.get('HTTP_AUTHORIZATION')
- return parse_authorization_header(header)
- class StreamOnlyMixin(object):
- """If mixed in before the request object this will change the bahavior
- of it to disable handling of form parsing. This disables the
- :attr:`files`, :attr:`form` attributes and will just provide a
- :attr:`stream` attribute that however is always available.
- .. versionadded:: 0.9
- """
- disable_data_descriptor = True
- want_form_data_parsed = False
- class ETagResponseMixin(object):
- """Adds extra functionality to a response object for etag and cache
- handling. This mixin requires an object with at least a `headers`
- object that implements a dict like interface similar to
- :class:`~werkzeug.datastructures.Headers`.
- If you want the :meth:`freeze` method to automatically add an etag, you
- have to mixin this method before the response base class. The default
- response class does not do that.
- """
- @property
- def cache_control(self):
- """The Cache-Control general-header field is used to specify
- directives that MUST be obeyed by all caching mechanisms along the
- request/response chain.
- """
- def on_update(cache_control):
- if not cache_control and 'cache-control' in self.headers:
- del self.headers['cache-control']
- elif cache_control:
- self.headers['Cache-Control'] = cache_control.to_header()
- return parse_cache_control_header(self.headers.get('cache-control'),
- on_update,
- ResponseCacheControl)
- def _wrap_response(self, start, length):
- """Wrap existing Response in case of Range Request context."""
- if self.status_code == 206:
- self.response = _RangeWrapper(self.response, start, length)
- def _is_range_request_processable(self, environ):
- """Return ``True`` if `Range` header is present and if underlying
- resource is considered unchanged when compared with `If-Range` header.
- """
- return (
- 'HTTP_IF_RANGE' not in environ
- or not is_resource_modified(
- environ, self.headers.get('etag'), None,
- self.headers.get('last-modified'), ignore_if_range=False
- )
- ) and 'HTTP_RANGE' in environ
- def _process_range_request(self, environ, complete_length=None, accept_ranges=None):
- """Handle Range Request related headers (RFC7233). If `Accept-Ranges`
- header is valid, and Range Request is processable, we set the headers
- as described by the RFC, and wrap the underlying response in a
- RangeWrapper.
- Returns ``True`` if Range Request can be fulfilled, ``False`` otherwise.
- :raises: :class:`~werkzeug.exceptions.RequestedRangeNotSatisfiable`
- if `Range` header could not be parsed or satisfied.
- """
- from werkzeug.exceptions import RequestedRangeNotSatisfiable
- if accept_ranges is None:
- return False
- self.headers['Accept-Ranges'] = accept_ranges
- if not self._is_range_request_processable(environ) or complete_length is None:
- return False
- parsed_range = parse_range_header(environ.get('HTTP_RANGE'))
- if parsed_range is None:
- raise RequestedRangeNotSatisfiable(complete_length)
- range_tuple = parsed_range.range_for_length(complete_length)
- content_range_header = parsed_range.to_content_range_header(complete_length)
- if range_tuple is None or content_range_header is None:
- raise RequestedRangeNotSatisfiable(complete_length)
- content_length = range_tuple[1] - range_tuple[0]
- # Be sure not to send 206 response
- # if requested range is the full content.
- if content_length != complete_length:
- self.headers['Content-Length'] = content_length
- self.content_range = content_range_header
- self.status_code = 206
- self._wrap_response(range_tuple[0], content_length)
- return True
- return False
- def make_conditional(self, request_or_environ, accept_ranges=False,
- complete_length=None):
- """Make the response conditional to the request. This method works
- best if an etag was defined for the response already. The `add_etag`
- method can be used to do that. If called without etag just the date
- header is set.
- This does nothing if the request method in the request or environ is
- anything but GET or HEAD.
- For optimal performance when handling range requests, it's recommended
- that your response data object implements `seekable`, `seek` and `tell`
- methods as described by :py:class:`io.IOBase`. Objects returned by
- :meth:`~werkzeug.wsgi.wrap_file` automatically implement those methods.
- It does not remove the body of the response because that's something
- the :meth:`__call__` function does for us automatically.
- Returns self so that you can do ``return resp.make_conditional(req)``
- but modifies the object in-place.
- :param request_or_environ: a request object or WSGI environment to be
- used to make the response conditional
- against.
- :param accept_ranges: This parameter dictates the value of
- `Accept-Ranges` header. If ``False`` (default),
- the header is not set. If ``True``, it will be set
- to ``"bytes"``. If ``None``, it will be set to
- ``"none"``. If it's a string, it will use this
- value.
- :param complete_length: Will be used only in valid Range Requests.
- It will set `Content-Range` complete length
- value and compute `Content-Length` real value.
- This parameter is mandatory for successful
- Range Requests completion.
- :raises: :class:`~werkzeug.exceptions.RequestedRangeNotSatisfiable`
- if `Range` header could not be parsed or satisfied.
- """
- environ = _get_environ(request_or_environ)
- if environ['REQUEST_METHOD'] in ('GET', 'HEAD'):
- # if the date is not in the headers, add it now. We however
- # will not override an already existing header. Unfortunately
- # this header will be overriden by many WSGI servers including
- # wsgiref.
- if 'date' not in self.headers:
- self.headers['Date'] = http_date()
- accept_ranges = _clean_accept_ranges(accept_ranges)
- is206 = self._process_range_request(environ, complete_length, accept_ranges)
- if not is206 and not is_resource_modified(
- environ, self.headers.get('etag'), None,
- self.headers.get('last-modified')
- ):
- if parse_etags(environ.get('HTTP_IF_MATCH')):
- self.status_code = 412
- else:
- self.status_code = 304
- if self.automatically_set_content_length and 'content-length' not in self.headers:
- length = self.calculate_content_length()
- if length is not None:
- self.headers['Content-Length'] = length
- return self
- def add_etag(self, overwrite=False, weak=False):
- """Add an etag for the current response if there is none yet."""
- if overwrite or 'etag' not in self.headers:
- self.set_etag(generate_etag(self.get_data()), weak)
- def set_etag(self, etag, weak=False):
- """Set the etag, and override the old one if there was one."""
- self.headers['ETag'] = quote_etag(etag, weak)
- def get_etag(self):
- """Return a tuple in the form ``(etag, is_weak)``. If there is no
- ETag the return value is ``(None, None)``.
- """
- return unquote_etag(self.headers.get('ETag'))
- def freeze(self, no_etag=False):
- """Call this method if you want to make your response object ready for
- pickeling. This buffers the generator if there is one. This also
- sets the etag unless `no_etag` is set to `True`.
- """
- if not no_etag:
- self.add_etag()
- super(ETagResponseMixin, self).freeze()
- accept_ranges = header_property('Accept-Ranges', doc='''
- The `Accept-Ranges` header. Even though the name would indicate
- that multiple values are supported, it must be one string token only.
- The values ``'bytes'`` and ``'none'`` are common.
- .. versionadded:: 0.7''')
- def _get_content_range(self):
- def on_update(rng):
- if not rng:
- del self.headers['content-range']
- else:
- self.headers['Content-Range'] = rng.to_header()
- rv = parse_content_range_header(self.headers.get('content-range'),
- on_update)
- # always provide a content range object to make the descriptor
- # more user friendly. It provides an unset() method that can be
- # used to remove the header quickly.
- if rv is None:
- rv = ContentRange(None, None, None, on_update=on_update)
- return rv
- def _set_content_range(self, value):
- if not value:
- del self.headers['content-range']
- elif isinstance(value, string_types):
- self.headers['Content-Range'] = value
- else:
- self.headers['Content-Range'] = value.to_header()
- content_range = property(_get_content_range, _set_content_range, doc='''
- The `Content-Range` header as
- :class:`~werkzeug.datastructures.ContentRange` object. Even if the
- header is not set it wil provide such an object for easier
- manipulation.
- .. versionadded:: 0.7''')
- del _get_content_range, _set_content_range
- class ResponseStream(object):
- """A file descriptor like object used by the :class:`ResponseStreamMixin` to
- represent the body of the stream. It directly pushes into the response
- iterable of the response object.
- """
- mode = 'wb+'
- def __init__(self, response):
- self.response = response
- self.closed = False
- def write(self, value):
- if self.closed:
- raise ValueError('I/O operation on closed file')
- self.response._ensure_sequence(mutable=True)
- self.response.response.append(value)
- self.response.headers.pop('Content-Length', None)
- return len(value)
- def writelines(self, seq):
- for item in seq:
- self.write(item)
- def close(self):
- self.closed = True
- def flush(self):
- if self.closed:
- raise ValueError('I/O operation on closed file')
- def isatty(self):
- if self.closed:
- raise ValueError('I/O operation on closed file')
- return False
- def tell(self):
- self.response._ensure_sequence()
- return sum(map(len, self.response.response))
- @property
- def encoding(self):
- return self.response.charset
- class ResponseStreamMixin(object):
- """Mixin for :class:`BaseRequest` subclasses. Classes that inherit from
- this mixin will automatically get a :attr:`stream` property that provides
- a write-only interface to the response iterable.
- """
- @cached_property
- def stream(self):
- """The response iterable as write-only stream."""
- return ResponseStream(self)
- class CommonRequestDescriptorsMixin(object):
- """A mixin for :class:`BaseRequest` subclasses. Request objects that
- mix this class in will automatically get descriptors for a couple of
- HTTP headers with automatic type conversion.
- .. versionadded:: 0.5
- """
- content_type = environ_property('CONTENT_TYPE', doc='''
- The Content-Type entity-header field indicates the media type of
- the entity-body sent to the recipient or, in the case of the HEAD
- method, the media type that would have been sent had the request
- been a GET.''')
- @cached_property
- def content_length(self):
- """The Content-Length entity-header field indicates the size of the
- entity-body in bytes or, in the case of the HEAD method, the size of
- the entity-body that would have been sent had the request been a
- GET.
- """
- return get_content_length(self.environ)
- content_encoding = environ_property('HTTP_CONTENT_ENCODING', doc='''
- The Content-Encoding entity-header field is used as a modifier to the
- media-type. When present, its value indicates what additional content
- codings have been applied to the entity-body, and thus what decoding
- mechanisms must be applied in order to obtain the media-type
- referenced by the Content-Type header field.
- .. versionadded:: 0.9''')
- content_md5 = environ_property('HTTP_CONTENT_MD5', doc='''
- The Content-MD5 entity-header field, as defined in RFC 1864, is an
- MD5 digest of the entity-body for the purpose of providing an
- end-to-end message integrity check (MIC) of the entity-body. (Note:
- a MIC is good for detecting accidental modification of the
- entity-body in transit, but is not proof against malicious attacks.)
- .. versionadded:: 0.9''')
- referrer = environ_property('HTTP_REFERER', doc='''
- The Referer[sic] request-header field allows the client to specify,
- for the server's benefit, the address (URI) of the resource from which
- the Request-URI was obtained (the "referrer", although the header
- field is misspelled).''')
- date = environ_property('HTTP_DATE', None, parse_date, doc='''
- The Date general-header field represents the date and time at which
- the message was originated, having the same semantics as orig-date
- in RFC 822.''')
- max_forwards = environ_property('HTTP_MAX_FORWARDS', None, int, doc='''
- The Max-Forwards request-header field provides a mechanism with the
- TRACE and OPTIONS methods to limit the number of proxies or gateways
- that can forward the request to the next inbound server.''')
- def _parse_content_type(self):
- if not hasattr(self, '_parsed_content_type'):
- self._parsed_content_type = \
- parse_options_header(self.environ.get('CONTENT_TYPE', ''))
- @property
- def mimetype(self):
- """Like :attr:`content_type`, but without parameters (eg, without
- charset, type etc.) and always lowercase. For example if the content
- type is ``text/HTML; charset=utf-8`` the mimetype would be
- ``'text/html'``.
- """
- self._parse_content_type()
- return self._parsed_content_type[0].lower()
- @property
- def mimetype_params(self):
- """The mimetype parameters as dict. For example if the content
- type is ``text/html; charset=utf-8`` the params would be
- ``{'charset': 'utf-8'}``.
- """
- self._parse_content_type()
- return self._parsed_content_type[1]
- @cached_property
- def pragma(self):
- """The Pragma general-header field is used to include
- implementation-specific directives that might apply to any recipient
- along the request/response chain. All pragma directives specify
- optional behavior from the viewpoint of the protocol; however, some
- systems MAY require that behavior be consistent with the directives.
- """
- return parse_set_header(self.environ.get('HTTP_PRAGMA', ''))
- class CommonResponseDescriptorsMixin(object):
- """A mixin for :class:`BaseResponse` subclasses. Response objects that
- mix this class in will automatically get descriptors for a couple of
- HTTP headers with automatic type conversion.
- """
- def _get_mimetype(self):
- ct = self.headers.get('content-type')
- if ct:
- return ct.split(';')[0].strip()
- def _set_mimetype(self, value):
- self.headers['Content-Type'] = get_content_type(value, self.charset)
- def _get_mimetype_params(self):
- def on_update(d):
- self.headers['Content-Type'] = \
- dump_options_header(self.mimetype, d)
- d = parse_options_header(self.headers.get('content-type', ''))[1]
- return CallbackDict(d, on_update)
- mimetype = property(_get_mimetype, _set_mimetype, doc='''
- The mimetype (content type without charset etc.)''')
- mimetype_params = property(_get_mimetype_params, doc='''
- The mimetype parameters as dict. For example if the content
- type is ``text/html; charset=utf-8`` the params would be
- ``{'charset': 'utf-8'}``.
- .. versionadded:: 0.5
- ''')
- location = header_property('Location', doc='''
- The Location response-header field is used to redirect the recipient
- to a location other than the Request-URI for completion of the request
- or identification of a new resource.''')
- age = header_property('Age', None, parse_age, dump_age, doc='''
- The Age response-header field conveys the sender's estimate of the
- amount of time since the response (or its revalidation) was
- generated at the origin server.
- Age values are non-negative decimal integers, representing time in
- seconds.''')
- content_type = header_property('Content-Type', doc='''
- The Content-Type entity-header field indicates the media type of the
- entity-body sent to the recipient or, in the case of the HEAD method,
- the media type that would have been sent had the request been a GET.
- ''')
- content_length = header_property('Content-Length', None, int, str, doc='''
- The Content-Length entity-header field indicates the size of the
- entity-body, in decimal number of OCTETs, sent to the recipient or,
- in the case of the HEAD method, the size of the entity-body that would
- have been sent had the request been a GET.''')
- content_location = header_property('Content-Location', doc='''
- The Content-Location entity-header field MAY be used to supply the
- resource location for the entity enclosed in the message when that
- entity is accessible from a location separate from the requested
- resource's URI.''')
- content_encoding = header_property('Content-Encoding', doc='''
- The Content-Encoding entity-header field is used as a modifier to the
- media-type. When present, its value indicates what additional content
- codings have been applied to the entity-body, and thus what decoding
- mechanisms must be applied in order to obtain the media-type
- referenced by the Content-Type header field.''')
- content_md5 = header_property('Content-MD5', doc='''
- The Content-MD5 entity-header field, as defined in RFC 1864, is an
- MD5 digest of the entity-body for the purpose of providing an
- end-to-end message integrity check (MIC) of the entity-body. (Note:
- a MIC is good for detecting accidental modification of the
- entity-body in transit, but is not proof against malicious attacks.)
- ''')
- date = header_property('Date', None, parse_date, http_date, doc='''
- The Date general-header field represents the date and time at which
- the message was originated, having the same semantics as orig-date
- in RFC 822.''')
- expires = header_property('Expires', None, parse_date, http_date, doc='''
- The Expires entity-header field gives the date/time after which the
- response is considered stale. A stale cache entry may not normally be
- returned by a cache.''')
- last_modified = header_property('Last-Modified', None, parse_date,
- http_date, doc='''
- The Last-Modified entity-header field indicates the date and time at
- which the origin server believes the variant was last modified.''')
- def _get_retry_after(self):
- value = self.headers.get('retry-after')
- if value is None:
- return
- elif value.isdigit():
- return datetime.utcnow() + timedelta(seconds=int(value))
- return parse_date(value)
- def _set_retry_after(self, value):
- if value is None:
- if 'retry-after' in self.headers:
- del self.headers['retry-after']
- return
- elif isinstance(value, datetime):
- value = http_date(value)
- else:
- value = str(value)
- self.headers['Retry-After'] = value
- retry_after = property(_get_retry_after, _set_retry_after, doc='''
- The Retry-After response-header field can be used with a 503 (Service
- Unavailable) response to indicate how long the service is expected
- to be unavailable to the requesting client.
- Time in seconds until expiration or date.''')
- def _set_property(name, doc=None):
- def fget(self):
- def on_update(header_set):
- if not header_set and name in self.headers:
- del self.headers[name]
- elif header_set:
- self.headers[name] = header_set.to_header()
- return parse_set_header(self.headers.get(name), on_update)
- def fset(self, value):
- if not value:
- del self.headers[name]
- elif isinstance(value, string_types):
- self.headers[name] = value
- else:
- self.headers[name] = dump_header(value)
- return property(fget, fset, doc=doc)
- vary = _set_property('Vary', doc='''
- The Vary field value indicates the set of request-header fields that
- fully determines, while the response is fresh, whether a cache is
- permitted to use the response to reply to a subsequent request
- without revalidation.''')
- content_language = _set_property('Content-Language', doc='''
- The Content-Language entity-header field describes the natural
- language(s) of the intended audience for the enclosed entity. Note
- that this might not be equivalent to all the languages used within
- the entity-body.''')
- allow = _set_property('Allow', doc='''
- The Allow entity-header field lists the set of methods supported
- by the resource identified by the Request-URI. The purpose of this
- field is strictly to inform the recipient of valid methods
- associated with the resource. An Allow header field MUST be
- present in a 405 (Method Not Allowed) response.''')
- del _set_property, _get_mimetype, _set_mimetype, _get_retry_after, \
- _set_retry_after
- class WWWAuthenticateMixin(object):
- """Adds a :attr:`www_authenticate` property to a response object."""
- @property
- def www_authenticate(self):
- """The `WWW-Authenticate` header in a parsed form."""
- def on_update(www_auth):
- if not www_auth and 'www-authenticate' in self.headers:
- del self.headers['www-authenticate']
- elif www_auth:
- self.headers['WWW-Authenticate'] = www_auth.to_header()
- header = self.headers.get('www-authenticate')
- return parse_www_authenticate_header(header, on_update)
- class Request(BaseRequest, AcceptMixin, ETagRequestMixin,
- UserAgentMixin, AuthorizationMixin,
- CommonRequestDescriptorsMixin):
- """Full featured request object implementing the following mixins:
- - :class:`AcceptMixin` for accept header parsing
- - :class:`ETagRequestMixin` for etag and cache control handling
- - :class:`UserAgentMixin` for user agent introspection
- - :class:`AuthorizationMixin` for http auth handling
- - :class:`CommonRequestDescriptorsMixin` for common headers
- """
- class PlainRequest(StreamOnlyMixin, Request):
- """A request object without special form parsing capabilities.
- .. versionadded:: 0.9
- """
- class Response(BaseResponse, ETagResponseMixin, ResponseStreamMixin,
- CommonResponseDescriptorsMixin,
- WWWAuthenticateMixin):
- """Full featured response object implementing the following mixins:
- - :class:`ETagResponseMixin` for etag and cache control handling
- - :class:`ResponseStreamMixin` to add support for the `stream` property
- - :class:`CommonResponseDescriptorsMixin` for various HTTP descriptors
- - :class:`WWWAuthenticateMixin` for HTTP authentication support
- """