Changelog

1.5.0 (2026.02.21)

  • drop support for Python 3.8 and 3.9

  • add support for Python 3.13

  • migrate from setup.py to pyproject.toml configuration

  • fix doc building on read the docs

  • SECURITY FIX: Fix critical path traversal and extension bypass vulnerability (CVE pending, CVSS 9.8)

    • Apply secure_filename() to the name parameter to prevent path traversal attacks
    • Re-validate file extension after name override to prevent extension bypass
    • Add path containment check to ensure files are saved within the upload directory
    • Sanitize folder component when extracted from name parameter

    Impact: This vulnerability allowed remote attackers to write files to arbitrary locations on the filesystem and bypass extension restrictions, potentially leading to remote code execution via Server-Side Template Injection (SSTI) in Flask applications.

    Credit: Jaron Cabral (Cal Poly Humboldt) for discovery and reporting

    Recommendation: All users should upgrade to this version immediately. Do not pass user-controlled input to the name parameter in older versions.
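The four 1.5.0 fixes listed above, shown as an added illustration that is not the project's own code: a simplified stand-in for Werkzeug's secure_filename (an assumption, not the real implementation), extension re-validation after the name override, sanitisation of a folder component taken from name, and a final path containment check. The allow-list and the upload directory are constructed for the example.

```python
import re
from pathlib import Path
from typing import Optional

# Constructed allow-list for the example; a real application configures its own.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "txt"}
_UNSAFE = re.compile(r"[^A-Za-z0-9_.-]")


def sanitize_name(name: str) -> str:
    """Simplified stand-in for werkzeug's secure_filename (assumption: same idea, not
    the real code): drop path separators and anything outside [A-Za-z0-9_.-]."""
    for sep in ("/", "\\"):
        name = name.replace(sep, " ")
    name = "_".join(name.split())
    return _UNSAFE.sub("", name).strip("._")


def extension_allowed(filename: str) -> bool:
    """Extension check; it must run on the final filename, not only on the upload's."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return ext in ALLOWED_EXTENSIONS


def is_within(base: Path, target: Path) -> bool:
    """Containment check: target must resolve to base itself or to something under it."""
    base, target = base.resolve(), target.resolve()
    return target == base or base in target.parents


def resolve_upload_path(upload_dir: str, original_filename: str,
                        name: Optional[str] = None, folder: Optional[str] = None) -> Path:
    """Compute where an upload would be written, applying the 1.5.0-style checks.
    Raises ValueError rather than producing a path outside upload_dir or with a bad extension."""
    base = Path(upload_dir).resolve()
    filename = sanitize_name(original_filename)
    if name:
        # A name may carry a folder component ("sub/file.png"); sanitise both parts.
        if "/" in name:
            folder, name = name.rsplit("/", 1)
        filename = sanitize_name(name)
    if not filename:
        raise ValueError("filename is empty after sanitisation")
    if not extension_allowed(filename):  # re-validated after the name override
        raise ValueError(f"extension not allowed: {filename}")
    target_dir = base / sanitize_name(folder) if folder else base
    target = target_dir / filename
    if not is_within(base, target):  # defence in depth; sanitisation should already prevent this
        raise ValueError(f"refusing to write outside {base}: {target}")
    return target
```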

1.4.0 (2023.10.03)

  • fix deprecation warning for pytest
  • drop support for Python 3.6 / 3.7
  • add support for Python 3.12
  • upgrade dependencies for building docs

1.3.0 (2022.12.20)

  • improve documentation (#133)
  • drop support for Python 3.6
  • add support for Python 3.11
  • update dependencies for building documentation

1.2.0 (2021.11.07)

  • add contexts to coverage report
  • pin documentation dependencies to prevent future breakage
  • fix typing errors (mypy) with recently released Flask 2.0.1
  • add support for Python 3.10

1.1.0 (2021.05.09)

  • make type checkers aware that this library is using type annotations

1.0.0 (2021.04.07)

  • raise test coverage to 100%
  • use official Pallets theme for the documentation
  • remove deprecated patch_request_class helper function; use MAX_CONTENT_LENGTH instead.
  • autoserve is now deactivated by default and needs explicit activation via the setting UPLOADS_AUTOSERVE=True

0.5.0

  • improve documentation of example app
  • document surprising autoserve feature
  • issue a warning when using autoserve without explicit configuration

0.4.0

  • add type annotations
  • drop support for Python 2 and Python 3.5 (#8)
  • deprecate patch_request_class (#43)
  • use a src directory for source code (#21)
  • add tox env for check-python-versions (#20)
  • add flake8-bugbear
  • add short contribution guide (#6)
  • add getting started (#59)
  • delete broken example and add minimal example to README (#15)
  • add support for Python 3.9
  • use gh actions instead of Travis CI

0.3.2

  • documentation update (#5)
    • update docs/index.rst
    • use blue ReadTheDocs theme
    • update sphinx configuration
    • add documentation link to setup.py, so it shows on PyPI
    • add note about documentation in the README file
    • delete old theme files
  • configure isort to force single line imports

0.3.1

  • add badges to README (#31)
  • add migration guide from Flask-Uploads to Flask-Reuploaded (#11)
  • add packaging guide (#28)
  • update installation instruction in README

0.3

Besides including four years of unreleased changes from the original package, most notably the fix for the Werkzeug API change, the following changes happened since forking the original package.

  • rename package from Flask-Uploads to Flask-Reuploaded (#10)
  • update setup.py (#12)
  • start using pre-commit.com (#4)
  • update README (#14)
  • setup CI (Travis) (#3)
  • fix broken tests (#13)
  • make use of pytest instead of the no longer maintained nose (#2)
  • add a changelog and start tracking changes (#1)