internal/tools/: pyramid-2.0.2 metadata and description

Homepage Simple index

The Pyramid Web Framework, a Pylons project

author Chris McDonough, Agendaless Consulting
  • Development Status :: 6 - Mature
  • Intended Audience :: Developers
  • Programming Language :: Python
  • Programming Language :: Python :: 3
  • Programming Language :: Python :: 3.6
  • Programming Language :: Python :: 3.7
  • Programming Language :: Python :: 3.8
  • Programming Language :: Python :: 3.9
  • Programming Language :: Python :: 3.10
  • Programming Language :: Python :: 3.11
  • Programming Language :: Python :: Implementation :: CPython
  • Programming Language :: Python :: Implementation :: PyPy
  • Framework :: Pyramid
  • Topic :: Internet :: WWW/HTTP
  • Topic :: Internet :: WWW/HTTP :: WSGI
  • License :: Repoze Public License
description_content_type text/x-rst
keywords web,wsgi,pylons,pyramid
license BSD-derived (Repoze)
  • Documentation,
  • Changelog,
  • Issue Tracker,
provides_extras docs
  • hupper >=1.5
  • plaster
  • plaster-pastedeploy
  • setuptools
  • translationstring >=0.4
  • venusian >=1.0
  • webob >=1.8.3
  • zope.deprecation >=3.5.0
  • zope.interface >=3.8.0
  • Sphinx >=3.0.0 ; extra == 'docs'
  • docutils ; extra == 'docs'
  • pylons-sphinx-themes >=1.0.8 ; extra == 'docs'
  • pylons-sphinx-latesturl ; extra == 'docs'
  • repoze.sphinx.autointerface ; extra == 'docs'
  • sphinx-copybutton ; extra == 'docs'
  • sphinxcontrib-autoprogram ; extra == 'docs'
  • webtest >=1.3.1 ; extra == 'testing'
  • zope.component >=4.0 ; extra == 'testing'
  • coverage ; extra == 'testing'
  • pytest >=5.4.2 ; extra == 'testing'
  • pytest-cov ; extra == 'testing'
requires_python >=3.6
File Tox results History
241 KB
Python Wheel
3 MB


2.0-branch Travis CI Status 2.0-branch Documentation Status IRC Libera.Chat

Pyramid is a small, fast, down-to-earth, open source Python web framework. It makes real-world web application development and deployment more fun, more predictable, and more productive. Try Pyramid, browse its add-ons and documentation, and get an overview.

from wsgiref.simple_server import make_server
from pyramid.config import Configurator
from pyramid.response import Response

def hello_world(request):
    return Response('Hello World!')

if __name__ == '__main__':
    with Configurator() as config:
        config.add_route('hello', '/')
        config.add_view(hello_world, route_name='hello')
        app = config.make_wsgi_app()
    server = make_server('', 6543, app)

Pyramid is a project of the Pylons Project.

Support and Documentation

See Pyramid Support and Development for documentation, reporting bugs, and getting support.

Developing and Contributing

See HACKING.txt and for guidelines on running tests, adding features, coding style, and updating documentation when developing in or contributing to Pyramid.


Pyramid is offered under the BSD-derived Repoze Public License.


Pyramid is made available by Agendaless Consulting and a team of contributors.

2.0.2 (2023-08-25)

Bug Fixes

  • Removed support for null-bytes in the path when making a request for a file against a static_view. Whille null-bytes are allowed by the HTTP specification, due to the handling of null-bytes potentially leading to security vulnerabilities it is no longer supported.

    This fixes a security vulnerability that is present due to a bug in Python 3.11.0 through 3.11.4, thereby allowing the unintended disclosure of an index.html one directory up from the static views path.

    Thanks to Masashi Yamane of LAC Co., Ltd for reporting this issue.

Backward Incompatibilities

  • Requests to a static_view are no longer allowed to contain a null-byte in any part of the path segment.

2.0.1 (2023-01-29)

2.0 (2021-02-28)

  • No changes from 2.0b1.

2.0b1 (2021-02-20)

2.0b0 (2020-12-15)

2.0a0 (2020-11-29)


  • Add support for Python 3.9. See

  • The aslist method now handles non-string objects when flattening. See

  • It is now possible to pass multiple values to the header predicate for route and view configuration. See

  • Add support for Python 3.8. See

  • New security APIs have been added to support a massive overhaul of the authentication and authorization system. Read “Upgrading Authentication/Authorization” in the “What’s New in Pyramid 2.0” chapter of the documentation for information about using this new system.

    • pyramid.config.Configurator.set_security_policy.

    • pyramid.interfaces.ISecurityPolicy

    • pyramid.request.Request.identity.

    • pyramid.request.Request.is_authenticated

    • pyramid.authentication.SessionAuthenticationHelper

    • pyramid.authorization.ACLHelper

    • is_authenticated=True/False predicate for route and view configs

    See and

  • Changed the default serializer on pyramid.session.SignedCookieSessionFactory to use pyramid.session.JSONSerializer instead of pyramid.session.PickleSerializer. Read “Upgrading Session Serialization” in the “What’s New in Pyramid 2.0” chapter of the documentation for more information about why this change was made. See

  • It is now possible to control whether a route pattern contains a trailing slash when it is composed with a route prefix using config.include(..., route_prefix=...) or with config.route_prefix_context(...). This can be done by specifying an empty pattern and setting the new argument inherit_slash=True. For example:

    with config.route_prefix_context('/users'):
        config.add_route('users', '', inherit_slash=True)

    In the example, the resulting pattern will be /users. Similarly, if the route prefix were /users/ then the final pattern would be /users/. If the pattern was '/', then the final pattern would always be /users/. This new setting is only available if the pattern supplied to add_route is the empty string (''). See

  • No longer define pyramid.request.Request.json_body which is already provided by WebOb. This allows the attribute to now be settable. See

  • Improve debugging info from pyramid.view.view_config decorator. See

  • A new parameter, allow_no_origin, was added to pyramid.config.Configurator.set_default_csrf_options as well as pyramid.csrf.check_csrf_origin. This option controls whether a request is rejected if it has no Origin or Referer header - often the result of a user configuring their browser not to send a Referer header for privacy reasons even on same-domain requests. The default is to reject requests without a known origin. It is also possible to allow the special Origin: null header by adding it to the pyramid.csrf_trusted_origins list in the settings. See and

  • A new parameter, check_origin, was added to pyramid.config.Configurator.set_default_csrf_options which disables origin checking entirely. See

  • Added pyramid.interfaces.IPredicateInfo which defines the object passed to predicate factories as their second argument. See

  • Added support for serving pre-compressed static assets by using the content_encodings argument of pyramid.config.Configurator.add_static_view and pyramid.static.static_view. See

  • Fix DeprecationWarning emitted by using the imp module. See

  • Properties created via config.add_request_method(..., property=True) or request.set_property used to be readonly. They can now be overridden via = ... and until the value is deleted it will return the overridden value. This is most useful when mocking request properties in testing. See

  • Finished callbacks are now executed as part of the closer that is invoked as part of pyramid.scripting.prepare and pyramid.paster.bootstrap. See

  • Added pyramid.request.RequestLocalCache which can be used to create simple objects that are shared across requests and can be used to store per-request data. This is useful when the source of data is external to the request itself. Often a reified property is used on a request via pyramid.config.Configurator.add_request_method, or pyramid.decorator.reify, and these work great when the data is generated on-demand when accessing the request property. However, often the case is that the data is generated when accessing some other system and then we want to cache the data for the duration of the request. See

  • Exposed pyramid.authorization.ALL_PERMISSIONS and pyramid.authorization.DENY_ALL such that all of the ACL-related constants are now importable from the pyramid.authorization namespace. See

  • pserve now outputs verbose messaging to stderr instead of stdout to circumvent buffering issues that exist by default on stdout. See


  • Deprecated the authentication and authorization interfaces and principal-based support. See “Upgrading Authentication/Authorization” in the “What’s New in Pyramid 2.0” chapter of the documentation for information on equivalent APIs and notes on upgrading. The following APIs are deprecated as a result of this change:

    • pyramid.config.Configurator.set_authentication_policy

    • pyramid.config.Configurator.set_authorization_policy

    • pyramid.interfaces.IAuthenticationPolicy

    • pyramid.interfaces.IAuthorizationPolicy

    • pyramid.request.Request.effective_principals

    • pyramid.request.Request.unauthenticated_userid

    • pyramid.authentication.AuthTktAuthenticationPolicy

    • pyramid.authentication.RemoteUserAuthenticationPolicy

    • pyramid.authentication.RepozeWho1AuthenticationPolicy

    • pyramid.authentication.SessionAuthenticationPolicy

    • pyramid.authentication.BasicAuthAuthenticationPolicy

    • pyramid.authorization.ACLAuthorizationPolicy

    • The effective_principals view and route predicates.


  • Deprecated This method continues to work with the deprecated pyramid.interfaces.IAuthorizationPolicy interface but will not work with the new pyramid.interfaces.ISecurityPolicy. See

  • Deprecated several ACL-related aspects of Equivalent objects should now be imported from the pyramid.authorization namespace. This includes:








  • Deprecated pyramid.session.PickleSerializer. See, and, and

Backward Incompatibilities

  • Drop support for Python 2.7, 3.4, and 3.5. See, and, and

  • Removed the pyramid.compat module. Integrators should use the six module or vendor shims they are using into their own codebases going forward.

  • pcreate and the builtin scaffolds have been removed in favor of using the cookiecutter tool and the pyramid-cookiecutter-starter cookiecutter. The script and scaffolds were deprecated in Pyramid 1.8. See

  • Changed the default hashalg on pyramid.authentication.AuthTktCookieHelper to sha512. See

  • Removed pyramid.interfaces.ITemplateRenderer. This interface was deprecated since Pyramid 1.5 and was an interface used by libraries like pyramid_mako and pyramid_chameleon but provided no functionality within Pyramid itself. See

  • Removed,,, and These methods were deprecated in Pyramid 1.5 and all have equivalents available as properties on the request. For example, request.authenticated_userid. See

  • Removed support for supplying a media range to the accept predicate of both pyramid.config.Configurator.add_view and pyramid.config.Configurator.add_route. These options were deprecated in Pyramid 1.10 and WebOb 1.8 because they resulted in uncontrollable matching that was not compliant with the RFC. See

  • Removed pyramid.session.UnencryptedCookieSessionFactoryConfig. This session factory was replaced with pyramid.session.SignedCookieSessionFactory in Pyramid 1.5 and has been deprecated since then. See

  • Removed pyramid.session.signed_serialize, and pyramid.session.signed_deserialize. These methods were only used by the now-removed pyramid.session.UnencryptedCookieSessionFactoryConfig and were coupled to the vulnerable pickle serialization format which could lead to remove code execution if the secret key is compromised. See

  • Changed the default serializer on pyramid.session.SignedCookieSessionFactory to use pyramid.session.JSONSerializer instead of pyramid.session.PickleSerializer. Read “Upgrading Session Serialization” in the “What’s New in Pyramid 2.0” chapter of the documentation for more information about why this change was made. See

  • pyramid.request.Request.invoke_exception_view will no longer be called by the default execution policy. See

  • pyramid.config.Configurator.scan will no longer, by default, execute Venusian decorator callbacks registered for categories other than 'pyramid'. To find any decorator regardless of category, specify config.scan(..., categories=None). See

  • The second argument to predicate factories has been changed from config to info, an instance of pyramid.interfaces.IPredicateInfo. This limits the data available to predicates but still provides the package, registry, settings and dotted-name resolver which should cover most use cases and is largely backward compatible. See

  • Removed the check_csrf predicate. Instead, use pyramid.config.Configurator.set_default_csrf_options and the require_csrf view option to enable automatic CSRF checking. See

  • Update the default behavior of pyramid.authenticationAuthTktAuthenticationPolicy and pyramid.authentication.AuthTktCookieHelper to only set a single cookie without a domain parameter when no other domain constraints are specified. Prior to this change, wild_domain=False (the default) was effectively treated the same as wild_domain=True, in which a cookie was defined such that browsers would use it both for the request’s domain, as well as any subdomain. In the new behavior, cookies will only affect the current domain, and not subdomains, by default. See

Documentation Changes