Safety vulnerability ID: 38085
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Twisted 20.3.0 includes a fix for CVE-2020-10108: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.
Latest version: 24.10.0
An asynchronous networking framework written in Python
===========================
Bugfixes
--------
- twisted.protocols.amp.BoxDispatcher.callRemote and callRemoteString will no longer return failing Deferreds for requiresAnswer=False commands when the transport they're operating on has been disconnected. (9756)
Improved Documentation
----------------------
- Added a missing hyphen to a reference to the ``--debug`` option of ``pdb`` in the Trial how-to. (9690)
- The documentation of the twisted.cred.checkers module has been extended and corrected. (9724)
Deprecations and Removals
-------------------------
- twisted.news is deprecated. (9405)
Misc
----
- 9634, 9701, 9707, 9710, 9715, 9726, 9727, 9728, 9729, 9735, 9737, 9757
Conch
-----
Features
~~~~~~~~
- twisted.conch.ssh now supports the curve25519-sha256 key exchange algorithm (requires OpenSSL >= 1.1.0). (6814)
- twisted.conch.ssh.keys can now write private keys in the new "openssh-key-v1" format, introduced in OpenSSH 6.5 and made the default in OpenSSH 7.8. ckeygen has a corresponding new --private-key-subtype=v1 option. (9683)
Bugfixes
~~~~~~~~
- twisted.conch.keys.Key.privateBlob now returns the correct blob format for ECDSA (i.e. the same as that implemented by OpenSSH). (9682)
Misc
~~~~
- 9760
Web
---
Bugfixes
~~~~~~~~
- Fixed return type of twisted.web.http.Request.getUser and twisted.web.http.Request.getPassword to binary if no authorization header was found or an exception was thrown (9596)
- twisted.web.http.HTTPChannel now rejects requests (with status code 400 and a drop) that have malformed headers of the form "Foo : value" or ": value". (9646)
- twisted.web.http.Request now correctly parses multipart-encoded form data submitted as a chunked request on Python 3.7+. (9678)
- twisted.web.client.BrowserLikePolicyForHTTPS is now listed in __all__, since it's a user-facing class that anyone could import and extend. (9769)
- twisted.web.http was subject to several request smuggling attacks. Requests with multiple Content-Length headers were allowed (CVE-2020-10108, thanks to Jake Miller from Bishop Fox and ZeddYu Lu for reporting this) and now fail with a 400; requests with a Content-Length header and a Transfer-Encoding header honored the first header (CVE-2020-10109, thanks to Jake Miller from Bishop Fox for reporting this) and now fail with a 400; requests whose Transfer-Encoding header had a value other than "chunked" and "identity" (thanks to ZeddYu Lu) were allowed and now fail with a 400. (9770)
Mail
----
Misc
~~~~
- 9733
Words
-----
Bugfixes
~~~~~~~~
- Fixed parsing of streams with Python 3.8 when there are spaces in namespaces or namespaced attributes in twisted.words.xish.domish.ExpatElementStream (9730)
Names
-----
Bugfixes
~~~~~~~~
- twisted.names.secondary.SecondaryAuthority now accepts str for its domain parameter, so twist dns --secondary now functions on Python 3. (9496)
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application