Safety vulnerability ID: 73795
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of Twisted are vulnerable to XSS. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL, this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.
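As an added illustration, not Twisted's own code, the stand-in below models the fallback-body behaviour the advisory describes: the redirect URL pasted into the HTML body verbatim (the injection) versus HTML-escaped as in the fix, plus the target check an application should apply before handing an attacker-controllable URL to any redirect helper. `render_redirect_body`, `is_safe_redirect_target` and the markup template are hypothetical simplifications, not the library's implementation.

```python
import html
from urllib.parse import urlsplit

# Constructed sample input: a redirect target carrying HTML markup.
CONSTRUCTED_URL = "https://example.com/?next=<script>x</script>"


def render_redirect_body(url: str, escape: bool) -> str:
    """Build a simplified redirect fallback body.

    escape=False models the vulnerable behaviour: the URL lands in the HTML
    unmodified, so any markup it carries is interpreted by the browser.
    escape=True models the fix: the URL is HTML-escaped (quote=True also
    neutralises '"' so the attribute context cannot be broken out of).
    """
    target = html.escape(url, quote=True) if escape else url
    return (
        "<html><head>"
        f'<meta http-equiv="refresh" content="0;URL={target}">'
        "</head><body>"
        f'<a href="{target}">click here</a>'
        "</body></html>"
    )


def is_safe_redirect_target(url: str, allowed_hosts: frozenset[str]) -> bool:
    """Defensive check for application code: accept only same-site relative
    paths or absolute http(s) URLs whose host is on an allowlist.

    Escaping the body fixes the XSS, but a user-controlled redirect target is
    still an open redirect unless the application constrains it.
    """
    parts = urlsplit(url)
    # Relative path such as "/account"; "//host/..." is protocol-relative and
    # parses with a netloc, so it is rejected by the netloc condition.
    if parts.scheme == "" and parts.netloc == "" and parts.path.startswith("/"):
        return True
    # Absolute URL: scheme must be http/https (rules out javascript:, data:)
    # and the host must be explicitly allowed.
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts
```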
Latest version: 24.10.0
An asynchronous networking framework written in Python
Security Advisories
-------------------
- twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2, CVE-2024-41810). (9839)
- The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure (CVE-2024-41671/GHSA-c8m8-j448-xjx7). (12248)
Features
--------
- twisted.protocols.ftp now supports the IPv6 extensions defined in RFC 2428. (9645)
- twisted.internet.defer.inlineCallbacks can now yield a coroutine. (9972)
- twisted.python._shellcomp.ZshArgumentsGenerator was updated for Python 3.13. (12065)
- twisted.web.wsgi request environment now contains the peer port number as `REMOTE_PORT`. (12096)
- twisted.internet.defer.Deferred.callback() and twisted.internet.defer.Deferred.addCallbacks() no longer use `assert` to check the type of their arguments. You should now use type checking to validate your code. These changes were made to reduce CPU usage. (12122)
- Added two new methods, twisted.logger.Logger.failuresHandled and twisted.logger.Logger.failureHandler, which allow for more concise and convenient handling of exceptions when dispatching out to application code. The former can arbitrarily customize failure handling at the call site, and the latter can be used for performance-sensitive cases where no additional information needs to be logged. (12188)
- twisted.internet.defer.Deferred.addCallback now runs about 10% faster. (12223)
- twisted.internet.defer.Deferred error handling is now faster, taking 40% less time to run. (12227)
Bugfixes
--------
- twisted.internet.ssl.Certificate.__repr__ can now handle certificates without a common name (CN) in the certificate itself or the signing CA. (5851)
- Type annotations have been added to twisted.conch.interfaces.IKnownHostEntry and its implementations, twisted.conch.client.knownhosts.PlainHost and twisted.conch.client.knownhosts.HashedHost, correcting a variety of type confusion issues throughout the conch client code. (9713)
- twisted.python.failure.Failure once again uses the custom pickling logic it used in the past. (12112)
- twisted.conch.client.knownhosts.KnownHostsFile.verifyHostKey no longer logs an exception when automatically adding an IP address host key, which means the interactive `conch` command-line no longer will either. (12141)
Improved Documentation
----------------------
- The IRC server example found in the documentation was updated for readability. (12097)
- Removed contextvars from the list of optional dependencies. (12128)
- The documentation for installing Twisted was moved into a single page. (12145)
- The project's compatibility policy now clearly indicates that the GitHub Actions test matrix defines the supported platforms. (12167)
- Updated the imap4client.py example so that it no longer references Python 2. (12252)
Deprecations and Removals
-------------------------
- twisted.internet.defer.returnValue has been deprecated. You can replace it with the standard `return` statement. (9930)
- The `twisted-iocpsupport` is no longer a hard dependency on Windows.
The IOCP support is now installed together with the other Windows soft
dependencies via `twisted[windows-platform]`. (11893)
- The twisted.python.deprecate helper function now always strips whitespace from docstrings.
This is done to match the behaviour of Python 3.13. (12063)
- The `async` argument of twisted.conch.manhole.ManholeInterpreter.write, twisted.conch.manhole.ManholeInterpreter.addOutput and twisted.mail.imap4.IMAP4Server.sendUntaggedResponse, deprecated since 18.9.0, has been removed. (12130)
- twisted.web.soap was removed.
The SOAP support was already broken, for at least the last 4 years.
The SOAP support in Twisted has no active maintainer. (12146)
Misc
----
- 11744, 11771, 12113, 12154, 12169, 12179, 12193, 12195, 12197, 12215, 12221, 12243, 12249, 12254, 12259, 12669
Conch
-----
Bugfixes
~~~~~~~~
- twisted.conch.insults.window.Widget.functionKeyReceived now dispatches functional key events to corresponding `func_KEYNAME` methods, where `KEYNAME` can be `F1`, `F2`, `HOME`, `UP_ARROW` etc. This is a regression introduced with 8214 in Twisted 16.5.0, where events changed from `const` objects to bytestrings in square brackets like `[F1]`. (12046)
Web
---
Features
~~~~~~~~
- twisted.web.agent.Agent now allows duplicate Content-Length headers having the same value, per RFC 9110 section 8.6. It is otherwise more strict when parsing Content-Length header values. (9064)
- twisted.web.client.HTTPConnectionPool used by HTTP clients now runs faster by using a little less CPU. (12108)
- twisted.web.http_headers now uses less CPU, making a small HTTP client request 10% faster or so. (12116)
- twisted.web's HTTP/1.1 server now runs a little faster, with about 10% lower CPU overhead. (12133)
- twisted.web's HTTP 1.1 server is an additional 5% faster. (12155)
Bugfixes
~~~~~~~~
- twisted.web.http.IM_A_TEAPOT was added and returns `I'm a teapot`
as default message for the status code 418,
as defined in RFC 2324 section 2.3.2. (12104)
- The HTTP 1.0/1.1 server provided by twisted.web is now more picky about the first line of a request, improving compliance with RFC 9112. (12233)
- The HTTP 1.0/1.1 server provided by twisted.web now constrains the character set of HTTP header names, improving compliance with RFC 9110. (12235)
Improved Documentation
~~~~~~~~~~~~~~~~~~~~~~
- Fix ReverseProxyResource example in developer guide. (12152)
Deprecations and Removals
~~~~~~~~~~~~~~~~~~~~~~~~~
- twisted.web.util.ChildRedirector, which has never worked on Python 3, has been removed. (9591)
- ``twisted.web.http.Request.setResponseCode()`` no longer validates the types of its inputs; we encourage you to use a type checker like mypy to catch this sort of error. The long-deprecated ``twisted.web.server.string_date_time()`` and ``twisted.web.server.date_time_string()`` APIs were removed altogether. (12133)
- twisted.web.http.HTTPClient is now deprecated in favor of twisted.web.client.Agent. (12158)
Misc
~~~~
- 12098, 12194, 12200, 12241, 12257
Mail
----
No significant changes.
Words
-----
No significant changes.
Names
-----
No significant changes.
Trial
-----
No significant changes.