[Twisted-Python] Twisted 19.2.0rc1 Release Candidate Announcement

Tom Most twm at freecog.net
Wed Mar 6 00:24:47 MST 2019


Another note:

> twisted.web.client.Request and twisted.web.client.HTTPClient were both vulnerable to header injection attacks. They now replace linear whitespace ('r', 'n', and 'rn') with a single space. (#9421)

Headers now assumes the value is a list of strings (or bytes). It used to accept a list of arbitrary values. When using the twisted.web resource model (the IRequest.setHeader API) the value would be coerced.

This change actually broke some of my tests, though not any production code. I was passing a list where a scalar string was required (this, precisely: https://github.com/twisted/treq/pull/237). The result was a response with a header like:

    Foo: ['value']

That's not a useful feature in this case, so I am happy to have caught the bug, but it does seem like there may be real-world code this breaks. For example, request.setHeader('Retry-After', 10) would produce a valid header.

(Also the release note seems to be missing some backslashes in the bit I quoted.)

---Tom
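The header injection fix quoted above, shown as an added example that is not part of this message or of Twisted's own code. It uses a tiny stand-alone request serializer and parser (hypothetical names `serialize_request_vulnerable`, `serialize_request_hardened`, `parse_request_headers`) rather than twisted.web, so it runs without Twisted installed. The attacker-controlled header value is constructed for the example. `check_header_value` illustrates the kind of type check that would turn a value like `['value']` into an error instead of the `Foo: ['value']` line described in the message; it is not a description of how Headers implements its check.

```python
import re

# The three linear-whitespace sequences named in the release note.
# CRLF is listed first so it is consumed as one unit and becomes one space.
_LINEAR_WS = re.compile(rb"\r\n|\r|\n")


def sanitize_header_value(value: bytes) -> bytes:
    """Replace each CR, LF or CRLF in a header value with a single space."""
    return _LINEAR_WS.sub(b" ", value)


def check_header_value(value):
    """Accept only str or bytes; reject lists, ints and other types.

    Illustrative only: a list such as ['value'] stringified into a header
    would produce 'Foo: ['value']', so it is refused here instead.
    """
    if isinstance(value, bytes):
        return value
    if isinstance(value, str):
        return value.encode("ascii")
    raise TypeError("header value must be str or bytes, got %r" % type(value).__name__)


def serialize_request_vulnerable(method: bytes, path: bytes, headers) -> bytes:
    """Write header values verbatim (the pre-fix behaviour the note describes)."""
    lines = [method + b" " + path + b" HTTP/1.1"]
    for name, value in headers:
        lines.append(name + b": " + value)
    return b"\r\n".join(lines) + b"\r\n\r\n"


def serialize_request_hardened(method: bytes, path: bytes, headers) -> bytes:
    """Same serializer, but every value passes through sanitize_header_value."""
    lines = [method + b" " + path + b" HTTP/1.1"]
    for name, value in headers:
        lines.append(name + b": " + sanitize_header_value(value))
    return b"\r\n".join(lines) + b"\r\n\r\n"


def parse_request_headers(raw: bytes):
    """Minimal view of what a receiving server sees: a list of (name, value)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    result = []
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        result.append((name.strip(), value.strip()))
    return result


if __name__ == "__main__":
    # Constructed attacker-controlled value: a CRLF followed by a second header.
    injected = b"1\r\nX-Injected: yes"
    headers = [(b"Foo", injected)]

    before = parse_request_headers(serialize_request_vulnerable(b"GET", b"/", headers))
    after = parse_request_headers(serialize_request_hardened(b"GET", b"/", headers))
    print("vulnerable serializer, server sees:", before)
    print("hardened serializer, server sees:  ", after)

    for candidate in ("value", ["value"], 10):
        try:
            print("accepted:", check_header_value(candidate))
        except TypeError as exc:
            print("rejected:", exc)
```

With the vulnerable serializer the server parses two headers, `Foo: 1` and the attacker's `X-Injected: yes`; with the hardened one it parses a single `Foo: 1 X-Injected: yes`, which is exactly the effect of collapsing linear whitespace to one space. Note that the replacement does not reject the value, it only neutralises the line break, so a value that must not contain spaces still needs its own validation.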
