Author: jeremycline
Reviewer: hawkowl
Fixes: ticket:9668
Python 3.8 adds a new keyword argument, stacklevel, to its findCaller
function in commit dde9fdbe4539 ("bpo-33165: Added stacklevel parameter
to logging APIs. (GH-7424)"). As Twisted is replacing this method with
its own method, logging with STDLibLogObserver fails in Python 3.8. This
patch adds the argument, but does not use it as there is already a
stackDepth instance variable and the stackInfo on the method is also
ignored.
This patch fixes the logger tests that currently fail in Python 3.8.
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Author: markrwilliams
Reviewers: glyph
Fixes: ticket:9647
Twisted's HTTP client APIs were vulnerable to maliciously constructed
HTTP methods, hosts, and/or paths, URI components such as paths and
query parameters. These vulnerabilities were beyond the header name
and value injection vulnerabilities addressed in:
https://twistedmatrix.com/trac/ticket/9420https://github.com/twisted/twisted/pull/999/
The following client APIs will raise a ValueError if given a method,
host, or URI that includes newlines or other disallowed characters:
- twisted.web.client.Agent.request
- twisted.web.client.ProxyAgent.request
- twisted.web.client.Request.__init__
- twisted.web.client.Request.writeTo
ProxyAgent is patched separately from Agent because unlike other
agents (e.g. CookieAgent) it is not implemented as an Agent wrapper.
Request.__init__ checks its method and URI so that errors occur closer
to their originating input. Request.method and Request.uri are both
public APIs, however, so Request.writeTo (via Request._writeHeaders)
also checks the validity of both before writing anything to the wire.
Additionally, the following deprecated client APIs have also been
patched:
- twisted.web.client.HTTPPageGetter.__init__
- twisted.web.client.HTTPPageDownloader.__init__
- twisted.web.client.HTTPClientFactory.__init__
- twisted.web.client.HTTPClientFactory.setURL
- twisted.web.client.HTTPDownloader.__init__
- twisted.web.client.HTTPDownloader.setURL
- twisted.web.client.getPage
- twisted.web.client.downloadPage
These have been patched prior to their removal so that they won't be
vulnerable in the last Twisted release that includes them. They
represent a best effort, because testing every combination of these
public APIs would require more code than deprecated APIs warrant.
In all cases URI components, including hostnames, are restricted to
the characters allowed in path components. This mirrors the CPython
patch (for bpo-30458) that addresses equivalent vulnerabilities:
bb8071a4ca
HTTP methods, however, are checked against the set of characters
described in RFC-7230.
Tom Most
Amber H. Brown
Mark Williams
Ryan Van Gilder
Heather White
Jeremy Cline
Ralph Meijer
Jean-Paul Calderone
Glyph
Wilfredo Sánchez