Update dependency twisted to v24 [SECURITY] #286
This PR contains the following updates:
twisted: ==23.10.0 -> ==24.7.0
GitHub Vulnerability Alerts
CVE-2024-41671
Summary
The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.
PoC
Impact
See GHSA-xc8x-vp79-p3wm. Further, for instances of twisted.web HTTP servers deployed behind reverse proxies that implement connection pooling, it may be possible for remote attackers to receive responses intended for other clients of the twisted.web server.
CVE-2024-41810
Summary
The twisted.web.util.redirectTo function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.
Details
Twisted’s redirectTo function generates an HTTP 302 Redirect response. The response contains an HTML body, built for exceptional cases where the browser doesn’t properly handle the redirect, allowing the user to click a link, navigating them to the specified destination.
The function reflects the destination URL in the HTML body without any output encoding.
If an attacker has full or partial control over redirect location due to an application bug, also known as an “Open Redirect”, they may inject arbitrary HTML into the response’s body, ultimately leading to an XSS attack.
It’s worth noting that the issue is known to maintainers and tracked with GitHub Issue #9839. The issue description, however, does not make any mention of exploitability and simply states: “…Browsers don't seem to actually render that page…”
PoC
The issue can be reproduced by running the following Twisted-based HTTP server locally:
Once running, navigate to the following URL:
http://127.0.0.1:9009?url=ws://example.com/"><script>alert(document.location)</script>
and verify that the “alert” dialog was displayed.
Note: Due to the different ways browsers validate the redirect Location header, this attack is possible only in Firefox. All other tested browsers will display an error message to the user and will not render the HTML body.
Impact
If successfully exploited, the issue will allow malicious JavaScript to run in the context of the victim's session. This will in turn lead to unauthorized access/modification to victim's account and information associated with it, or allow for unauthorized operations to be performed within the context of the victim's session.
Release Notes
twisted/twisted (twisted)
v24.7.0: Twisted 24.7.0
Twisted 24.7.0 (2024-08-08)
24.7.0.rc2 fixed an unreleased regression caused by PR 12109. (#12279)
No other changes since 24.7.0.rc2
Features
REMOTE_PORT. (#12096)
assert to check the type of the arguments. You should now use type checking to validate your code. These changes were done to reduce the CPU usage. (#12122)
Bugfixes
conch command-line no longer will either. (#12141)
Improved Documentation
Deprecations and Removals
return statement. (#9930)
twisted-iocpsupport is no longer a hard dependency on Windows. The IOCP support is now installed together with the other Windows soft dependencies via twisted[windows-platform]. (#11893)
This is done to have the same behaviour as with Python 3.13. (#12063)
async argument, deprecated since 18.9.0, has been removed. (#12130)
The SOAP support was already broken, for at least the last 4 years. The SOAP support in Twisted has no active maintainer. (#12146)
Misc
Conch
Bugfixes
Bugfixes
Deprecations and Removals
v24.3.0: Twisted 24.3.0
Twisted 24.3.0 (2024-03-01)
This release supports PyPy v7.3.14.
Bugfixes
flat function names, in format strings, as it has long been explicitly documented to do. So, you will now get the expected result from formatEvent("here's the result of calling a method at log-format time: {obj.method()}", obj=...) (#9347)
provided in the last chunk of a chunked encoded response, rather than raising an exception. (#11997)
twisted.protocols.tls.TLSMemoryBIOFactory, was refactored for improved performance when doing a high number of small writes. (#12011)
without triggering deprecation warnings on Python 3.12. (#12026)
reactor.spawnProcess, now copies the parent environment when the env=None argument is passed on Posix systems and os.posix_spawnp is used internally. (#12068)
introspection was adjusted for the latest PyPy 7.3.14 release, allowing legacy @inlineCallbacks to run on new PyPy versions. (#12084)
Deprecations and Removals
tests with skip annotation or skip attribute for Python 3.12.1 or newer. This is the result of upstream Python gh-106584 change. The behavior is not changed in 3.12.0 or older. (#12052)
Misc
#12067, #12076, #12078, #12087, #12095
Conch
No significant changes.
Web
Bugfixes
references long-deprecated cookielib and urllib2 standard library modules. (#12044)
Deprecations and Removals
multipart/form-data using email.message_from_bytes. The usage of cgi.parse_multipart was removed as the cgi module will be removed in Python 3.13. (#11848)
Misc
Mail
No significant changes.
Words
Improved Documentation
Names
No significant changes.
Trial
No significant changes.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.
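For the redirectTo HTML injection described under CVE-2024-41810 above, the following added example (not part of the PR, the advisory, or Twisted's code) shows the missing output encoding next to an application-side redirect allowlist. The BODY template, the function names, and the ALLOWED_HOSTS value are assumptions made for illustration; the sample input is the url parameter from the advisory's PoC URL.

```python
import html
from urllib.parse import urlsplit

# Constructed stand-in for a redirect page that links to the destination;
# modelled on the advisory's description, not copied from Twisted.
BODY = '<html><body><a href="%s">click here</a></body></html>'

# Value of the "url" query parameter in the advisory's PoC URL.
POC = 'ws://example.com/"><script>alert(document.location)</script>'

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"example.com"}  # hypothetical allowlist for this application


def body_unescaped(url: str) -> str:
    """Behaviour the advisory describes: URL reflected with no encoding."""
    return BODY % url


def body_escaped(url: str) -> str:
    """Same page with the URL encoded for an HTML attribute context."""
    return BODY % html.escape(url, quote=True)


def is_safe_redirect(url: str) -> bool:
    """Application-side check that removes the open redirect itself."""
    # Reject characters that never belong in a redirect target we issue.
    if any(c in '"<>\\' or ord(c) < 0x21 for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Same-site absolute path only; leading "//" would name another host.
        return url.startswith("/") and not url.startswith("//")
    return parts.scheme in ALLOWED_SCHEMES and parts.hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    print(body_unescaped(POC))   # markup breaks out of the href attribute
    print(body_escaped(POC))     # payload stays inert inside the attribute
    for target in ("/dashboard", "https://example.com/next", POC):
        print(target, "->", is_safe_redirect(target))
```

Upgrading the dependency addresses the library side; validating the redirect target in application code is still needed, because the open redirect is an application bug independent of how the body is rendered.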