Another note:

> twisted.web.client.Request and twisted.web.client.HTTPClient were both 
> vulnerable to header injection attacks. They now replace linear whitespace 
> ('r', 'n', and 'rn') with a single space. (#9421)

Headers now assumes the value is a list of strings (or bytes). It used to accept 
a list of arbitrary values. When using the twisted.web resource model (the 
IRequest.setHeader API) the value would be coerced.

This change actually broke some of my tests, though not any production code. I 
was passing a list where a scalar string was required (this, precisely: 
https://github.com/twisted/treq/pull/237). The result was a response with a 
header like:

    Foo: ['value']

That's not a useful feature in this case, so I am happy to have caught the bug, 
but it does seem like there may be real-world code this breaks. For example, 
request.setHeader('Retry-After', 10) would produce a valid header.

(Also the release note seems to be missing some backslashes in the bit I 
quoted.)

---Tom
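
The two behaviours discussed in the message above (the CR/LF replacement from #9421 and the stricter "list of str/bytes" check that turns the `Foo: ['value']` mistake into an error) as an added, self-contained model. This is example code written for this page, not Twisted's own implementation; the function names `normalize_header_value`, `set_raw_headers` and `render_headers` are hypothetical stand-ins for the Headers/setRawHeaders API.

```python
# Added example: a minimal model of the header handling described in the
# message (not Twisted's own code). It shows (a) the linear-whitespace
# replacement introduced by ticket #9421 and (b) the stricter type check
# that rejects a list passed where a scalar string belongs, instead of
# emitting "Foo: ['value']". All names here are hypothetical.
import re

# CRLF first so that a "\r\n" pair collapses to one space, not two.
_LINEAR_WS = re.compile(rb"\r\n|\r|\n")


def normalize_header_value(value):
    """Coerce one header value to bytes and neutralize CR/LF.

    str is encoded as UTF-8; bytes pass through; anything else (int,
    list, ...) is a programming error and is rejected. That is also why
    setHeader('Retry-After', 10) stops working under the new behaviour.
    """
    if isinstance(value, str):
        value = value.encode("utf-8")
    elif not isinstance(value, bytes):
        raise TypeError(
            "header value must be str or bytes, not %s" % type(value).__name__
        )
    # A bare CR or LF inside a value would terminate the header line and
    # let the remainder be parsed as a new header (header injection).
    return _LINEAR_WS.sub(b" ", value)


def set_raw_headers(headers, name, values):
    """Model of Headers.setRawHeaders: values must be a list of str/bytes."""
    if not isinstance(values, list):
        raise TypeError("values must be a list, not %s" % type(values).__name__)
    headers[name] = [normalize_header_value(v) for v in values]
    return headers


def render_headers(headers):
    """Serialize to wire format: one 'Name: value' line per value."""
    lines = []
    for name, values in headers.items():
        for v in values:
            lines.append(name.encode("ascii") + b": " + v + b"\r\n")
    return b"".join(lines) + b"\r\n"
```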

_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python