
twisted / twisted / 6665
82%

Build:
DEFAULT BRANCH: trunk
Ran 10 Jun 2019 11:16PM UTC
Jobs 6
Files 870
Run time 12min

pending completion
6665

cron

travis-ci

web-flow
Prevent CRLF injections described in CVE-2019-12387

Author: markrwilliams

Reviewers: glyph

Fixes: ticket:9647

Twisted's HTTP client APIs were vulnerable to maliciously constructed
HTTP methods, hosts, and/or paths, URI components such as paths and
query parameters.  These vulnerabilities were beyond the header name
and value injection vulnerabilities addressed in:

https://twistedmatrix.com/trac/ticket/9420
https://github.com/twisted/twisted/pull/999/

The following client APIs will raise a ValueError if given a method,
host, or URI that includes newlines or other disallowed characters:

- twisted.web.client.Agent.request
- twisted.web.client.ProxyAgent.request
- twisted.web.client.Request.__init__
- twisted.web.client.Request.writeTo

ProxyAgent is patched separately from Agent because unlike other
agents (e.g. CookieAgent) it is not implemented as an Agent wrapper.

Request.__init__ checks its method and URI so that errors occur closer
to their originating input.  Request.method and Request.uri are both
public APIs, however, so Request.writeTo (via Request._writeHeaders)
also checks the validity of both before writing anything to the wire.

Additionally, the following deprecated client APIs have also been
patched:

- twisted.web.client.HTTPPageGetter.__init__
- twisted.web.client.HTTPPageDownloader.__init__
- twisted.web.client.HTTPClientFactory.__init__
- twisted.web.client.HTTPClientFactory.setURL
- twisted.web.client.HTTPDownloader.__init__
- twisted.web.client.HTTPDownloader.setURL
- twisted.web.client.getPage
- twisted.web.client.downloadPage

These have been patched prior to their removal so that they won't be
vulnerable in the last Twisted release that includes them.  They
represent a best effort, because testing every combination of these
public APIs would require more code than deprecated APIs warrant.

In all cases URI components, including hostnames, are restricted to
the characters allo... (continued)
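
The two-layer check the commit message describes (validate in the constructor, then validate again before writing because the method and URI attributes are public), as an added illustration that is not Twisted's code or part of the commit. The class `SketchRequest`, the helper names and the allowed-character rules (RFC 7230 token characters for the method, printable non-space ASCII for URI and host) are assumptions, since the commit's own character set is cut off above.

```python
import re

# Assumption: RFC 7230 "token" characters for the method.
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Assumption: printable, non-space ASCII for the request target and host.
_URI = re.compile(rb"[\x21-\x7e]+")


def _check(kind, pattern, value):
    """Raise ValueError unless every byte of value is allowed."""
    if not isinstance(value, bytes) or not pattern.fullmatch(value):
        raise ValueError("Invalid %s %r" % (kind, value))
    return value


class SketchRequest:
    """Hypothetical stand-in for an HTTP client request object."""

    def __init__(self, method, uri, host):
        # First check: fail close to the input that caused the problem.
        self.method = _check("method", _TOKEN, method)
        self.uri = _check("URI", _URI, uri)
        self.host = _check("host", _URI, host)

    def request_head(self):
        # Second check: the attributes are public and may have been
        # reassigned since __init__, so validate again before any bytes
        # are produced for the wire.
        method = _check("method", _TOKEN, self.method)
        uri = _check("URI", _URI, self.uri)
        host = _check("host", _URI, self.host)
        return b"%s %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (method, uri, host)


def rejected(fn):
    """Return True if fn() raises ValueError."""
    try:
        fn()
    except ValueError:
        return True
    return False


# Constructed sample inputs.
GOOD = SketchRequest(b"GET", b"/index?q=1", b"example.com")
BAD_URI = b"/a HTTP/1.1\r\nX-Injected: 1\r\n\r\n"
```

Without the second check in `request_head`, assigning `BAD_URI` to `uri` after construction would put an extra header line and an early end-of-headers on the wire.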

21804 of 27203 branches covered (80.15%)

138615 of 151762 relevant lines covered (91.34%)

5.2 hits per line

Jobs
ID | Job ID | Ran | Files | Coverage
2 | 6665.2 (TOXENV=py27-alldeps-withcov-posix,coverage-prepare,codecov-push,coveralls-push) | 10 Jun 2019 11:19PM UTC | 0 | 90.41
3 | 6665.3 (TOXENV=py27-nodeps-withcov-posix,coverage-prepare,codecov-push,coveralls-push) | 10 Jun 2019 11:16PM UTC | 0 | 80.02
4 | 6665.4 (TOXENV=py35-alldeps-withcov-posix,coverage-prepare,codecov-push,coveralls-push) | 10 Jun 2019 11:18PM UTC | 0 | 90.68
5 | 6665.5 (TOXENV=py36-alldeps-withcov-posix,coverage-prepare,codecov-push,coveralls-push) | 10 Jun 2019 11:19PM UTC | 0 | 90.68
6 | 6665.6 (TOXENV=py37-alldeps-withcov-posix,coverage-prepare,codecov-push,coveralls-push) | 10 Jun 2019 11:23PM UTC | 0 | 90.67
8 | 6665.8 (TOXENV=py36-alldeps-withcov-posix,coverage-prepare,codecov-push,coveralls-push DISABLE_IPV6=yes) | 10 Jun 2019 11:27PM UTC | 0 | 90.68
Source Files on build 6665
Detailed source file information is not available for this build.
  • Back to Repo
  • Travis Build #6665
  • 6c61fc45 on github
  • Prev Build on trunk (#6654)
  • Next Build on trunk (#6667)