diff -Nru twisted-18.9.0/debian/changelog twisted-18.9.0/debian/changelog --- twisted-18.9.0/debian/changelog 2019-08-28 13:00:59.000000000 +0000 +++ twisted-18.9.0/debian/changelog 2020-03-16 16:51:15.000000000 +0000 @@ -1,3 +1,36 @@ +twisted (18.9.0-3ubuntu1.1) eoan-security; urgency=medium + + * SECURITY UPDATE: incorrect URI and HTTP method validation + - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in + src/twisted/web/_newclient.py, src/twisted/web/client.py, + src/twisted/web/test/injectionhelpers.py, + src/twisted/web/test/test_agent.py, + src/twisted/web/test/test_webclient.py. + - CVE-2019-12387 + * SECURITY UPDATE: incorrect cert validation in XMPP support + - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement + certificate checking. + - CVE-2019-12855 + * SECURITY UPDATE: HTTP/2 denial of service issues + - debian/patches/CVE-2019-951x.patch: buffer outbound control frames + and timeout invalid clients in src/twisted/web/_http2.py, + src/twisted/web/error.py, src/twisted/web/http.py, + src/twisted/web/test/test_http.py, + src/twisted/web/test/test_http2.py. + - CVE-2019-9512 + - CVE-2019-9514 + - CVE-2019-9515 + * SECURITY UPDATE: request smuggling attacks + - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce + duplication in src/twisted/web/test/test_http.py. + - debian/patches/CVE-2020-1010x.patch: fix several request smuggling + attacks in src/twisted/web/http.py, + src/twisted/web/test/test_http.py. + - CVE-2020-10108 + - CVE-2020-10109 + + -- Marc Deslauriers Mon, 16 Mar 2020 12:51:15 -0400 + twisted (18.9.0-3ubuntu1) eoan; urgency=medium * Add missing Depends for python{,3}-idna to python{,3}-twisted-core, as diff -Nru twisted-18.9.0/debian/patches/CVE-2019-12387.patch twisted-18.9.0/debian/patches/CVE-2019-12387.patch --- twisted-18.9.0/debian/patches/CVE-2019-12387.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-18.9.0/debian/patches/CVE-2019-12387.patch 2020-03-16 16:49:41.000000000 +0000 @@ -0,0 +1,962 @@ +Backport of: + +From 6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2 Mon Sep 17 00:00:00 2001 +From: Mark Williams +Date: Wed, 5 Jun 2019 00:03:37 -0700 +Subject: [PATCH] Prevent CRLF injections described in CVE-2019-12387 + +Author: markrwilliams + +Reviewers: glyph + +Fixes: ticket:9647 + +Twisted's HTTP client APIs were vulnerable to maliciously constructed +HTTP methods, hosts, and/or paths, URI components such as paths and +query parameters. These vulnerabilities were beyond the header name +and value injection vulnerabilities addressed in: + +https://twistedmatrix.com/trac/ticket/9420 +https://github.com/twisted/twisted/pull/999/ + +The following client APIs will raise a ValueError if given a method, +host, or URI that includes newlines or other disallowed characters: + +- twisted.web.client.Agent.request +- twisted.web.client.ProxyAgent.request +- twisted.web.client.Request.__init__ +- twisted.web.client.Request.writeTo + +ProxyAgent is patched separately from Agent because unlike other +agents (e.g. CookieAgent) it is not implemented as an Agent wrapper. + +Request.__init__ checks its method and URI so that errors occur closer +to their originating input. Request.method and Request.uri are both +public APIs, however, so Request.writeTo (via Request._writeHeaders) +also checks the validity of both before writing anything to the wire. + +Additionally, the following deprecated client APIs have also been +patched: + +- twisted.web.client.HTTPPageGetter.__init__ +- twisted.web.client.HTTPPageDownloader.__init__ +- twisted.web.client.HTTPClientFactory.__init__ +- twisted.web.client.HTTPClientFactory.setURL +- twisted.web.client.HTTPDownloader.__init__ +- twisted.web.client.HTTPDownloader.setURL +- twisted.web.client.getPage +- twisted.web.client.downloadPage + +These have been patched prior to their removal so that they won't be +vulnerable in the last Twisted release that includes them. They +represent a best effort, because testing every combination of these +public APIs would require more code than deprecated APIs warrant. + +In all cases URI components, including hostnames, are restricted to +the characters allowed in path components. This mirrors the CPython +patch (for bpo-30458) that addresses equivalent vulnerabilities: + +https://github.com/python/cpython/commit/bb8071a4cae5ab3fe321481dd3d73662ffb26052 + +HTTP methods, however, are checked against the set of characters +described in RFC-7230. +--- + src/twisted/web/_newclient.py | 85 +++++- + src/twisted/web/client.py | 22 +- + src/twisted/web/newsfragments/9647.bugfix | 1 + + src/twisted/web/test/injectionhelpers.py | 168 ++++++++++++ + src/twisted/web/test/test_agent.py | 147 +++++++++- + src/twisted/web/test/test_webclient.py | 313 +++++++++++++++++++++- + 6 files changed, 725 insertions(+), 11 deletions(-) + create mode 100644 src/twisted/web/newsfragments/9647.bugfix + create mode 100644 src/twisted/web/test/injectionhelpers.py + +--- a/src/twisted/web/_newclient.py ++++ b/src/twisted/web/_newclient.py +@@ -29,6 +29,8 @@ Various other classes in this module sup + from __future__ import division, absolute_import + __metaclass__ = type + ++import re ++ + from zope.interface import implementer + + from twisted.python.compat import networkString +@@ -579,6 +581,74 @@ class HTTPClientParser(HTTPParser): + + + ++_VALID_METHOD = re.compile( ++ br"\A[%s]+\Z" % ( ++ bytes().join( ++ ( ++ b"!", b"#", b"$", b"%", b"&", b"'", b"*", ++ b"+", b"-", b".", b"^", b"_", b"`", b"|", b"~", ++ b"\x30-\x39", ++ b"\x41-\x5a", ++ b"\x61-\x7A", ++ ), ++ ), ++ ), ++) ++ ++ ++ ++def _ensureValidMethod(method): ++ """ ++ An HTTP method is an HTTP token, which consists of any visible ++ ASCII character that is not a delimiter (i.e. one of ++ C{"(),/:;<=>?@[\\]{}}.) ++ ++ @param method: the method to check ++ @type method: L{bytes} ++ ++ @return: the method if it is valid ++ @rtype: L{bytes} ++ ++ @raise ValueError: if the method is not valid ++ ++ @see: U{https://tools.ietf.org/html/rfc7230#section-3.1.1}, ++ U{https://tools.ietf.org/html/rfc7230#section-3.2.6}, ++ U{https://tools.ietf.org/html/rfc5234#appendix-B.1} ++ """ ++ if _VALID_METHOD.match(method): ++ return method ++ raise ValueError("Invalid method {!r}".format(method)) ++ ++ ++ ++_VALID_URI = re.compile(br'\A[\x21-\x7e]+\Z') ++ ++ ++ ++def _ensureValidURI(uri): ++ """ ++ A valid URI cannot contain control characters (i.e., characters ++ between 0-32, inclusive and 127) or non-ASCII characters (i.e., ++ characters with values between 128-255, inclusive). ++ ++ @param uri: the URI to check ++ @type uri: L{bytes} ++ ++ @return: the URI if it is valid ++ @rtype: L{bytes} ++ ++ @raise ValueError: if the URI is not valid ++ ++ @see: U{https://tools.ietf.org/html/rfc3986#section-3.3}, ++ U{https://tools.ietf.org/html/rfc3986#appendix-A}, ++ U{https://tools.ietf.org/html/rfc5234#appendix-B.1} ++ """ ++ if _VALID_URI.match(uri): ++ return uri ++ raise ValueError("Invalid URI {!r}".format(uri)) ++ ++ ++ + @implementer(IClientRequest) + class Request: + """ +@@ -618,8 +688,8 @@ class Request: + connection, defaults to C{False}. + @type persistent: L{bool} + """ +- self.method = method +- self.uri = uri ++ self.method = _ensureValidMethod(method) ++ self.uri = _ensureValidURI(uri) + self.headers = headers + self.bodyProducer = bodyProducer + self.persistent = persistent +@@ -664,8 +734,15 @@ class Request: + # method would probably be good. It would be nice if this method + # weren't limited to issuing HTTP/1.1 requests. + requestLines = [] +- requestLines.append(b' '.join([self.method, self.uri, +- b'HTTP/1.1\r\n'])) ++ requestLines.append( ++ b' '.join( ++ [ ++ _ensureValidMethod(self.method), ++ _ensureValidURI(self.uri), ++ b'HTTP/1.1\r\n', ++ ] ++ ), ++ ) + if not self.persistent: + requestLines.append(b'Connection: close\r\n') + if TEorCL is not None: +--- a/src/twisted/web/client.py ++++ b/src/twisted/web/client.py +@@ -46,6 +46,9 @@ from twisted.web.iweb import UNKNOWN_LEN + from twisted.web.http_headers import Headers + from twisted.logger import Logger + ++from twisted.web._newclient import _ensureValidURI, _ensureValidMethod ++ ++ + + class PartialDownloadError(error.Error): + """ +@@ -77,11 +80,13 @@ class HTTPPageGetter(http.HTTPClient): + + _completelyDone = True + +- _specialHeaders = set((b'host', b'user-agent', b'cookie', b'content-length')) ++ _specialHeaders = set( ++ (b'host', b'user-agent', b'cookie', b'content-length'), ++ ) + + def connectionMade(self): +- method = getattr(self.factory, 'method', b'GET') +- self.sendCommand(method, self.factory.path) ++ method = _ensureValidMethod(getattr(self.factory, 'method', b'GET')) ++ self.sendCommand(method, _ensureValidURI(self.factory.path)) + if self.factory.scheme == b'http' and self.factory.port != 80: + host = self.factory.host + b':' + intToBytes(self.factory.port) + elif self.factory.scheme == b'https' and self.factory.port != 443: +@@ -361,7 +366,7 @@ class HTTPClientFactory(protocol.ClientF + # just in case a broken http/1.1 decides to keep connection alive + self.headers.setdefault(b"connection", b"close") + self.postdata = postdata +- self.method = method ++ self.method = _ensureValidMethod(method) + + self.setURL(url) + +@@ -388,6 +393,7 @@ class HTTPClientFactory(protocol.ClientF + return "<%s: %s>" % (self.__class__.__name__, self.url) + + def setURL(self, url): ++ _ensureValidURI(url.strip()) + self.url = url + uri = URI.fromBytes(url) + if uri.scheme and uri.host: +@@ -732,7 +738,7 @@ def _makeGetterFactory(url, factoryFacto + + @return: The factory created by C{factoryFactory} + """ +- uri = URI.fromBytes(url) ++ uri = URI.fromBytes(_ensureValidURI(url.strip())) + factory = factoryFactory(url, *args, **kwargs) + if uri.scheme == b'https': + from twisted.internet import ssl +@@ -1422,6 +1428,9 @@ class _AgentBase(object): + Issue a new request, given the endpoint and the path sent as part of + the request. + """ ++ ++ method = _ensureValidMethod(method) ++ + # Create minimal headers, if necessary: + if headers is None: + headers = Headers() +@@ -1646,6 +1655,7 @@ class Agent(_AgentBase): + + @see: L{twisted.web.iweb.IAgent.request} + """ ++ uri = _ensureValidURI(uri.strip()) + parsedURI = URI.fromBytes(uri) + try: + endpoint = self._getEndpoint(parsedURI) +@@ -1679,6 +1689,8 @@ class ProxyAgent(_AgentBase): + """ + Issue a new request via the configured proxy. + """ ++ uri = _ensureValidURI(uri.strip()) ++ + # Cache *all* connections under the same key, since we are only + # connecting to a single destination, the proxy: + key = ("http-proxy", self._proxyEndpoint) +--- /dev/null ++++ b/src/twisted/web/test/injectionhelpers.py +@@ -0,0 +1,168 @@ ++""" ++Helpers for URI and method injection tests. ++ ++@see: U{CVE-2019-12387} ++""" ++ ++import string ++ ++ ++UNPRINTABLE_ASCII = ( ++ frozenset(range(0, 128)) - ++ frozenset(bytearray(string.printable, 'ascii')) ++) ++ ++NONASCII = frozenset(range(128, 256)) ++ ++ ++ ++class MethodInjectionTestsMixin(object): ++ """ ++ A mixin that runs HTTP method injection tests. Define ++ L{MethodInjectionTestsMixin.attemptRequestWithMaliciousMethod} in ++ a L{twisted.trial.unittest.SynchronousTestCase} subclass to test ++ how HTTP client code behaves when presented with malicious HTTP ++ methods. ++ ++ @see: U{CVE-2019-12387} ++ """ ++ ++ def attemptRequestWithMaliciousMethod(self, method): ++ """ ++ Attempt to send a request with the given method. This should ++ synchronously raise a L{ValueError} if either is invalid. ++ ++ @param method: the method (e.g. C{GET\x00}) ++ ++ @param uri: the URI ++ ++ @type method: ++ """ ++ raise NotImplementedError() ++ ++ ++ def test_methodWithCLRFRejected(self): ++ """ ++ Issuing a request with a method that contains a carriage ++ return and line feed fails with a L{ValueError}. ++ """ ++ with self.assertRaises(ValueError) as cm: ++ method = b"GET\r\nX-Injected-Header: value" ++ self.attemptRequestWithMaliciousMethod(method) ++ self.assertRegex(str(cm.exception), "^Invalid method") ++ ++ ++ def test_methodWithUnprintableASCIIRejected(self): ++ """ ++ Issuing a request with a method that contains unprintable ++ ASCII characters fails with a L{ValueError}. ++ """ ++ for c in UNPRINTABLE_ASCII: ++ method = b"GET%s" % (bytearray([c]),) ++ with self.assertRaises(ValueError) as cm: ++ self.attemptRequestWithMaliciousMethod(method) ++ self.assertRegex(str(cm.exception), "^Invalid method") ++ ++ ++ def test_methodWithNonASCIIRejected(self): ++ """ ++ Issuing a request with a method that contains non-ASCII ++ characters fails with a L{ValueError}. ++ """ ++ for c in NONASCII: ++ method = b"GET%s" % (bytearray([c]),) ++ with self.assertRaises(ValueError) as cm: ++ self.attemptRequestWithMaliciousMethod(method) ++ self.assertRegex(str(cm.exception), "^Invalid method") ++ ++ ++ ++class URIInjectionTestsMixin(object): ++ """ ++ A mixin that runs HTTP URI injection tests. Define ++ L{MethodInjectionTestsMixin.attemptRequestWithMaliciousURI} in a ++ L{twisted.trial.unittest.SynchronousTestCase} subclass to test how ++ HTTP client code behaves when presented with malicious HTTP ++ URIs. ++ """ ++ ++ def attemptRequestWithMaliciousURI(self, method): ++ """ ++ Attempt to send a request with the given URI. This should ++ synchronously raise a L{ValueError} if either is invalid. ++ ++ @param uri: the URI. ++ ++ @type method: ++ """ ++ raise NotImplementedError() ++ ++ ++ def test_hostWithCRLFRejected(self): ++ """ ++ Issuing a request with a URI whose host contains a carriage ++ return and line feed fails with a L{ValueError}. ++ """ ++ with self.assertRaises(ValueError) as cm: ++ uri = b"http://twisted\r\n.invalid/path" ++ self.attemptRequestWithMaliciousURI(uri) ++ self.assertRegex(str(cm.exception), "^Invalid URI") ++ ++ ++ def test_hostWithWithUnprintableASCIIRejected(self): ++ """ ++ Issuing a request with a URI whose host contains unprintable ++ ASCII characters fails with a L{ValueError}. ++ """ ++ for c in UNPRINTABLE_ASCII: ++ uri = b"http://twisted%s.invalid/OK" % (bytearray([c]),) ++ with self.assertRaises(ValueError) as cm: ++ self.attemptRequestWithMaliciousURI(uri) ++ self.assertRegex(str(cm.exception), "^Invalid URI") ++ ++ ++ def test_hostWithNonASCIIRejected(self): ++ """ ++ Issuing a request with a URI whose host contains non-ASCII ++ characters fails with a L{ValueError}. ++ """ ++ for c in NONASCII: ++ uri = b"http://twisted%s.invalid/OK" % (bytearray([c]),) ++ with self.assertRaises(ValueError) as cm: ++ self.attemptRequestWithMaliciousURI(uri) ++ self.assertRegex(str(cm.exception), "^Invalid URI") ++ ++ ++ def test_pathWithCRLFRejected(self): ++ """ ++ Issuing a request with a URI whose path contains a carriage ++ return and line feed fails with a L{ValueError}. ++ """ ++ with self.assertRaises(ValueError) as cm: ++ uri = b"http://twisted.invalid/\r\npath" ++ self.attemptRequestWithMaliciousURI(uri) ++ self.assertRegex(str(cm.exception), "^Invalid URI") ++ ++ ++ def test_pathWithWithUnprintableASCIIRejected(self): ++ """ ++ Issuing a request with a URI whose path contains unprintable ++ ASCII characters fails with a L{ValueError}. ++ """ ++ for c in UNPRINTABLE_ASCII: ++ uri = b"http://twisted.invalid/OK%s" % (bytearray([c]),) ++ with self.assertRaises(ValueError) as cm: ++ self.attemptRequestWithMaliciousURI(uri) ++ self.assertRegex(str(cm.exception), "^Invalid URI") ++ ++ ++ def test_pathWithNonASCIIRejected(self): ++ """ ++ Issuing a request with a URI whose path contains non-ASCII ++ characters fails with a L{ValueError}. ++ """ ++ for c in NONASCII: ++ uri = b"http://twisted.invalid/OK%s" % (bytearray([c]),) ++ with self.assertRaises(ValueError) as cm: ++ self.attemptRequestWithMaliciousURI(uri) ++ self.assertRegex(str(cm.exception), "^Invalid URI") +--- a/src/twisted/web/test/test_agent.py ++++ b/src/twisted/web/test/test_agent.py +@@ -11,7 +11,7 @@ from io import BytesIO + + from zope.interface.verify import verifyObject + +-from twisted.trial.unittest import TestCase ++from twisted.trial.unittest import TestCase, SynchronousTestCase + from twisted.web import client, error, http_headers + from twisted.web._newclient import RequestNotSent, RequestTransmissionFailed + from twisted.web._newclient import ResponseNeverReceived, ResponseFailed +@@ -50,6 +50,10 @@ from twisted.internet.endpoints import H + from twisted.test.proto_helpers import AccumulatingProtocol + from twisted.test.iosim import IOPump, FakeTransport + from twisted.test.test_sslverify import certificatesForAuthorityAndServer ++from twisted.web.test.injectionhelpers import ( ++ MethodInjectionTestsMixin, ++ URIInjectionTestsMixin, ++) + from twisted.web.error import SchemeNotSupported + from twisted.logger import globalLogPublisher + +@@ -886,6 +890,7 @@ class AgentTests(TestCase, FakeReactorAn + """ + Tests for the new HTTP client API provided by L{Agent}. + """ ++ + def makeAgent(self): + """ + @return: a new L{twisted.web.client.Agent} instance +@@ -1307,6 +1312,48 @@ class AgentTests(TestCase, FakeReactorAn + + + ++class AgentMethodInjectionTests( ++ FakeReactorAndConnectMixin, ++ MethodInjectionTestsMixin, ++ SynchronousTestCase, ++): ++ """ ++ Test L{client.Agent} against HTTP method injections. ++ """ ++ ++ def attemptRequestWithMaliciousMethod(self, method): ++ """ ++ Attempt a request with the provided method. ++ ++ @param method: see L{MethodInjectionTestsMixin} ++ """ ++ agent = client.Agent(self.createReactor()) ++ uri = b"http://twisted.invalid" ++ agent.request(method, uri, client.Headers(), None) ++ ++ ++ ++class AgentURIInjectionTests( ++ FakeReactorAndConnectMixin, ++ URIInjectionTestsMixin, ++ SynchronousTestCase, ++): ++ """ ++ Test L{client.Agent} against URI injections. ++ """ ++ ++ def attemptRequestWithMaliciousURI(self, uri): ++ """ ++ Attempt a request with the provided method. ++ ++ @param uri: see L{URIInjectionTestsMixin} ++ """ ++ agent = client.Agent(self.createReactor()) ++ method = b"GET" ++ agent.request(method, uri, client.Headers(), None) ++ ++ ++ + class AgentHTTPSTests(TestCase, FakeReactorAndConnectMixin, + IntegrationTestingMixin): + """ +@@ -3105,3 +3152,101 @@ class ReadBodyTests(TestCase): + + warnings = self.flushWarnings() + self.assertEqual(len(warnings), 0) ++ ++ ++ ++class RequestMethodInjectionTests( ++ MethodInjectionTestsMixin, ++ SynchronousTestCase, ++): ++ """ ++ Test L{client.Request} against HTTP method injections. ++ """ ++ ++ def attemptRequestWithMaliciousMethod(self, method): ++ """ ++ Attempt a request with the provided method. ++ ++ @param method: see L{MethodInjectionTestsMixin} ++ """ ++ client.Request( ++ method=method, ++ uri=b"http://twisted.invalid", ++ headers=http_headers.Headers(), ++ bodyProducer=None, ++ ) ++ ++ ++ ++class RequestWriteToMethodInjectionTests( ++ MethodInjectionTestsMixin, ++ SynchronousTestCase, ++): ++ """ ++ Test L{client.Request.writeTo} against HTTP method injections. ++ """ ++ ++ def attemptRequestWithMaliciousMethod(self, method): ++ """ ++ Attempt a request with the provided method. ++ ++ @param method: see L{MethodInjectionTestsMixin} ++ """ ++ headers = http_headers.Headers({b"Host": [b"twisted.invalid"]}) ++ req = client.Request( ++ method=b"GET", ++ uri=b"http://twisted.invalid", ++ headers=headers, ++ bodyProducer=None, ++ ) ++ req.method = method ++ req.writeTo(StringTransport()) ++ ++ ++ ++class RequestURIInjectionTests( ++ URIInjectionTestsMixin, ++ SynchronousTestCase, ++): ++ """ ++ Test L{client.Request} against HTTP URI injections. ++ """ ++ ++ def attemptRequestWithMaliciousURI(self, uri): ++ """ ++ Attempt a request with the provided URI. ++ ++ @param method: see L{URIInjectionTestsMixin} ++ """ ++ client.Request( ++ method=b"GET", ++ uri=uri, ++ headers=http_headers.Headers(), ++ bodyProducer=None, ++ ) ++ ++ ++ ++class RequestWriteToURIInjectionTests( ++ URIInjectionTestsMixin, ++ SynchronousTestCase, ++): ++ """ ++ Test L{client.Request.writeTo} against HTTP method injections. ++ """ ++ ++ def attemptRequestWithMaliciousURI(self, uri): ++ """ ++ Attempt a request with the provided method. ++ ++ @param method: see L{URIInjectionTestsMixin} ++ """ ++ headers = http_headers.Headers({b"Host": [b"twisted.invalid"]}) ++ req = client.Request( ++ method=b"GET", ++ uri=b"http://twisted.invalid", ++ headers=headers, ++ bodyProducer=None, ++ ) ++ req.uri = uri ++ req.writeTo(StringTransport()) +--- a/src/twisted/web/test/test_webclient.py ++++ b/src/twisted/web/test/test_webclient.py +@@ -7,6 +7,7 @@ Tests for the old L{twisted.web.client} + + from __future__ import division, absolute_import + ++import io + import os + from errno import ENOSPC + +@@ -20,7 +21,8 @@ from twisted.trial import unittest, util + from twisted.web import server, client, error, resource + from twisted.web.static import Data + from twisted.web.util import Redirect +-from twisted.internet import reactor, defer, interfaces ++from twisted.internet import address, reactor, defer, interfaces ++from twisted.internet.protocol import ClientFactory + from twisted.python.filepath import FilePath + from twisted.protocols.policies import WrappingFactory + from twisted.test.proto_helpers import ( +@@ -35,6 +37,12 @@ from twisted import test + from twisted.logger import (globalLogPublisher, FilteringLogObserver, + LogLevelFilterPredicate, LogLevel, Logger) + ++from twisted.web.test.injectionhelpers import ( ++ MethodInjectionTestsMixin, ++ URIInjectionTestsMixin, ++) ++ ++ + + serverPEM = FilePath(test.__file__).sibling('server.pem') + serverPEMPath = serverPEM.asBytesMode().path +@@ -1519,3 +1527,306 @@ class DeprecationTests(unittest.TestCase + L{client.HTTPDownloader} is deprecated. + """ + self._testDeprecatedClass("HTTPDownloader") ++ ++ ++ ++class GetPageMethodInjectionTests( ++ MethodInjectionTestsMixin, ++ unittest.SynchronousTestCase, ++): ++ """ ++ Test L{client.getPage} against HTTP method injections. ++ """ ++ ++ def attemptRequestWithMaliciousMethod(self, method): ++ """ ++ Attempt a request with the provided method. ++ ++ @param method: see L{MethodInjectionTestsMixin} ++ """ ++ uri = b'http://twisted.invalid' ++ client.getPage(uri, method=method) ++ ++ ++ ++class GetPageURIInjectionTests( ++ URIInjectionTestsMixin, ++ unittest.SynchronousTestCase, ++): ++ """ ++ Test L{client.getPage} against URI injections. ++ """ ++ ++ def attemptRequestWithMaliciousURI(self, uri): ++ """ ++ Attempt a request with the provided URI. ++ ++ @param uri: see L{URIInjectionTestsMixin} ++ """ ++ client.getPage(uri) ++ ++ ++ ++class DownloadPageMethodInjectionTests( ++ MethodInjectionTestsMixin, ++ unittest.SynchronousTestCase, ++): ++ """ ++ Test L{client.getPage} against HTTP method injections. ++ """ ++ ++ def attemptRequestWithMaliciousMethod(self, method): ++ """ ++ Attempt a request with the provided method. ++ ++ @param method: see L{MethodInjectionTestsMixin} ++ """ ++ uri = b'http://twisted.invalid' ++ client.downloadPage(uri, file=io.BytesIO(), method=method) ++ ++ ++ ++class DownloadPageURIInjectionTests( ++ URIInjectionTestsMixin, ++ unittest.SynchronousTestCase, ++): ++ """ ++ Test L{client.downloadPage} against URI injections. ++ """ ++ ++ def attemptRequestWithMaliciousURI(self, uri): ++ """ ++ Attempt a request with the provided URI. ++ ++ @param uri: see L{URIInjectionTestsMixin} ++ """ ++ client.downloadPage(uri, file=io.BytesIO()) ++ ++ ++ ++def makeHTTPPageGetterFactory(protocolClass, method, host, path): ++ """ ++ Make a L{ClientFactory} that can be used with ++ L{client.HTTPPageGetter} and its subclasses. ++ ++ @param protocolClass: The protocol class ++ @type protocolClass: A subclass of L{client.HTTPPageGetter} ++ ++ @param method: the HTTP method ++ ++ @param host: the host ++ ++ @param path: The URI path ++ ++ @return: A L{ClientFactory}. ++ """ ++ factory = ClientFactory.forProtocol(protocolClass) ++ ++ factory.method = method ++ factory.host = host ++ factory.path = path ++ ++ factory.scheme = b"http" ++ factory.port = 0 ++ factory.headers = {} ++ factory.agent = b"User/Agent" ++ factory.cookies = {} ++ ++ return factory ++ ++ ++ ++class HTTPPageGetterMethodInjectionTests( ++ MethodInjectionTestsMixin, ++ unittest.SynchronousTestCase, ++): ++ """ ++ Test L{client.HTTPPageGetter} against HTTP method injections. ++ """ ++ protocolClass = client.HTTPPageGetter ++ ++ def attemptRequestWithMaliciousMethod(self, method): ++ """ ++ Attempt a request with the provided method. ++ ++ @param method: L{MethodInjectionTestsMixin} ++ """ ++ transport = StringTransport() ++ factory = makeHTTPPageGetterFactory( ++ self.protocolClass, ++ method=method, ++ host=b"twisted.invalid", ++ path=b"/", ++ ) ++ getter = factory.buildProtocol( ++ address.IPv4Address("TCP", "127.0.0.1", 0), ++ ) ++ getter.makeConnection(transport) ++ ++ ++ ++class HTTPPageGetterURIInjectionTests( ++ URIInjectionTestsMixin, ++ unittest.SynchronousTestCase, ++): ++ """ ++ Test L{client.HTTPPageGetter} against HTTP URI injections. ++ """ ++ protocolClass = client.HTTPPageGetter ++ ++ def attemptRequestWithMaliciousURI(self, uri): ++ """ ++ Attempt a request with the provided URI. ++ ++ @param uri: L{URIInjectionTestsMixin} ++ """ ++ transport = StringTransport() ++ # Setting the host and path to the same value is imprecise but ++ # doesn't require parsing an invalid URI. ++ factory = makeHTTPPageGetterFactory( ++ self.protocolClass, ++ method=b"GET", ++ host=uri, ++ path=uri, ++ ) ++ getter = factory.buildProtocol( ++ address.IPv4Address("TCP", "127.0.0.1", 0), ++ ) ++ getter.makeConnection(transport) ++ ++ ++ ++class HTTPPageDownloaderMethodInjectionTests( ++ HTTPPageGetterMethodInjectionTests ++): ++ ++ """ ++ Test L{client.HTTPPageDownloader} against HTTP method injections. ++ """ ++ protocolClass = client.HTTPPageDownloader ++ ++ ++ ++class HTTPPageDownloaderURIInjectionTests( ++ HTTPPageGetterURIInjectionTests ++): ++ """ ++ Test L{client.HTTPPageDownloader} against HTTP URI injections. ++ """ ++ protocolClass = client.HTTPPageDownloader ++ ++ ++ ++class HTTPClientFactoryMethodInjectionTests( ++ MethodInjectionTestsMixin, ++ unittest.SynchronousTestCase, ++): ++ """ ++ Tests L{client.HTTPClientFactory} against HTTP method injections. ++ """ ++ ++ def attemptRequestWithMaliciousMethod(self, method): ++ """ ++ Attempt a request with the provided method. ++ ++ @param method: L{MethodInjectionTestsMixin} ++ """ ++ client.HTTPClientFactory(b"https://twisted.invalid", method) ++ ++ ++ ++class HTTPClientFactoryURIInjectionTests( ++ URIInjectionTestsMixin, ++ unittest.SynchronousTestCase, ++): ++ """ ++ Tests L{client.HTTPClientFactory} against HTTP URI injections. ++ """ ++ ++ def attemptRequestWithMaliciousURI(self, uri): ++ """ ++ Attempt a request with the provided URI. ++ ++ @param uri: L{URIInjectionTestsMixin} ++ """ ++ client.HTTPClientFactory(uri) ++ ++ ++ ++class HTTPClientFactorySetURLURIInjectionTests( ++ URIInjectionTestsMixin, ++ unittest.SynchronousTestCase, ++): ++ """ ++ Tests L{client.HTTPClientFactory.setURL} against HTTP URI injections. ++ """ ++ ++ def attemptRequestWithMaliciousURI(self, uri): ++ """ ++ Attempt a request with the provided URI. ++ ++ @param uri: L{URIInjectionTestsMixin} ++ """ ++ client.HTTPClientFactory(b"https://twisted.invalid").setURL(uri) ++ ++ ++ ++class HTTPDownloaderMethodInjectionTests( ++ MethodInjectionTestsMixin, ++ unittest.SynchronousTestCase, ++): ++ """ ++ Tests L{client.HTTPDownloader} against HTTP method injections. ++ """ ++ ++ def attemptRequestWithMaliciousMethod(self, method): ++ """ ++ Attempt a request with the provided method. ++ ++ @param method: L{MethodInjectionTestsMixin} ++ """ ++ client.HTTPDownloader( ++ b"https://twisted.invalid", ++ io.BytesIO(), ++ method=method, ++ ) ++ ++ ++ ++class HTTPDownloaderURIInjectionTests( ++ URIInjectionTestsMixin, ++ unittest.SynchronousTestCase, ++): ++ """ ++ Tests L{client.HTTPDownloader} against HTTP URI injections. ++ """ ++ ++ def attemptRequestWithMaliciousURI(self, uri): ++ """ ++ Attempt a request with the provided URI. ++ ++ @param uri: L{URIInjectionTestsMixin} ++ """ ++ client.HTTPDownloader(uri, io.BytesIO()) ++ ++ ++ ++class HTTPDownloaderSetURLURIInjectionTests( ++ URIInjectionTestsMixin, ++ unittest.SynchronousTestCase, ++): ++ """ ++ Tests L{client.HTTPDownloader.setURL} against HTTP URI injections. ++ """ ++ ++ def attemptRequestWithMaliciousURI(self, uri): ++ """ ++ Attempt a request with the provided URI. ++ ++ @param uri: L{URIInjectionTestsMixin} ++ """ ++ downloader = client.HTTPDownloader( ++ b"https://twisted.invalid", ++ io.BytesIO(), ++ ) ++ downloader.setURL(uri) diff -Nru twisted-18.9.0/debian/patches/CVE-2019-12855-01.patch twisted-18.9.0/debian/patches/CVE-2019-12855-01.patch --- twisted-18.9.0/debian/patches/CVE-2019-12855-01.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-18.9.0/debian/patches/CVE-2019-12855-01.patch 2020-03-16 16:49:48.000000000 +0000 @@ -0,0 +1,176 @@ +From 488bdd0b80cd1084359e34b8d36ae536520b1f86 Mon Sep 17 00:00:00 2001 +From: Ralph Meijer +Date: Tue, 7 May 2019 12:26:14 -0400 +Subject: [PATCH 01/17] Use optionsForClientTLS to verify server certificate by + default + +--- + .../words/protocols/jabber/xmlstream.py | 2 +- + .../words/test/test_jabberxmlstream.py | 61 +++++++++++++------ + 2 files changed, 44 insertions(+), 19 deletions(-) + +diff --git a/src/twisted/words/protocols/jabber/xmlstream.py b/src/twisted/words/protocols/jabber/xmlstream.py +index c191e9ae219..70d9267b705 100644 +--- a/src/twisted/words/protocols/jabber/xmlstream.py ++++ b/src/twisted/words/protocols/jabber/xmlstream.py +@@ -414,7 +414,7 @@ def onProceed(self, obj): + """ + + self.xmlstream.removeObserver('/failure', self.onFailure) +- ctx = ssl.CertificateOptions() ++ ctx = ssl.optionsForClientTLS(self.xmlstream.otherEntity.host) + self.xmlstream.transport.startTLS(ctx) + self.xmlstream.reset() + self.xmlstream.sendHeader() +diff --git a/src/twisted/words/test/test_jabberxmlstream.py b/src/twisted/words/test/test_jabberxmlstream.py +index 302171d7297..ccccf87372c 100644 +--- a/src/twisted/words/test/test_jabberxmlstream.py ++++ b/src/twisted/words/test/test_jabberxmlstream.py +@@ -14,6 +14,7 @@ + from twisted.internet import defer, task + from twisted.internet.error import ConnectionLost + from twisted.internet.interfaces import IProtocolFactory ++from twisted.internet._sslverify import ClientTLSOptions + from twisted.python import failure + from twisted.python.compat import unicode + from twisted.test import proto_helpers +@@ -665,7 +666,7 @@ def setUp(self): + + self.savedSSL = xmlstream.ssl + +- self.authenticator = xmlstream.Authenticator() ++ self.authenticator = xmlstream.ConnectAuthenticator(u'example.com') + self.xmlstream = xmlstream.XmlStream(self.authenticator) + self.xmlstream.send = self.output.append + self.xmlstream.connectionMade() +@@ -679,9 +680,9 @@ def tearDown(self): + xmlstream.ssl = self.savedSSL + + +- def testWantedSupported(self): ++ def test_wantedSupported(self): + """ +- Test start when TLS is wanted and the SSL library available. ++ When TLS is wanted and SSL available, StartTLS is initiated. + """ + self.xmlstream.transport = proto_helpers.StringTransport() + self.xmlstream.transport.startTLS = lambda ctx: self.done.append('TLS') +@@ -690,7 +691,8 @@ def testWantedSupported(self): + + d = self.init.start() + d.addCallback(self.assertEqual, xmlstream.Reset) +- starttls = self.output[0] ++ self.assertEqual(2, len(self.output)) ++ starttls = self.output[1] + self.assertEqual('starttls', starttls.name) + self.assertEqual(NS_XMPP_TLS, starttls.uri) + self.xmlstream.dataReceived("" % NS_XMPP_TLS) +@@ -698,40 +700,63 @@ def testWantedSupported(self): + + return d + ++ ++ def test_certificateVerify(self): ++ """ ++ The server certificate will be verified. ++ """ ++ ++ def fakeStartTLS(contextFactory): ++ self.assertIsInstance(contextFactory, ClientTLSOptions) ++ self.assertEqual(contextFactory._hostname, u"example.com") ++ self.done.append('TLS') ++ ++ self.xmlstream.transport = proto_helpers.StringTransport() ++ self.xmlstream.transport.startTLS = fakeStartTLS ++ self.xmlstream.reset = lambda: self.done.append('reset') ++ self.xmlstream.sendHeader = lambda: self.done.append('header') ++ ++ d = self.init.start() ++ self.xmlstream.dataReceived("" % NS_XMPP_TLS) ++ self.assertEqual(['TLS', 'reset', 'header'], self.done) ++ return d ++ ++ + if not xmlstream.ssl: + testWantedSupported.skip = "SSL not available" ++ test_certificateVerify = "SSL not available" + + +- def testWantedNotSupportedNotRequired(self): ++ def test_wantedNotSupportedNotRequired(self): + """ +- Test start when TLS is wanted and the SSL library available. ++ No StartTLS is initiated when wanted, not required, SSL not available. + """ + xmlstream.ssl = None + + d = self.init.start() + d.addCallback(self.assertEqual, None) +- self.assertEqual([], self.output) ++ self.assertEqual(1, len(self.output)) + + return d + + +- def testWantedNotSupportedRequired(self): ++ def test_wantedNotSupportedRequired(self): + """ +- Test start when TLS is wanted and the SSL library available. ++ TLSNotSupported is raised when TLS is required but not available. + """ + xmlstream.ssl = None + self.init.required = True + + d = self.init.start() + self.assertFailure(d, xmlstream.TLSNotSupported) +- self.assertEqual([], self.output) ++ self.assertEqual(1, len(self.output)) + + return d + + +- def testNotWantedRequired(self): ++ def test_notWantedRequired(self): + """ +- Test start when TLS is not wanted, but required by the server. ++ TLSRequired is raised when TLS is not wanted, but required by server. + """ + tls = domish.Element(('urn:ietf:params:xml:ns:xmpp-tls', 'starttls')) + tls.addElement('required') +@@ -739,15 +764,15 @@ def testNotWantedRequired(self): + self.init.wanted = False + + d = self.init.start() +- self.assertEqual([], self.output) ++ self.assertEqual(1, len(self.output)) + self.assertFailure(d, xmlstream.TLSRequired) + + return d + + +- def testNotWantedNotRequired(self): ++ def test_notWantedNotRequired(self): + """ +- Test start when TLS is not wanted, but required by the server. ++ No StartTLS is initiated when not wanted and not required. + """ + tls = domish.Element(('urn:ietf:params:xml:ns:xmpp-tls', 'starttls')) + self.xmlstream.features = {(tls.uri, tls.name): tls} +@@ -755,13 +780,13 @@ def testNotWantedNotRequired(self): + + d = self.init.start() + d.addCallback(self.assertEqual, None) +- self.assertEqual([], self.output) ++ self.assertEqual(1, len(self.output)) + return d + + +- def testFailed(self): ++ def test_failed(self): + """ +- Test failed TLS negotiation. ++ TLSFailed is raised when the server responds with a failure. + """ + # Pretend that ssl is supported, it isn't actually used when the + # server starts out with a failure in response to our initial + diff -Nru twisted-18.9.0/debian/patches/CVE-2019-12855-02.patch twisted-18.9.0/debian/patches/CVE-2019-12855-02.patch --- twisted-18.9.0/debian/patches/CVE-2019-12855-02.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-18.9.0/debian/patches/CVE-2019-12855-02.patch 2020-03-16 16:49:52.000000000 +0000 @@ -0,0 +1,25 @@ +From 0ff32b1bf115acc90d223b9ce9820063cf89003d Mon Sep 17 00:00:00 2001 +From: Ralph Meijer +Date: Tue, 7 May 2019 15:54:33 -0400 +Subject: [PATCH 02/17] Fix client example to print disconnection reason + +--- + docs/words/examples/xmpp_client.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/docs/words/examples/xmpp_client.py b/docs/words/examples/xmpp_client.py +index cb80202c67f..4a3651009b4 100644 +--- a/docs/words/examples/xmpp_client.py ++++ b/docs/words/examples/xmpp_client.py +@@ -53,8 +53,9 @@ def connected(self, xs): + xs.rawDataOutFn = self.rawDataOut + + +- def disconnected(self, xs): ++ def disconnected(self, reason): + print('Disconnected.') ++ print(reason) + + self.finished.callback(None) + + diff -Nru twisted-18.9.0/debian/patches/CVE-2019-12855-03.patch twisted-18.9.0/debian/patches/CVE-2019-12855-03.patch --- twisted-18.9.0/debian/patches/CVE-2019-12855-03.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-18.9.0/debian/patches/CVE-2019-12855-03.patch 2020-03-16 16:49:55.000000000 +0000 @@ -0,0 +1,80 @@ +From 89954dfb18e613be583c74e22a3dd55d66e7d975 Mon Sep 17 00:00:00 2001 +From: Ralph Meijer +Date: Tue, 7 May 2019 18:23:49 -0400 +Subject: [PATCH 03/17] Allow for custom contextFactory to TLS initializer + +--- + .../words/protocols/jabber/xmlstream.py | 6 ++++- + .../words/test/test_jabberxmlstream.py | 24 +++++++++++++++++++ + 2 files changed, 29 insertions(+), 1 deletion(-) + +diff --git a/src/twisted/words/protocols/jabber/xmlstream.py b/src/twisted/words/protocols/jabber/xmlstream.py +index 70d9267b705..51a8466b16a 100644 +--- a/src/twisted/words/protocols/jabber/xmlstream.py ++++ b/src/twisted/words/protocols/jabber/xmlstream.py +@@ -406,6 +406,7 @@ class TLSInitiatingInitializer(BaseFeatureInitiatingInitializer): + + feature = (NS_XMPP_TLS, 'starttls') + wanted = True ++ contextFactory = None + _deferred = None + + def onProceed(self, obj): +@@ -414,7 +415,10 @@ def onProceed(self, obj): + """ + + self.xmlstream.removeObserver('/failure', self.onFailure) +- ctx = ssl.optionsForClientTLS(self.xmlstream.otherEntity.host) ++ if self.contextFactory: ++ ctx = self.contextFactory ++ else: ++ ctx = ssl.optionsForClientTLS(self.xmlstream.otherEntity.host) + self.xmlstream.transport.startTLS(ctx) + self.xmlstream.reset() + self.xmlstream.sendHeader() +diff --git a/src/twisted/words/test/test_jabberxmlstream.py b/src/twisted/words/test/test_jabberxmlstream.py +index ccccf87372c..863cad0f328 100644 +--- a/src/twisted/words/test/test_jabberxmlstream.py ++++ b/src/twisted/words/test/test_jabberxmlstream.py +@@ -14,6 +14,7 @@ + from twisted.internet import defer, task + from twisted.internet.error import ConnectionLost + from twisted.internet.interfaces import IProtocolFactory ++from twisted.internet.ssl import CertificateOptions + from twisted.internet._sslverify import ClientTLSOptions + from twisted.python import failure + from twisted.python.compat import unicode +@@ -722,9 +723,32 @@ def fakeStartTLS(contextFactory): + return d + + ++ def test_certificateVerifyContext(self): ++ """ ++ A custom contextFactory is passed through to startTLS. ++ """ ++ ctx = CertificateOptions() ++ self.init.contextFactory = ctx ++ ++ def fakeStartTLS(contextFactory): ++ self.assertIs(ctx, contextFactory) ++ self.done.append('TLS') ++ ++ self.xmlstream.transport = proto_helpers.StringTransport() ++ self.xmlstream.transport.startTLS = fakeStartTLS ++ self.xmlstream.reset = lambda: self.done.append('reset') ++ self.xmlstream.sendHeader = lambda: self.done.append('header') ++ ++ d = self.init.start() ++ self.xmlstream.dataReceived("" % NS_XMPP_TLS) ++ self.assertEqual(['TLS', 'reset', 'header'], self.done) ++ return d ++ ++ + if not xmlstream.ssl: + testWantedSupported.skip = "SSL not available" + test_certificateVerify = "SSL not available" ++ test_certificateVerifyContext = "SSL not available" + + + def test_wantedNotSupportedNotRequired(self): + diff -Nru twisted-18.9.0/debian/patches/CVE-2019-12855-04.patch twisted-18.9.0/debian/patches/CVE-2019-12855-04.patch --- twisted-18.9.0/debian/patches/CVE-2019-12855-04.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-18.9.0/debian/patches/CVE-2019-12855-04.patch 2020-03-16 16:49:59.000000000 +0000 @@ -0,0 +1,26 @@ +From 4759e27af0ffa2e61538d5e0a66c3e57e20d3f5b Mon Sep 17 00:00:00 2001 +From: Ralph Meijer +Date: Wed, 8 May 2019 13:19:17 -0400 +Subject: [PATCH 04/17] Add docstrings for new contextFactory attribute + +--- + src/twisted/words/protocols/jabber/xmlstream.py | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/twisted/words/protocols/jabber/xmlstream.py b/src/twisted/words/protocols/jabber/xmlstream.py +index 51a8466b16a..88ad21f76a6 100644 +--- a/src/twisted/words/protocols/jabber/xmlstream.py ++++ b/src/twisted/words/protocols/jabber/xmlstream.py +@@ -402,6 +402,11 @@ class TLSInitiatingInitializer(BaseFeatureInitiatingInitializer): + + @cvar wanted: indicates if TLS negotiation is wanted. + @type wanted: C{bool} ++ ++ @cvar contextFactory: An object which creates appropriately configured TLS ++ connections. This is passed to C{startTLS} on the transport and is ++ preferably created using L{twisted.internet.ssl.optionsForClientTLS}. ++ @type contextFactory: L{IOpenSSLClientConnectionCreator} + """ + + feature = (NS_XMPP_TLS, 'starttls') + diff -Nru twisted-18.9.0/debian/patches/CVE-2019-12855-05.patch twisted-18.9.0/debian/patches/CVE-2019-12855-05.patch --- twisted-18.9.0/debian/patches/CVE-2019-12855-05.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-18.9.0/debian/patches/CVE-2019-12855-05.patch 2020-03-16 16:50:03.000000000 +0000 @@ -0,0 +1,180 @@ +From fa18e8e65cf486ea9adc8e9a9a6df7e168098ce8 Mon Sep 17 00:00:00 2001 +From: Ralph Meijer +Date: Thu, 9 May 2019 11:11:14 -0400 +Subject: [PATCH 05/17] Clean up connecting authenticators + +This adds an option `required` argument to the inits of initializers +deriving from BaseFeatureInitiatingInitializer, to simplify setup. +Additionally it changes the requiredness of two initializers used by +XMPPAuthenticator: + +* Setup of TLS is now required by default. This ensures that if StartTLS +is not advertized by the server, initialization fails instead of +silently proceeding to authentication without encryption. +* Binding a resource is required by default, because without it servers +will not allow any further meaningful interaction. +--- + src/twisted/words/protocols/jabber/client.py | 28 +++++-------- + .../words/protocols/jabber/xmlstream.py | 9 +++-- + src/twisted/words/test/test_jabberclient.py | 39 ++++++++++++++++++- + .../words/test/test_jabberxmlstream.py | 9 +++++ + 4 files changed, 61 insertions(+), 24 deletions(-) + +diff --git a/src/twisted/words/protocols/jabber/client.py b/src/twisted/words/protocols/jabber/client.py +index ffe6c939d8a..566bc9ff177 100644 +--- a/src/twisted/words/protocols/jabber/client.py ++++ b/src/twisted/words/protocols/jabber/client.py +@@ -206,14 +206,10 @@ def associateWithStream(self, xs): + xs.version = (0, 0) + xmlstream.ConnectAuthenticator.associateWithStream(self, xs) + +- inits = [ (xmlstream.TLSInitiatingInitializer, False), +- (IQAuthInitializer, True), +- ] +- +- for initClass, required in inits: +- init = initClass(xs) +- init.required = required +- xs.initializers.append(init) ++ xs.initializers = [ ++ xmlstream.TLSInitiatingInitializer(xs, required=False), ++ IQAuthInitializer(xs), ++ ] + + # TODO: move registration into an Initializer? + +@@ -377,14 +373,10 @@ def associateWithStream(self, xs): + """ + xmlstream.ConnectAuthenticator.associateWithStream(self, xs) + +- xs.initializers = [CheckVersionInitializer(xs)] +- inits = [ (xmlstream.TLSInitiatingInitializer, False), +- (sasl.SASLInitiatingInitializer, True), +- (BindInitializer, False), +- (SessionInitializer, False), ++ xs.initializers = [ ++ CheckVersionInitializer(xs), ++ xmlstream.TLSInitiatingInitializer(xs, required=True), ++ sasl.SASLInitiatingInitializer(xs, required=True), ++ BindInitializer(xs, required=True), ++ SessionInitializer(xs, required=False), + ] +- +- for initClass, required in inits: +- init = initClass(xs) +- init.required = required +- xs.initializers.append(init) +diff --git a/src/twisted/words/protocols/jabber/xmlstream.py b/src/twisted/words/protocols/jabber/xmlstream.py +index 88ad21f76a6..f7512016c5a 100644 +--- a/src/twisted/words/protocols/jabber/xmlstream.py ++++ b/src/twisted/words/protocols/jabber/xmlstream.py +@@ -316,16 +316,17 @@ class BaseFeatureInitiatingInitializer(object): + + @cvar feature: tuple of (uri, name) of the stream feature root element. + @type feature: tuple of (C{str}, C{str}) ++ + @ivar required: whether the stream feature is required to be advertized + by the receiving entity. + @type required: C{bool} + """ + + feature = None +- required = False + +- def __init__(self, xs): ++ def __init__(self, xs, required=False): + self.xmlstream = xs ++ self.required = required + + + def initialize(self): +@@ -400,10 +401,10 @@ class TLSInitiatingInitializer(BaseFeatureInitiatingInitializer): + set the C{wanted} attribute to False instead of removing it from the list + of initializers, so a proper exception L{TLSRequired} can be raised. + +- @cvar wanted: indicates if TLS negotiation is wanted. ++ @ivar wanted: indicates if TLS negotiation is wanted. + @type wanted: C{bool} + +- @cvar contextFactory: An object which creates appropriately configured TLS ++ @ivar contextFactory: An object which creates appropriately configured TLS + connections. This is passed to C{startTLS} on the transport and is + preferably created using L{twisted.internet.ssl.optionsForClientTLS}. + @type contextFactory: L{IOpenSSLClientConnectionCreator} +diff --git a/src/twisted/words/test/test_jabberclient.py b/src/twisted/words/test/test_jabberclient.py +index d54f88651ad..19be60b34eb 100644 +--- a/src/twisted/words/test/test_jabberclient.py ++++ b/src/twisted/words/test/test_jabberclient.py +@@ -379,6 +379,41 @@ def onSession(iq): + + + ++class BasicAuthenticatorTests(unittest.TestCase): ++ """ ++ Test for both XMPPAuthenticator and XMPPClientFactory. ++ """ ++ def testBasic(self): ++ """ ++ Test basic operations. ++ ++ Setup a basicClientFactory, which sets up a BasicAuthenticator, and let ++ it produce a protocol instance. Then inspect the instance variables of ++ the authenticator and XML stream objects. ++ """ ++ self.client_jid = jid.JID('user@example.com/resource') ++ ++ # Get an XmlStream instance. Note that it gets initialized with the ++ # XMPPAuthenticator (that has its associateWithXmlStream called) that ++ # is in turn initialized with the arguments to the factory. ++ xs = client.basicClientFactory(self.client_jid, ++ 'secret').buildProtocol(None) ++ ++ # test authenticator's instance variables ++ self.assertEqual('example.com', xs.authenticator.otherHost) ++ self.assertEqual(self.client_jid, xs.authenticator.jid) ++ self.assertEqual('secret', xs.authenticator.password) ++ ++ # test list of initializers ++ tls, auth = xs.initializers ++ ++ self.assertIsInstance(tls, xmlstream.TLSInitiatingInitializer) ++ self.assertIsInstance(auth, client.IQAuthInitializer) ++ ++ self.assertFalse(tls.required) ++ ++ ++ + class XMPPAuthenticatorTests(unittest.TestCase): + """ + Test for both XMPPAuthenticator and XMPPClientFactory. +@@ -412,7 +447,7 @@ def testBasic(self): + self.assertIsInstance(bind, client.BindInitializer) + self.assertIsInstance(session, client.SessionInitializer) + +- self.assertFalse(tls.required) ++ self.assertTrue(tls.required) + self.assertTrue(sasl.required) +- self.assertFalse(bind.required) ++ self.assertTrue(bind.required) + self.assertFalse(session.required) +diff --git a/src/twisted/words/test/test_jabberxmlstream.py b/src/twisted/words/test/test_jabberxmlstream.py +index 863cad0f328..6df336deb20 100644 +--- a/src/twisted/words/test/test_jabberxmlstream.py ++++ b/src/twisted/words/test/test_jabberxmlstream.py +@@ -681,6 +681,15 @@ def tearDown(self): + xmlstream.ssl = self.savedSSL + + ++ def test_initRequired(self): ++ """ ++ Passing required sets the instance variable. ++ """ ++ self.init = xmlstream.TLSInitiatingInitializer(self.xmlstream, ++ required=True) ++ self.assertTrue(self.init.required) ++ ++ + def test_wantedSupported(self): + """ + When TLS is wanted and SSL available, StartTLS is initiated. + diff -Nru twisted-18.9.0/debian/patches/CVE-2019-12855-06.patch twisted-18.9.0/debian/patches/CVE-2019-12855-06.patch --- twisted-18.9.0/debian/patches/CVE-2019-12855-06.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-18.9.0/debian/patches/CVE-2019-12855-06.patch 2020-03-16 16:50:06.000000000 +0000 @@ -0,0 +1,179 @@ +From cadf08f3481b689929ad471a17ce29683dc0635d Mon Sep 17 00:00:00 2001 +From: Ralph Meijer +Date: Thu, 9 May 2019 12:05:21 -0400 +Subject: [PATCH 06/17] Provide a way to use custom certificate options for + XMPP clients + +This adds an optional `contextFactory` argument to `XMPPClientFactory` +that is passed on to `XMPPAuthenticator`, which in turn passes it to +`TLSInitiatingInitializer`. +--- + src/twisted/words/protocols/jabber/client.py | 25 ++++++++++--- + .../words/protocols/jabber/xmlstream.py | 9 +++++ + src/twisted/words/test/test_jabberclient.py | 35 ++++++++++++++++--- + 3 files changed, 61 insertions(+), 8 deletions(-) + +diff --git a/src/twisted/words/protocols/jabber/client.py b/src/twisted/words/protocols/jabber/client.py +index 566bc9ff177..4b310e34f38 100644 +--- a/src/twisted/words/protocols/jabber/client.py ++++ b/src/twisted/words/protocols/jabber/client.py +@@ -298,7 +298,7 @@ def start(self): + + + +-def XMPPClientFactory(jid, password): ++def XMPPClientFactory(jid, password, contextFactory=None): + """ + Client factory for XMPP 1.0 (only). + +@@ -310,12 +310,20 @@ def XMPPClientFactory(jid, password): + + @param jid: Jabber ID to connect with. + @type jid: L{jid.JID} ++ + @param password: password to authenticate with. + @type password: L{unicode} ++ ++ @param contextFactory: An object which creates appropriately configured TLS ++ connections. This is passed to C{startTLS} on the transport and is ++ preferably created using L{twisted.internet.ssl.optionsForClientTLS}. ++ See L{xmlstream.TLSInitiatingInitializer} for details. ++ @type contextFactory: L{IOpenSSLClientConnectionCreator} ++ + @return: XML stream factory. + @rtype: L{xmlstream.XmlStreamFactory} + """ +- a = XMPPAuthenticator(jid, password) ++ a = XMPPAuthenticator(jid, password, contextFactory=contextFactory) + return xmlstream.XmlStreamFactory(a) + + +@@ -350,16 +358,24 @@ class XMPPAuthenticator(xmlstream.ConnectAuthenticator): + resource binding step, and this is stored in this instance + variable. + @type jid: L{jid.JID} ++ + @ivar password: password to be used during SASL authentication. + @type password: L{unicode} ++ ++ @ivar contextFactory: An object which creates appropriately configured TLS ++ connections. This is passed to C{startTLS} on the transport and is ++ preferably created using L{twisted.internet.ssl.optionsForClientTLS}. ++ See L{xmlstream.TLSInitiatingInitializer} for details. ++ @type contextFactory: L{IOpenSSLClientConnectionCreator} + """ + + namespace = 'jabber:client' + +- def __init__(self, jid, password): ++ def __init__(self, jid, password, contextFactory=None): + xmlstream.ConnectAuthenticator.__init__(self, jid.host) + self.jid = jid + self.password = password ++ self.contextFactory = contextFactory + + + def associateWithStream(self, xs): +@@ -375,7 +391,8 @@ def associateWithStream(self, xs): + + xs.initializers = [ + CheckVersionInitializer(xs), +- xmlstream.TLSInitiatingInitializer(xs, required=True), ++ xmlstream.TLSInitiatingInitializer( ++ xs, required=True, contextFactory=self.contextFactory), + sasl.SASLInitiatingInitializer(xs, required=True), + BindInitializer(xs, required=True), + SessionInitializer(xs, required=False), +diff --git a/src/twisted/words/protocols/jabber/xmlstream.py b/src/twisted/words/protocols/jabber/xmlstream.py +index f7512016c5a..1ed79d47726 100644 +--- a/src/twisted/words/protocols/jabber/xmlstream.py ++++ b/src/twisted/words/protocols/jabber/xmlstream.py +@@ -407,6 +407,9 @@ class TLSInitiatingInitializer(BaseFeatureInitiatingInitializer): + @ivar contextFactory: An object which creates appropriately configured TLS + connections. This is passed to C{startTLS} on the transport and is + preferably created using L{twisted.internet.ssl.optionsForClientTLS}. ++ If C{None}, the default is to verify the server certificate against ++ the trust roots as provided by the platform. See ++ L{twisted.internet._sslverify.platformTrust}. + @type contextFactory: L{IOpenSSLClientConnectionCreator} + """ + +@@ -415,6 +418,12 @@ class TLSInitiatingInitializer(BaseFeatureInitiatingInitializer): + contextFactory = None + _deferred = None + ++ def __init__(self, xs, required=True, contextFactory=None): ++ super(TLSInitiatingInitializer, self).__init__( ++ xs, required=required) ++ self.contextFactory = contextFactory ++ ++ + def onProceed(self, obj): + """ + Proceed with TLS negotiation and reset the XML stream. +diff --git a/src/twisted/words/test/test_jabberclient.py b/src/twisted/words/test/test_jabberclient.py +index 19be60b34eb..2e39de72cee 100644 +--- a/src/twisted/words/test/test_jabberclient.py ++++ b/src/twisted/words/test/test_jabberclient.py +@@ -9,7 +9,7 @@ + + from hashlib import sha1 + +-from twisted.internet import defer ++from twisted.internet import defer, ssl + from twisted.python.compat import unicode + from twisted.trial import unittest + from twisted.words.protocols.jabber import client, error, jid, xmlstream +@@ -381,9 +381,10 @@ def onSession(iq): + + class BasicAuthenticatorTests(unittest.TestCase): + """ +- Test for both XMPPAuthenticator and XMPPClientFactory. ++ Test for both BasicAuthenticator and basicClientFactory. + """ +- def testBasic(self): ++ ++ def test_basic(self): + """ + Test basic operations. + +@@ -418,7 +419,8 @@ class XMPPAuthenticatorTests(unittest.TestCase): + """ + Test for both XMPPAuthenticator and XMPPClientFactory. + """ +- def testBasic(self): ++ ++ def test_basic(self): + """ + Test basic operations. + +@@ -451,3 +453,28 @@ def testBasic(self): + self.assertTrue(sasl.required) + self.assertTrue(bind.required) + self.assertFalse(session.required) ++ ++ ++ def test_tlsContextFactory(self): ++ """ ++ Test basic operations. ++ ++ Setup an XMPPClientFactory, which sets up an XMPPAuthenticator, and let ++ it produce a protocol instance. Then inspect the instance variables of ++ the authenticator and XML stream objects. ++ """ ++ self.client_jid = jid.JID('user@example.com/resource') ++ ++ # Get an XmlStream instance. Note that it gets initialized with the ++ # XMPPAuthenticator (that has its associateWithXmlStream called) that ++ # is in turn initialized with the arguments to the factory. ++ contextFactory = ssl.CertificateOptions() ++ factory = client.XMPPClientFactory(self.client_jid, 'secret', ++ contextFactory=contextFactory) ++ xs = factory.buildProtocol(None) ++ ++ # test list of initializers ++ version, tls, sasl, bind, session = xs.initializers ++ ++ self.assertIsInstance(tls, xmlstream.TLSInitiatingInitializer) ++ self.assertIs(contextFactory, tls.contextFactory) + diff -Nru twisted-18.9.0/debian/patches/CVE-2019-12855-07.patch twisted-18.9.0/debian/patches/CVE-2019-12855-07.patch --- twisted-18.9.0/debian/patches/CVE-2019-12855-07.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-18.9.0/debian/patches/CVE-2019-12855-07.patch 2020-03-16 16:50:10.000000000 +0000 @@ -0,0 +1,31 @@ +From 5ed194c0514a04500b3190b0ecbad0cce8b9b82d Mon Sep 17 00:00:00 2001 +From: Ralph Meijer +Date: Thu, 9 May 2019 12:12:32 -0400 +Subject: [PATCH 07/17] Adjust tests to TLSInitiatingInitializer being required + by default + +--- + src/twisted/words/test/test_jabberxmlstream.py | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/twisted/words/test/test_jabberxmlstream.py b/src/twisted/words/test/test_jabberxmlstream.py +index 6df336deb20..2b8dcd9516e 100644 +--- a/src/twisted/words/test/test_jabberxmlstream.py ++++ b/src/twisted/words/test/test_jabberxmlstream.py +@@ -765,6 +765,7 @@ def test_wantedNotSupportedNotRequired(self): + No StartTLS is initiated when wanted, not required, SSL not available. + """ + xmlstream.ssl = None ++ self.init.required = False + + d = self.init.start() + d.addCallback(self.assertEqual, None) +@@ -810,6 +811,7 @@ def test_notWantedNotRequired(self): + tls = domish.Element(('urn:ietf:params:xml:ns:xmpp-tls', 'starttls')) + self.xmlstream.features = {(tls.uri, tls.name): tls} + self.init.wanted = False ++ self.init.required = False + + d = self.init.start() + d.addCallback(self.assertEqual, None) + diff -Nru twisted-18.9.0/debian/patches/CVE-2019-12855-09.patch twisted-18.9.0/debian/patches/CVE-2019-12855-09.patch --- twisted-18.9.0/debian/patches/CVE-2019-12855-09.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-18.9.0/debian/patches/CVE-2019-12855-09.patch 2020-03-16 16:50:16.000000000 +0000 @@ -0,0 +1,23 @@ +From 0a93949f91ea22cfc5453c326e36e927c8da1015 Mon Sep 17 00:00:00 2001 +From: Ralph Meijer +Date: Mon, 27 May 2019 13:53:31 +0200 +Subject: [PATCH 09/17] Fix skipping renamed test when SSL is not available + +--- + src/twisted/words/test/test_jabberxmlstream.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/twisted/words/test/test_jabberxmlstream.py b/src/twisted/words/test/test_jabberxmlstream.py +index 2b8dcd9516e..d9f4962ec0c 100644 +--- a/src/twisted/words/test/test_jabberxmlstream.py ++++ b/src/twisted/words/test/test_jabberxmlstream.py +@@ -755,7 +755,7 @@ def fakeStartTLS(contextFactory): + + + if not xmlstream.ssl: +- testWantedSupported.skip = "SSL not available" ++ test_wantedSupported.skip = "SSL not available" + test_certificateVerify = "SSL not available" + test_certificateVerifyContext = "SSL not available" + + diff -Nru twisted-18.9.0/debian/patches/CVE-2019-12855-10.patch twisted-18.9.0/debian/patches/CVE-2019-12855-10.patch --- twisted-18.9.0/debian/patches/CVE-2019-12855-10.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-18.9.0/debian/patches/CVE-2019-12855-10.patch 2020-03-16 16:50:21.000000000 +0000 @@ -0,0 +1,105 @@ +From 751ac6f754146e5b61ab65d2995be2a9534bd41d Mon Sep 17 00:00:00 2001 +From: Ralph Meijer +Date: Mon, 27 May 2019 14:48:26 +0200 +Subject: [PATCH 10/17] Skip TLS tests if OpenSSL is not available + +--- + src/twisted/words/test/test_jabberclient.py | 12 +++++++++- + .../words/test/test_jabberxmlstream.py | 22 ++++++++++++------- + 2 files changed, 25 insertions(+), 9 deletions(-) + +diff --git a/src/twisted/words/test/test_jabberclient.py b/src/twisted/words/test/test_jabberclient.py +index 2e39de72cee..8afb92951f7 100644 +--- a/src/twisted/words/test/test_jabberclient.py ++++ b/src/twisted/words/test/test_jabberclient.py +@@ -9,13 +9,21 @@ + + from hashlib import sha1 + +-from twisted.internet import defer, ssl ++from twisted.internet import defer + from twisted.python.compat import unicode + from twisted.trial import unittest + from twisted.words.protocols.jabber import client, error, jid, xmlstream + from twisted.words.protocols.jabber.sasl import SASLInitiatingInitializer + from twisted.words.xish import utility + ++try: ++ from twisted.internet import ssl ++except ImportError: ++ ssl = None ++ skipWhenNoSSL = "SSL not available" ++else: ++ skipWhenNoSSL = None ++ + IQ_AUTH_GET = '/iq[@type="get"]/query[@xmlns="jabber:iq:auth"]' + IQ_AUTH_SET = '/iq[@type="set"]/query[@xmlns="jabber:iq:auth"]' + NS_BIND = 'urn:ietf:params:xml:ns:xmpp-bind' +@@ -478,3 +486,5 @@ def test_tlsContextFactory(self): + + self.assertIsInstance(tls, xmlstream.TLSInitiatingInitializer) + self.assertIs(contextFactory, tls.contextFactory) ++ ++ test_tlsContextFactory.skip = skipWhenNoSSL +diff --git a/src/twisted/words/test/test_jabberxmlstream.py b/src/twisted/words/test/test_jabberxmlstream.py +index d9f4962ec0c..aad0305ef99 100644 +--- a/src/twisted/words/test/test_jabberxmlstream.py ++++ b/src/twisted/words/test/test_jabberxmlstream.py +@@ -14,8 +14,6 @@ + from twisted.internet import defer, task + from twisted.internet.error import ConnectionLost + from twisted.internet.interfaces import IProtocolFactory +-from twisted.internet.ssl import CertificateOptions +-from twisted.internet._sslverify import ClientTLSOptions + from twisted.python import failure + from twisted.python.compat import unicode + from twisted.test import proto_helpers +@@ -23,7 +21,15 @@ + from twisted.words.xish import domish + from twisted.words.protocols.jabber import error, ijabber, jid, xmlstream + +- ++try: ++ from twisted.internet import ssl ++except ImportError: ++ ssl = None ++ skipWhenNoSSL = "SSL not available" ++else: ++ skipWhenNoSSL = None ++ from twisted.internet.ssl import CertificateOptions ++ from twisted.internet._sslverify import ClientTLSOptions + + NS_XMPP_TLS = 'urn:ietf:params:xml:ns:xmpp-tls' + +@@ -710,6 +716,8 @@ def test_wantedSupported(self): + + return d + ++ test_wantedSupported.skip = skipWhenNoSSL ++ + + def test_certificateVerify(self): + """ +@@ -731,6 +739,8 @@ def fakeStartTLS(contextFactory): + self.assertEqual(['TLS', 'reset', 'header'], self.done) + return d + ++ test_certificateVerify.skip = skipWhenNoSSL ++ + + def test_certificateVerifyContext(self): + """ +@@ -753,11 +763,7 @@ def fakeStartTLS(contextFactory): + self.assertEqual(['TLS', 'reset', 'header'], self.done) + return d + +- +- if not xmlstream.ssl: +- test_wantedSupported.skip = "SSL not available" +- test_certificateVerify = "SSL not available" +- test_certificateVerifyContext = "SSL not available" ++ test_certificateVerifyContext.skip = skipWhenNoSSL + + + def test_wantedNotSupportedNotRequired(self): + diff -Nru twisted-18.9.0/debian/patches/CVE-2019-12855-11.patch twisted-18.9.0/debian/patches/CVE-2019-12855-11.patch --- twisted-18.9.0/debian/patches/CVE-2019-12855-11.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-18.9.0/debian/patches/CVE-2019-12855-11.patch 2020-03-16 16:50:25.000000000 +0000 @@ -0,0 +1,46 @@ +From 672a6338dea08a17cbe18af3d47bdb14fcd0d84b Mon Sep 17 00:00:00 2001 +From: Ralph Meijer +Date: Mon, 27 May 2019 15:33:20 +0200 +Subject: [PATCH 11/17] Fix indents + +--- + src/twisted/words/test/test_jabberclient.py | 4 ++-- + src/twisted/words/test/test_jabberxmlstream.py | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/twisted/words/test/test_jabberclient.py b/src/twisted/words/test/test_jabberclient.py +index 8afb92951f7..7c31bed8656 100644 +--- a/src/twisted/words/test/test_jabberclient.py ++++ b/src/twisted/words/test/test_jabberclient.py +@@ -17,7 +17,7 @@ + from twisted.words.xish import utility + + try: +- from twisted.internet import ssl ++ from twisted.internet import ssl + except ImportError: + ssl = None + skipWhenNoSSL = "SSL not available" +@@ -406,7 +406,7 @@ def test_basic(self): + # XMPPAuthenticator (that has its associateWithXmlStream called) that + # is in turn initialized with the arguments to the factory. + xs = client.basicClientFactory(self.client_jid, +- 'secret').buildProtocol(None) ++ 'secret').buildProtocol(None) + + # test authenticator's instance variables + self.assertEqual('example.com', xs.authenticator.otherHost) +diff --git a/src/twisted/words/test/test_jabberxmlstream.py b/src/twisted/words/test/test_jabberxmlstream.py +index aad0305ef99..7b384645a2c 100644 +--- a/src/twisted/words/test/test_jabberxmlstream.py ++++ b/src/twisted/words/test/test_jabberxmlstream.py +@@ -22,7 +22,7 @@ + from twisted.words.protocols.jabber import error, ijabber, jid, xmlstream + + try: +- from twisted.internet import ssl ++ from twisted.internet import ssl + except ImportError: + ssl = None + skipWhenNoSSL = "SSL not available" + diff -Nru twisted-18.9.0/debian/patches/CVE-2019-12855-12.patch twisted-18.9.0/debian/patches/CVE-2019-12855-12.patch --- twisted-18.9.0/debian/patches/CVE-2019-12855-12.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-18.9.0/debian/patches/CVE-2019-12855-12.patch 2020-03-16 16:50:29.000000000 +0000 @@ -0,0 +1,34 @@ +From a649757186c12d2b4f4a8e215b4d36ba26bd331f Mon Sep 17 00:00:00 2001 +From: Ralph Meijer +Date: Tue, 28 May 2019 16:53:22 +0200 +Subject: [PATCH 12/17] Better docstring for BasicAuthenticatorTests + +--- + src/twisted/words/test/test_jabberclient.py | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/src/twisted/words/test/test_jabberclient.py b/src/twisted/words/test/test_jabberclient.py +index 7c31bed8656..1403131baf6 100644 +--- a/src/twisted/words/test/test_jabberclient.py ++++ b/src/twisted/words/test/test_jabberclient.py +@@ -394,11 +394,14 @@ class BasicAuthenticatorTests(unittest.TestCase): + + def test_basic(self): + """ +- Test basic operations. +- +- Setup a basicClientFactory, which sets up a BasicAuthenticator, and let +- it produce a protocol instance. Then inspect the instance variables of +- the authenticator and XML stream objects. ++ Authenticator and stream are properly constructed by the factory. ++ ++ The L{xmlstream.XmlStream} protocol created by the factory has the new ++ L{client.BasicAuthenticator} instance in its C{authenticator} ++ attribute. It is set up with C{jid} and C{password} as passed to the ++ factory, C{otherHost} taken from the client JID. The stream futher has ++ two initializers, for TLS and authentication, of which the first has ++ its C{required} attribute set to C{True}. + """ + self.client_jid = jid.JID('user@example.com/resource') + + diff -Nru twisted-18.9.0/debian/patches/CVE-2019-12855-13.patch twisted-18.9.0/debian/patches/CVE-2019-12855-13.patch --- twisted-18.9.0/debian/patches/CVE-2019-12855-13.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-18.9.0/debian/patches/CVE-2019-12855-13.patch 2020-03-16 16:50:33.000000000 +0000 @@ -0,0 +1,211 @@ +From ea2d28f7035cdbc56063a0672acef426086875ff Mon Sep 17 00:00:00 2001 +From: Ralph Meijer +Date: Sun, 16 Jun 2019 18:41:49 +0200 +Subject: [PATCH 13/17] Rename contextFactory to configurationForTLS, make + private vars + +--- + src/twisted/words/newsfragments/9561.feature | 2 +- + src/twisted/words/protocols/jabber/client.py | 37 +++++++++++-------- + .../words/protocols/jabber/xmlstream.py | 28 +++++++------- + src/twisted/words/test/test_jabberclient.py | 26 +++++++------ + .../words/test/test_jabberxmlstream.py | 3 ++ + 5 files changed, 55 insertions(+), 41 deletions(-) + +diff --git a/src/twisted/words/protocols/jabber/client.py b/src/twisted/words/protocols/jabber/client.py +index 4b310e34f38..db4cbfccf21 100644 +--- a/src/twisted/words/protocols/jabber/client.py ++++ b/src/twisted/words/protocols/jabber/client.py +@@ -298,7 +298,7 @@ def start(self): + + + +-def XMPPClientFactory(jid, password, contextFactory=None): ++def XMPPClientFactory(jid, password, configurationForTLS=None): + """ + Client factory for XMPP 1.0 (only). + +@@ -314,16 +314,18 @@ def XMPPClientFactory(jid, password, contextFactory=None): + @param password: password to authenticate with. + @type password: L{unicode} + +- @param contextFactory: An object which creates appropriately configured TLS +- connections. This is passed to C{startTLS} on the transport and is +- preferably created using L{twisted.internet.ssl.optionsForClientTLS}. +- See L{xmlstream.TLSInitiatingInitializer} for details. +- @type contextFactory: L{IOpenSSLClientConnectionCreator} ++ @param configurationForTLS: An object which creates appropriately ++ configured TLS connections. This is passed to C{startTLS} on the ++ transport and is preferably created using ++ L{twisted.internet.ssl.optionsForClientTLS}. See ++ L{xmlstream.TLSInitiatingInitializer} for details. ++ @type configurationForTLS: L{IOpenSSLClientConnectionCreator} + + @return: XML stream factory. + @rtype: L{xmlstream.XmlStreamFactory} + """ +- a = XMPPAuthenticator(jid, password, contextFactory=contextFactory) ++ a = XMPPAuthenticator(jid, password, ++ configurationForTLS=configurationForTLS) + return xmlstream.XmlStreamFactory(a) + + +@@ -361,21 +363,23 @@ class XMPPAuthenticator(xmlstream.ConnectAuthenticator): + + @ivar password: password to be used during SASL authentication. + @type password: L{unicode} +- +- @ivar contextFactory: An object which creates appropriately configured TLS +- connections. This is passed to C{startTLS} on the transport and is +- preferably created using L{twisted.internet.ssl.optionsForClientTLS}. +- See L{xmlstream.TLSInitiatingInitializer} for details. +- @type contextFactory: L{IOpenSSLClientConnectionCreator} + """ + + namespace = 'jabber:client' + +- def __init__(self, jid, password, contextFactory=None): ++ def __init__(self, jid, password, configurationForTLS=None): ++ """ ++ @param configurationForTLS: An object which creates appropriately ++ configured TLS connections. This is passed to C{startTLS} on the ++ transport and is preferably created using ++ L{twisted.internet.ssl.optionsForClientTLS}. See ++ L{xmlstream.TLSInitiatingInitializer} for details. ++ @type configurationForTLS: L{IOpenSSLClientConnectionCreator} ++ """ + xmlstream.ConnectAuthenticator.__init__(self, jid.host) + self.jid = jid + self.password = password +- self.contextFactory = contextFactory ++ self._configurationForTLS = configurationForTLS + + + def associateWithStream(self, xs): +@@ -392,7 +396,8 @@ def associateWithStream(self, xs): + xs.initializers = [ + CheckVersionInitializer(xs), + xmlstream.TLSInitiatingInitializer( +- xs, required=True, contextFactory=self.contextFactory), ++ xs, required=True, ++ configurationForTLS=self._configurationForTLS), + sasl.SASLInitiatingInitializer(xs, required=True), + BindInitializer(xs, required=True), + SessionInitializer(xs, required=False), +diff --git a/src/twisted/words/protocols/jabber/xmlstream.py b/src/twisted/words/protocols/jabber/xmlstream.py +index 1ed79d47726..135d71295df 100644 +--- a/src/twisted/words/protocols/jabber/xmlstream.py ++++ b/src/twisted/words/protocols/jabber/xmlstream.py +@@ -403,25 +403,27 @@ class TLSInitiatingInitializer(BaseFeatureInitiatingInitializer): + + @ivar wanted: indicates if TLS negotiation is wanted. + @type wanted: C{bool} +- +- @ivar contextFactory: An object which creates appropriately configured TLS +- connections. This is passed to C{startTLS} on the transport and is +- preferably created using L{twisted.internet.ssl.optionsForClientTLS}. +- If C{None}, the default is to verify the server certificate against +- the trust roots as provided by the platform. See +- L{twisted.internet._sslverify.platformTrust}. +- @type contextFactory: L{IOpenSSLClientConnectionCreator} + """ + + feature = (NS_XMPP_TLS, 'starttls') + wanted = True +- contextFactory = None + _deferred = None ++ _configurationForTLS = None + +- def __init__(self, xs, required=True, contextFactory=None): ++ def __init__(self, xs, required=True, configurationForTLS=None): ++ """ ++ @param configurationForTLS: An object which creates appropriately ++ configured TLS connections. This is passed to C{startTLS} on the ++ transport and is preferably created using ++ L{twisted.internet.ssl.optionsForClientTLS}. If C{None}, the ++ default is to verify the server certificate against the trust roots ++ as provided by the platform. See ++ L{twisted.internet._sslverify.platformTrust}. ++ @type configurationForTLS: L{IOpenSSLClientConnectionCreator} ++ """ + super(TLSInitiatingInitializer, self).__init__( + xs, required=required) +- self.contextFactory = contextFactory ++ self._configurationForTLS = configurationForTLS + + + def onProceed(self, obj): +@@ -430,8 +432,8 @@ def onProceed(self, obj): + """ + + self.xmlstream.removeObserver('/failure', self.onFailure) +- if self.contextFactory: +- ctx = self.contextFactory ++ if self._configurationForTLS: ++ ctx = self._configurationForTLS + else: + ctx = ssl.optionsForClientTLS(self.xmlstream.otherEntity.host) + self.xmlstream.transport.startTLS(ctx) +diff --git a/src/twisted/words/test/test_jabberclient.py b/src/twisted/words/test/test_jabberclient.py +index 1403131baf6..4f5c8092419 100644 +--- a/src/twisted/words/test/test_jabberclient.py ++++ b/src/twisted/words/test/test_jabberclient.py +@@ -466,28 +466,32 @@ def test_basic(self): + self.assertFalse(session.required) + + +- def test_tlsContextFactory(self): ++ def test_tlsConfiguration(self): + """ +- Test basic operations. +- +- Setup an XMPPClientFactory, which sets up an XMPPAuthenticator, and let +- it produce a protocol instance. Then inspect the instance variables of +- the authenticator and XML stream objects. ++ A TLS configuration is passed to the TLS initializer. + """ ++ configs = [] ++ ++ def init(self, xs, required=True, configurationForTLS=None): ++ configs.append(configurationForTLS) ++ + self.client_jid = jid.JID('user@example.com/resource') + + # Get an XmlStream instance. Note that it gets initialized with the + # XMPPAuthenticator (that has its associateWithXmlStream called) that + # is in turn initialized with the arguments to the factory. +- contextFactory = ssl.CertificateOptions() +- factory = client.XMPPClientFactory(self.client_jid, 'secret', +- contextFactory=contextFactory) ++ configurationForTLS = ssl.CertificateOptions() ++ factory = client.XMPPClientFactory( ++ self.client_jid, 'secret', ++ configurationForTLS=configurationForTLS) ++ self.patch(xmlstream.TLSInitiatingInitializer, "__init__", init) + xs = factory.buildProtocol(None) + + # test list of initializers + version, tls, sasl, bind, session = xs.initializers + + self.assertIsInstance(tls, xmlstream.TLSInitiatingInitializer) +- self.assertIs(contextFactory, tls.contextFactory) ++ self.assertIs(configurationForTLS, configs[0]) ++ + +- test_tlsContextFactory.skip = skipWhenNoSSL ++ test_tlsConfiguration.skip = skipWhenNoSSL +diff --git a/src/twisted/words/test/test_jabberxmlstream.py b/src/twisted/words/test/test_jabberxmlstream.py +index 7b384645a2c..85f6d195d4a 100644 +--- a/src/twisted/words/test/test_jabberxmlstream.py ++++ b/src/twisted/words/test/test_jabberxmlstream.py +@@ -747,6 +747,9 @@ def test_certificateVerifyContext(self): + A custom contextFactory is passed through to startTLS. + """ + ctx = CertificateOptions() ++ self.init = xmlstream.TLSInitiatingInitializer( ++ self.xmlstream, configurationForTLS=ctx) ++ + self.init.contextFactory = ctx + + def fakeStartTLS(contextFactory): + diff -Nru twisted-18.9.0/debian/patches/CVE-2019-12855-14.patch twisted-18.9.0/debian/patches/CVE-2019-12855-14.patch --- twisted-18.9.0/debian/patches/CVE-2019-12855-14.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-18.9.0/debian/patches/CVE-2019-12855-14.patch 2020-03-16 16:50:36.000000000 +0000 @@ -0,0 +1,40 @@ +From 05556b6ca14a49e4c7f3b5e8ede83137b869926e Mon Sep 17 00:00:00 2001 +From: Ralph Meijer +Date: Sun, 16 Jun 2019 19:02:52 +0200 +Subject: [PATCH 14/17] Move check for configurationTLS being None to __init__ + +--- + src/twisted/words/protocols/jabber/xmlstream.py | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/twisted/words/protocols/jabber/xmlstream.py b/src/twisted/words/protocols/jabber/xmlstream.py +index 135d71295df..dd4bd8f1932 100644 +--- a/src/twisted/words/protocols/jabber/xmlstream.py ++++ b/src/twisted/words/protocols/jabber/xmlstream.py +@@ -423,7 +423,11 @@ def __init__(self, xs, required=True, configurationForTLS=None): + """ + super(TLSInitiatingInitializer, self).__init__( + xs, required=required) +- self._configurationForTLS = configurationForTLS ++ if configurationForTLS: ++ self._configurationForTLS = configurationForTLS ++ else: ++ self._configurationForTLS = ssl.optionsForClientTLS( ++ self.xmlstream.authenticator.otherHost) + + + def onProceed(self, obj): +@@ -432,11 +436,7 @@ def onProceed(self, obj): + """ + + self.xmlstream.removeObserver('/failure', self.onFailure) +- if self._configurationForTLS: +- ctx = self._configurationForTLS +- else: +- ctx = ssl.optionsForClientTLS(self.xmlstream.otherEntity.host) +- self.xmlstream.transport.startTLS(ctx) ++ self.xmlstream.transport.startTLS(self._configurationForTLS) + self.xmlstream.reset() + self.xmlstream.sendHeader() + self._deferred.callback(Reset) + diff -Nru twisted-18.9.0/debian/patches/CVE-2019-12855-15.patch twisted-18.9.0/debian/patches/CVE-2019-12855-15.patch --- twisted-18.9.0/debian/patches/CVE-2019-12855-15.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-18.9.0/debian/patches/CVE-2019-12855-15.patch 2020-03-16 16:50:41.000000000 +0000 @@ -0,0 +1,59 @@ +From 7caf8ac8795492e346e8f52633ff6d343a07edde Mon Sep 17 00:00:00 2001 +From: Ralph Meijer +Date: Sun, 16 Jun 2019 19:11:35 +0200 +Subject: [PATCH 15/17] Document configurationForTLS being None directly + +--- + src/twisted/words/protocols/jabber/client.py | 16 ++++++++++------ + src/twisted/words/protocols/jabber/xmlstream.py | 3 ++- + 2 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/src/twisted/words/protocols/jabber/client.py b/src/twisted/words/protocols/jabber/client.py +index db4cbfccf21..8f197cdafe1 100644 +--- a/src/twisted/words/protocols/jabber/client.py ++++ b/src/twisted/words/protocols/jabber/client.py +@@ -317,9 +317,10 @@ def XMPPClientFactory(jid, password, configurationForTLS=None): + @param configurationForTLS: An object which creates appropriately + configured TLS connections. This is passed to C{startTLS} on the + transport and is preferably created using +- L{twisted.internet.ssl.optionsForClientTLS}. See +- L{xmlstream.TLSInitiatingInitializer} for details. +- @type configurationForTLS: L{IOpenSSLClientConnectionCreator} ++ L{twisted.internet.ssl.optionsForClientTLS}. If C{None}, the default is ++ to verify the server certificate against the trust roots as provided by ++ the platform. See L{twisted.internet._sslverify.platformTrust}. ++ @type configurationForTLS: L{IOpenSSLClientConnectionCreator} or C{None} + + @return: XML stream factory. + @rtype: L{xmlstream.XmlStreamFactory} +@@ -372,9 +373,12 @@ def __init__(self, jid, password, configurationForTLS=None): + @param configurationForTLS: An object which creates appropriately + configured TLS connections. This is passed to C{startTLS} on the + transport and is preferably created using +- L{twisted.internet.ssl.optionsForClientTLS}. See +- L{xmlstream.TLSInitiatingInitializer} for details. +- @type configurationForTLS: L{IOpenSSLClientConnectionCreator} ++ L{twisted.internet.ssl.optionsForClientTLS}. If C{None}, the ++ default is to verify the server certificate against the trust roots ++ as provided by the platform. See ++ L{twisted.internet._sslverify.platformTrust}. ++ @type configurationForTLS: L{IOpenSSLClientConnectionCreator} or ++ C{None} + """ + xmlstream.ConnectAuthenticator.__init__(self, jid.host) + self.jid = jid +diff --git a/src/twisted/words/protocols/jabber/xmlstream.py b/src/twisted/words/protocols/jabber/xmlstream.py +index dd4bd8f1932..905402c5360 100644 +--- a/src/twisted/words/protocols/jabber/xmlstream.py ++++ b/src/twisted/words/protocols/jabber/xmlstream.py +@@ -419,7 +419,8 @@ def __init__(self, xs, required=True, configurationForTLS=None): + default is to verify the server certificate against the trust roots + as provided by the platform. See + L{twisted.internet._sslverify.platformTrust}. +- @type configurationForTLS: L{IOpenSSLClientConnectionCreator} ++ @type configurationForTLS: L{IOpenSSLClientConnectionCreator} or ++ C{None} + """ + super(TLSInitiatingInitializer, self).__init__( + xs, required=required) + diff -Nru twisted-18.9.0/debian/patches/CVE-2019-12855-17.patch twisted-18.9.0/debian/patches/CVE-2019-12855-17.patch --- twisted-18.9.0/debian/patches/CVE-2019-12855-17.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-18.9.0/debian/patches/CVE-2019-12855-17.patch 2020-03-16 16:50:46.000000000 +0000 @@ -0,0 +1,41 @@ +From abbf0fd52c13b1fb5e1429189a3fcc48565870a5 Mon Sep 17 00:00:00 2001 +From: Ralph Meijer +Date: Sun, 16 Jun 2019 19:50:33 +0200 +Subject: [PATCH 17/17] Revert "Move check for configurationTLS being None to + __init__" + +This reverts commit 05556b6ca14a49e4c7f3b5e8ede83137b869926e. +--- + src/twisted/words/protocols/jabber/xmlstream.py | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/twisted/words/protocols/jabber/xmlstream.py b/src/twisted/words/protocols/jabber/xmlstream.py +index 905402c5360..20948c6d3be 100644 +--- a/src/twisted/words/protocols/jabber/xmlstream.py ++++ b/src/twisted/words/protocols/jabber/xmlstream.py +@@ -424,11 +424,7 @@ def __init__(self, xs, required=True, configurationForTLS=None): + """ + super(TLSInitiatingInitializer, self).__init__( + xs, required=required) +- if configurationForTLS: +- self._configurationForTLS = configurationForTLS +- else: +- self._configurationForTLS = ssl.optionsForClientTLS( +- self.xmlstream.authenticator.otherHost) ++ self._configurationForTLS = configurationForTLS + + + def onProceed(self, obj): +@@ -437,7 +433,11 @@ def onProceed(self, obj): + """ + + self.xmlstream.removeObserver('/failure', self.onFailure) +- self.xmlstream.transport.startTLS(self._configurationForTLS) ++ if self._configurationForTLS: ++ ctx = self._configurationForTLS ++ else: ++ ctx = ssl.optionsForClientTLS(self.xmlstream.otherEntity.host) ++ self.xmlstream.transport.startTLS(ctx) + self.xmlstream.reset() + self.xmlstream.sendHeader() + self._deferred.callback(Reset) diff -Nru twisted-18.9.0/debian/patches/CVE-2019-951x.patch twisted-18.9.0/debian/patches/CVE-2019-951x.patch --- twisted-18.9.0/debian/patches/CVE-2019-951x.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-18.9.0/debian/patches/CVE-2019-951x.patch 2020-03-16 16:50:58.000000000 +0000 @@ -0,0 +1,627 @@ +Backport of: + +From 1595d9adc21c580065d1d6036c9611c411990816 Mon Sep 17 00:00:00 2001 +From: Mark Williams +Date: Thu, 8 Aug 2019 19:18:20 -0700 +Subject: [PATCH] Buffer outbound control frames and timeout invalid clients. + +A HTTP/2 server can be effectively DoSed by having a remote peer stop +reading from a connection while continuing to send frames that trigger +automatic control frame emission. This patch addresses that by ensuring +that rather than automatically write all control frames into the +transport, we will buffer them in the HTTP/2 connection object, ensuring +that we have visibility into the size of that buffer, and thus can abort +the connection if it grows too large. + +An HTTP/2 server can also be DoSed by a client that sends only invalid +frames (e.g., a RESET_STREAM frame when no streams have been created.) +This patches addresses that by only resetting H2Connection's timeout +when the underlying h2.connection.H2Connection has parsed at least one +valid frame. +--- + src/twisted/web/_http2.py | 130 ++++++++++---- + src/twisted/web/error.py | 8 + + src/twisted/web/http.py | 8 +- + src/twisted/web/test/test_http.py | 13 +- + src/twisted/web/test/test_http2.py | 262 ++++++++++++++++++++++++++++- + 5 files changed, 387 insertions(+), 34 deletions(-) + +--- a/src/twisted/web/_http2.py ++++ b/src/twisted/web/_http2.py +@@ -41,6 +41,7 @@ from twisted.internet.protocol import Pr + from twisted.logger import Logger + from twisted.protocols.policies import TimeoutMixin + from twisted.python.failure import Failure ++from twisted.web.error import ExcessiveBufferingError + + + # This API is currently considered private. +@@ -138,6 +139,12 @@ class H2Connection(Protocol, TimeoutMixi + self._streamCleanupCallbacks = {} + self._stillProducing = True + ++ # Limit the number of buffered control frame (e.g. PING and ++ # SETTINGS) bytes. ++ self._maxBufferedControlFrameBytes = 1024 * 17 ++ self._bufferedControlFrames = deque() ++ self._bufferedControlFrameBytes = 0 ++ + if reactor is None: + from twisted.internet import reactor + self._reactor = reactor +@@ -165,18 +172,19 @@ class H2Connection(Protocol, TimeoutMixi + @param data: The data received from the transport. + @type data: L{bytes} + """ +- self.resetTimeout() +- + try: + events = self.conn.receive_data(data) + except h2.exceptions.ProtocolError: +- # A remote protocol error terminates the connection. +- dataToSend = self.conn.data_to_send() +- self.transport.write(dataToSend) +- self.transport.loseConnection() +- self.connectionLost(Failure()) ++ stillActive = self._tryToWriteControlData() ++ if stillActive: ++ self.transport.loseConnection() ++ self.connectionLost(Failure(), _cancelTimeouts=False) + return + ++ # Only reset the timeout if we've received an actual H2 ++ # protocol message ++ self.resetTimeout() ++ + for event in events: + if isinstance(event, h2.events.RequestReceived): + self._requestReceived(event) +@@ -192,11 +200,12 @@ class H2Connection(Protocol, TimeoutMixi + self._handlePriorityUpdate(event) + elif isinstance(event, h2.events.ConnectionTerminated): + self.transport.loseConnection() +- self.connectionLost(ConnectionLost("Remote peer sent GOAWAY")) ++ self.connectionLost( ++ ConnectionLost("Remote peer sent GOAWAY"), ++ _cancelTimeouts=False, ++ ) + +- dataToSend = self.conn.data_to_send() +- if dataToSend: +- self.transport.write(dataToSend) ++ self._tryToWriteControlData() + + + def timeoutConnection(self): +@@ -259,15 +268,23 @@ class H2Connection(Protocol, TimeoutMixi + self.transport.abortConnection() + + +- def connectionLost(self, reason): ++ def connectionLost(self, reason, _cancelTimeouts=True): + """ + Called when the transport connection is lost. + +- Informs all outstanding response handlers that the connection has been +- lost, and cleans up all internal state. ++ Informs all outstanding response handlers that the connection ++ has been lost, and cleans up all internal state. ++ ++ @param reason: See L{IProtocol.connectionLost} ++ ++ @param _cancelTimeouts: Propagate the C{reason} to this ++ connection's streams but don't cancel any timers, so that ++ peers who never read the data we've written are eventually ++ timed out. + """ + self._stillProducing = False +- self.setTimeout(None) ++ if _cancelTimeouts: ++ self.setTimeout(None) + + for stream in self.streams.values(): + stream.connectionLost(reason) +@@ -276,7 +293,7 @@ class H2Connection(Protocol, TimeoutMixi + self._requestDone(streamID) + + # If we were going to force-close the transport, we don't have to now. +- if self._abortingCall is not None: ++ if _cancelTimeouts and self._abortingCall is not None: + self._abortingCall.cancel() + self._abortingCall = None + +@@ -324,7 +341,8 @@ class H2Connection(Protocol, TimeoutMixi + # + # Note that all of this only applies to *data*. Headers and other control + # frames deliberately skip this processing as they are not subject to flow +- # control or priority constraints. ++ # control or priority constraints. Instead, they are stored in their own buffer ++ # which is used primarily to detect excessive buffering. + def stopProducing(self): + """ + Stop producing data. +@@ -343,6 +361,8 @@ class H2Connection(Protocol, TimeoutMixi + for the time being, and to stop until resumeProducing() is called. + """ + self._consumerBlocked = Deferred() ++ # Ensure pending control data (if any) are sent first. ++ self._consumerBlocked.addCallback(self._flushBufferedControlData) + + + def resumeProducing(self): +@@ -568,7 +588,7 @@ class H2Connection(Protocol, TimeoutMixi + # when a connection is lost, so that's what we do too. + return + else: +- self.transport.write(self.conn.data_to_send()) ++ self._tryToWriteControlData() + + + def writeDataToStream(self, streamID, data): +@@ -622,8 +642,9 @@ class H2Connection(Protocol, TimeoutMixi + @type streamID: L{int} + """ + self.conn.reset_stream(streamID) +- self.transport.write(self.conn.data_to_send()) +- self._requestDone(streamID) ++ stillActive = self._tryToWriteControlData() ++ if stillActive: ++ self._requestDone(streamID) + + + def _requestDone(self, streamID): +@@ -739,9 +760,7 @@ class H2Connection(Protocol, TimeoutMixi + @type increment: L{int} + """ + self.conn.acknowledge_received_data(increment, streamID) +- data = self.conn.data_to_send() +- if data: +- self.transport.write(data) ++ self._tryToWriteControlData() + + + def _isSecure(self): +@@ -766,7 +785,7 @@ class H2Connection(Protocol, TimeoutMixi + """ + headers = [(b':status', b'100')] + self.conn.send_headers(headers=headers, stream_id=streamID) +- self.transport.write(self.conn.data_to_send()) ++ self._tryToWriteControlData() + + + def _respondToBadRequestAndDisconnect(self, streamID): +@@ -791,11 +810,11 @@ class H2Connection(Protocol, TimeoutMixi + stream_id=streamID, + end_stream=True + ) +- self.transport.write(self.conn.data_to_send()) +- +- stream = self.streams[streamID] +- stream.connectionLost(ConnectionLost("Invalid request")) +- self._requestDone(streamID) ++ stillActive = self._tryToWriteControlData() ++ if stillActive: ++ stream = self.streams[streamID] ++ stream.connectionLost(ConnectionLost("Invalid request")) ++ self._requestDone(streamID) + + + def _streamIsActive(self, streamID): +@@ -811,6 +830,59 @@ class H2Connection(Protocol, TimeoutMixi + """ + return streamID in self.streams + ++ def _tryToWriteControlData(self): ++ """ ++ Checks whether the connection is blocked on flow control and, ++ if it isn't, writes any buffered control data. ++ ++ @return: L{True} if the connection is still active and ++ L{False} if it was aborted because too many bytes have ++ been written but not consumed by the other end. ++ """ ++ bufferedBytes = self.conn.data_to_send() ++ if not bufferedBytes: ++ return True ++ ++ if self._consumerBlocked is None and not self._bufferedControlFrames: ++ # The consumer isn't blocked, and we don't have any buffered frames: ++ # write this directly. ++ self.transport.write(bufferedBytes) ++ return True ++ else: ++ # Either the consumer is blocked or we have buffered frames. If the ++ # consumer is blocked, we'll write this when we unblock. If we have ++ # buffered frames, we have presumably been re-entered from ++ # transport.write, and so to avoid reordering issues we'll buffer anyway. ++ self._bufferedControlFrames.append(bufferedBytes) ++ self._bufferedControlFrameBytes += len(bufferedBytes) ++ ++ if self._bufferedControlFrameBytes >= self._maxBufferedControlFrameBytes: ++ self._log.error( ++ "Maximum number of control frame bytes buffered: " ++ "{bufferedControlFrameBytes} > = {maxBufferedControlFrameBytes}. " ++ "Aborting connection to client: {client} ", ++ bufferedControlFrameBytes=self._bufferedControlFrameBytes, ++ maxBufferedControlFrameBytes=self._maxBufferedControlFrameBytes, ++ client=self.transport.getPeer(), ++ ) ++ # We've exceeded a reasonable buffer size for max buffered control frames. ++ # This is a denial of service risk, so we're going to drop this connection. ++ self.transport.abortConnection() ++ self.connectionLost(ExcessiveBufferingError()) ++ return False ++ return True ++ ++ def _flushBufferedControlData(self, *args): ++ """ ++ Called when the connection is marked writable again after being marked unwritable. ++ Attempts to flush buffered control data if there is any. ++ """ ++ # To respect backpressure here we send each write in order, paying attention to whether ++ # we got blocked ++ while self._consumerBlocked is None and self._bufferedControlFrames: ++ nextWrite = self._bufferedControlFrames.popleft() ++ self._bufferedControlFrameBytes -= len(nextWrite) ++ self.transport.write(nextWrite) + + + @implementer(ITransport, IConsumer, IPushProducer) +--- a/src/twisted/web/error.py ++++ b/src/twisted/web/error.py +@@ -300,6 +300,14 @@ class UnsupportedType(Exception): + """ + + ++class ExcessiveBufferingError(Exception): ++ """ ++ The HTTP/2 protocol has been forced to buffer an excessive amount of ++ outbound data, and has therefore closed the connection and dropped all ++ outbound data. ++ """ ++ ++ + + class FlattenerError(Exception): + """ +--- a/src/twisted/web/http.py ++++ b/src/twisted/web/http.py +@@ -2892,7 +2892,8 @@ class _GenericHTTPChannelProtocol(proxyF + # We need to make sure that the HTTPChannel is unregistered + # from the transport so that the H2Connection can register + # itself if possible. +- self._channel._networkProducer.unregisterProducer() ++ networkProducer = self._channel._networkProducer ++ networkProducer.unregisterProducer() + + transport = self._channel.transport + self._channel = H2Connection() +@@ -2902,6 +2903,11 @@ class _GenericHTTPChannelProtocol(proxyF + self._channel.timeOut = self._timeOut + self._channel.callLater = self._callLater + self._channel.makeConnection(transport) ++ ++ # Register the H2Connection as the transport's ++ # producer, so that the transport can apply back ++ # pressure. ++ networkProducer.registerProducer(self._channel, True) + else: + # Only HTTP/2 and HTTP/1.1 are supported right now. + assert negotiatedProtocol == b'http/1.1', \ +--- a/src/twisted/web/test/test_http.py ++++ b/src/twisted/web/test/test_http.py +@@ -896,15 +896,22 @@ class GenericHTTPChannelTests(unittest.T + genericProtocol.requestFactory = DummyHTTPHandlerProxy + genericProtocol.makeConnection(transport) + ++ originalChannel = genericProtocol._channel ++ + # We expect the transport has a underlying channel registered as + # a producer. +- self.assertIs(transport.producer, genericProtocol._channel) ++ self.assertIs(transport.producer, originalChannel) + + # Force the upgrade. + genericProtocol.dataReceived(b'P') + +- # The transport should now have no producer. +- self.assertIs(transport.producer, None) ++ # The transport should not have the original channel as its ++ # producer... ++ self.assertIsNot(transport.producer, originalChannel) ++ ++ # ...it should have the new H2 channel as its producer ++ self.assertIs(transport.producer, genericProtocol._channel) ++ + if not http.H2_ENABLED: + test_unregistersProducer.skip = "HTTP/2 support not present" + +--- a/src/twisted/web/test/test_http2.py ++++ b/src/twisted/web/test/test_http2.py +@@ -14,7 +14,7 @@ from zope.interface import providedBy, d + from twisted.internet import defer, reactor, task, error + from twisted.python import failure + from twisted.python.compat import iterbytes +-from twisted.test.proto_helpers import StringTransport ++from twisted.test.proto_helpers import StringTransport, MemoryReactorClock + from twisted.test.test_internet import DummyProducer + from twisted.trial import unittest + from twisted.web import http +@@ -1651,6 +1651,194 @@ class HTTP2ServerTests(unittest.TestCase + return d + + ++ def test_fast400WithCircuitBreaker(self): ++ """ ++ A HTTP/2 stream that has had _respondToBadRequestAndDisconnect ++ called on it does not write control frame data if its ++ transport is paused and its control frame limit has been ++ reached. ++ """ ++ # Set the connection up. ++ memoryReactor = MemoryReactorClock() ++ connection = H2Connection(memoryReactor) ++ connection.callLater = memoryReactor.callLater ++ # Use the DelayedHTTPHandler to prevent the connection from ++ # writing any response bytes after receiving a request that ++ # establishes the stream. ++ connection.requestFactory = DelayedHTTPHandler ++ ++ streamID = 1 ++ ++ frameFactory = FrameFactory() ++ transport = StringTransport() ++ ++ # Establish the connection ++ clientConnectionPreface = frameFactory.clientConnectionPreface() ++ connection.makeConnection(transport) ++ connection.dataReceived(clientConnectionPreface) ++ # Establish the stream. ++ connection.dataReceived( ++ buildRequestBytes( ++ self.getRequestHeaders, [], frameFactory, streamID=streamID) ++ ) ++ ++ # Pause the connection and limit the number of outbound bytes ++ # to 0, so that attempting to send the 400 aborts the ++ # connection. ++ connection.pauseProducing() ++ connection._maxBufferedControlFrameBytes = 0 ++ ++ connection._respondToBadRequestAndDisconnect(streamID) ++ ++ self.assertTrue(transport.disconnected) ++ ++ ++ def test_bufferingAutomaticFrameData(self): ++ """ ++ If a the L{H2Connection} has been paused by the transport, it will ++ not write automatic frame data triggered by writes. ++ """ ++ # Set the connection up. ++ connection = H2Connection() ++ connection.requestFactory = DummyHTTPHandlerProxy ++ frameFactory = FrameFactory() ++ transport = StringTransport() ++ ++ clientConnectionPreface = frameFactory.clientConnectionPreface() ++ connection.makeConnection(transport) ++ connection.dataReceived(clientConnectionPreface) ++ ++ # Now we're going to pause the producer. ++ connection.pauseProducing() ++ ++ # Now we're going to send a bunch of empty SETTINGS frames. This ++ # should not cause writes. ++ for _ in range(0, 100): ++ connection.dataReceived(frameFactory.buildSettingsFrame({}).serialize()) ++ ++ frames = framesFromBytes(transport.value()) ++ self.assertEqual(len(frames), 1) ++ ++ # Re-enable the transport. ++ connection.resumeProducing() ++ frames = framesFromBytes(transport.value()) ++ self.assertEqual(len(frames), 101) ++ ++ ++ def test_bufferingAutomaticFrameDataWithCircuitBreaker(self): ++ """ ++ If the L{H2Connection} has been paused by the transport, it will ++ not write automatic frame data triggered by writes. If this buffer ++ gets too large, the connection will be dropped. ++ """ ++ # Set the connection up. ++ connection = H2Connection() ++ connection.requestFactory = DummyHTTPHandlerProxy ++ frameFactory = FrameFactory() ++ transport = StringTransport() ++ ++ clientConnectionPreface = frameFactory.clientConnectionPreface() ++ connection.makeConnection(transport) ++ connection.dataReceived(clientConnectionPreface) ++ ++ # Now we're going to pause the producer. ++ connection.pauseProducing() ++ ++ # Now we're going to limit the outstanding buffered bytes to ++ # 100 bytes. ++ connection._maxBufferedControlFrameBytes = 100 ++ ++ # Now we're going to send 11 empty SETTINGS frames. This ++ # should not cause writes, or a close. ++ self.assertFalse(transport.disconnecting) ++ for _ in range(0, 11): ++ connection.dataReceived(frameFactory.buildSettingsFrame({}).serialize()) ++ self.assertFalse(transport.disconnecting) ++ ++ # Send a last settings frame, which will push us over the buffer limit. ++ connection.dataReceived(frameFactory.buildSettingsFrame({}).serialize()) ++ self.assertTrue(transport.disconnected) ++ ++ ++ def test_bufferingContinuesIfProducerIsPausedOnWrite(self): ++ """ ++ If the L{H2Connection} has buffered control frames, is unpaused, and then ++ paused while unbuffering, it persists the buffer and stops trying to write. ++ """ ++ class AutoPausingStringTransport(StringTransport): ++ def write(self, *args, **kwargs): ++ StringTransport.write(self, *args, **kwargs) ++ self.producer.pauseProducing() ++ ++ # Set the connection up. ++ connection = H2Connection() ++ connection.requestFactory = DummyHTTPHandlerProxy ++ frameFactory = FrameFactory() ++ transport = AutoPausingStringTransport() ++ transport.registerProducer(connection, True) ++ ++ clientConnectionPreface = frameFactory.clientConnectionPreface() ++ connection.makeConnection(transport) ++ connection.dataReceived(clientConnectionPreface) ++ ++ # The connection should already be paused. ++ self.assertIsNotNone(connection._consumerBlocked) ++ frames = framesFromBytes(transport.value()) ++ self.assertEqual(len(frames), 1) ++ self.assertEqual(connection._bufferedControlFrameBytes, 0) ++ ++ # Now we're going to send 11 empty SETTINGS frames. This should produce ++ # no output, but some buffered settings ACKs. ++ for _ in range(0, 11): ++ connection.dataReceived(frameFactory.buildSettingsFrame({}).serialize()) ++ ++ frames = framesFromBytes(transport.value()) ++ self.assertEqual(len(frames), 1) ++ self.assertEqual(connection._bufferedControlFrameBytes, 9 * 11) ++ ++ # Ok, now we're going to unpause the producer. This should write only one of the ++ # SETTINGS ACKs, as the connection gets repaused. ++ connection.resumeProducing() ++ ++ frames = framesFromBytes(transport.value()) ++ self.assertEqual(len(frames), 2) ++ self.assertEqual(connection._bufferedControlFrameBytes, 9 * 10) ++ ++ ++ def test_circuitBreakerAbortsAfterProtocolError(self): ++ """ ++ A client that triggers a L{h2.exceptions.ProtocolError} over a ++ paused connection that's reached its buffered control frame ++ limit causes that connection to be aborted. ++ """ ++ memoryReactor = MemoryReactorClock() ++ connection = H2Connection(memoryReactor) ++ connection.callLater = memoryReactor.callLater ++ ++ frameFactory = FrameFactory() ++ transport = StringTransport() ++ ++ # Establish the connection. ++ clientConnectionPreface = frameFactory.clientConnectionPreface() ++ connection.makeConnection(transport) ++ connection.dataReceived(clientConnectionPreface) ++ ++ # Pause it and limit the number of outbound bytes to 0, so ++ # that a ProtocolError aborts the connection ++ connection.pauseProducing() ++ connection._maxBufferedControlFrameBytes = 0 ++ ++ # Trigger a ProtocolError with a data frame that refers to an ++ # unknown stream. ++ invalidData = frameFactory.buildDataFrame( ++ data=b'yo', streamID=0xF0 ++ ).serialize() ++ ++ # The frame should have aborted the connection. ++ connection.dataReceived(invalidData) ++ self.assertTrue(transport.disconnected) ++ ++ + + class H2FlowControlTests(unittest.TestCase, HTTP2TestHelpers): + """ +@@ -2364,6 +2552,50 @@ class H2FlowControlTests(unittest.TestCa + self.assertFalse(dataFrames) + + ++ def test_abortRequestWithCircuitBreaker(self): ++ """ ++ Aborting a request associated with a paused connection that's ++ reached its buffered control frame limit causes that ++ connection to be aborted. ++ """ ++ memoryReactor = MemoryReactorClock() ++ connection = H2Connection(memoryReactor) ++ connection.callLater = memoryReactor.callLater ++ connection.requestFactory = DummyHTTPHandlerProxy ++ ++ frameFactory = FrameFactory() ++ transport = StringTransport() ++ ++ # Establish the connection. ++ clientConnectionPreface = frameFactory.clientConnectionPreface() ++ connection.makeConnection(transport) ++ connection.dataReceived(clientConnectionPreface) ++ ++ # Send a headers frame for a stream ++ streamID = 1 ++ headersFrameData = frameFactory.buildHeadersFrame( ++ headers=self.postRequestHeaders, streamID=streamID ++ ).serialize() ++ connection.dataReceived(headersFrameData) ++ ++ # Pause it and limit the number of outbound bytes to 1, so ++ # that a ProtocolError aborts the connection ++ connection.pauseProducing() ++ connection._maxBufferedControlFrameBytes = 0 ++ ++ # Remove anything sent by the preceding frames. ++ transport.clear() ++ ++ # Abort the request. ++ connection.abortRequest(streamID) ++ ++ # No RST_STREAM frame was sent... ++ self.assertFalse(transport.value()) ++ # ...and the transport was disconnected (abortConnection was ++ # called) ++ self.assertTrue(transport.disconnected) ++ ++ + + class HTTP2TransportChecking(unittest.TestCase, HTTP2TestHelpers): + getRequestHeaders = [ +@@ -2901,3 +3133,31 @@ class HTTP2TimeoutTests(unittest.TestCas + # transports, including TCP and TLS. We don't have anything we can + # assert on here: this just must not explode. + conn.connectionLost(error.ConnectionDone) ++ ++ ++ def test_timeOutClientThatSendsOnlyInvalidFrames(self): ++ """ ++ A client that sends only invalid frames is eventually timed out. ++ """ ++ memoryReactor = MemoryReactorClock() ++ ++ connection = H2Connection(memoryReactor) ++ connection.callLater = memoryReactor.callLater ++ connection.timeOut = 60 ++ ++ frameFactory = FrameFactory() ++ transport = StringTransport() ++ ++ clientConnectionPreface = frameFactory.clientConnectionPreface() ++ connection.makeConnection(transport) ++ connection.dataReceived(clientConnectionPreface) ++ ++ # Send data until both the loseConnection and abortConnection ++ # timeouts have elapsed. ++ for _ in range(connection.timeOut + connection.abortTimeout): ++ connection.dataReceived(frameFactory.buildRstStreamFrame(1).serialize()) ++ memoryReactor.advance(1) ++ ++ # Invalid frames don't reset any timeouts, so the above has ++ # forcibly disconnected us via abortConnection. ++ self.assertTrue(transport.disconnected) diff -Nru twisted-18.9.0/debian/patches/CVE-2020-1010x.patch twisted-18.9.0/debian/patches/CVE-2020-1010x.patch --- twisted-18.9.0/debian/patches/CVE-2020-1010x.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-18.9.0/debian/patches/CVE-2020-1010x.patch 2020-03-16 16:51:10.000000000 +0000 @@ -0,0 +1,248 @@ +From 4a7d22e490bb8ff836892cc99a1f54b85ccb0281 Mon Sep 17 00:00:00 2001 +From: Mark Williams +Date: Sun, 16 Feb 2020 19:00:10 -0800 +Subject: [PATCH] Fix several request smuggling attacks. + +1. Requests with multiple Content-Length headers were allowed (thanks +to Jake Miller from Bishop Fox and ZeddYu Lu) and now fail with a 400; + +2. Requests with a Content-Length header and a Transfer-Encoding +header honored the first header (thanks to Jake Miller from Bishop +Fox) and now fail with a 400; + +3. Requests whose Transfer-Encoding header had a value other than +"chunked" and "identity" (thanks to ZeddYu Lu) were allowed and now fail +with a 400. +--- + src/twisted/web/http.py | 64 +++++++--- + src/twisted/web/newsfragments/9770.bugfix | 1 + + src/twisted/web/test/test_http.py | 137 ++++++++++++++++++++++ + 3 files changed, 187 insertions(+), 15 deletions(-) + create mode 100644 src/twisted/web/newsfragments/9770.bugfix + +--- a/src/twisted/web/http.py ++++ b/src/twisted/web/http.py +@@ -2115,6 +2115,51 @@ class HTTPChannel(basic.LineReceiver, po + self.allContentReceived() + self._dataBuffer.append(data) + ++ def _maybeChooseTransferDecoder(self, header, data): ++ """ ++ If the provided header is C{content-length} or ++ C{transfer-encoding}, choose the appropriate decoder if any. ++ ++ Returns L{True} if the request can proceed and L{False} if not. ++ """ ++ ++ def fail(): ++ self._respondToBadRequestAndDisconnect() ++ self.length = None ++ ++ # Can this header determine the length? ++ if header == b'content-length': ++ try: ++ length = int(data) ++ except ValueError: ++ fail() ++ return False ++ newTransferDecoder = _IdentityTransferDecoder( ++ length, self.requests[-1].handleContentChunk, self._finishRequestBody) ++ elif header == b'transfer-encoding': ++ # XXX Rather poorly tested code block, apparently only exercised by ++ # test_chunkedEncoding ++ if data.lower() == b'chunked': ++ length = None ++ newTransferDecoder = _ChunkedTransferDecoder( ++ self.requests[-1].handleContentChunk, self._finishRequestBody) ++ elif data.lower() == b'identity': ++ return True ++ else: ++ fail() ++ return False ++ else: ++ # It's not a length related header, so exit ++ return True ++ ++ if self._transferDecoder is not None: ++ fail() ++ return False ++ else: ++ self.length = length ++ self._transferDecoder = newTransferDecoder ++ return True ++ + + def headerReceived(self, line): + """ +@@ -2136,21 +2181,10 @@ class HTTPChannel(basic.LineReceiver, po + + header = header.lower() + data = data.strip() +- if header == b'content-length': +- try: +- self.length = int(data) +- except ValueError: +- self._respondToBadRequestAndDisconnect() +- self.length = None +- return False +- self._transferDecoder = _IdentityTransferDecoder( +- self.length, self.requests[-1].handleContentChunk, self._finishRequestBody) +- elif header == b'transfer-encoding' and data.lower() == b'chunked': +- # XXX Rather poorly tested code block, apparently only exercised by +- # test_chunkedEncoding +- self.length = None +- self._transferDecoder = _ChunkedTransferDecoder( +- self.requests[-1].handleContentChunk, self._finishRequestBody) ++ ++ if not self._maybeChooseTransferDecoder(header, data): ++ return False ++ + reqHeaders = self.requests[-1].requestHeaders + values = reqHeaders.getRawHeaders(header) + if values is not None: +--- a/src/twisted/web/test/test_http.py ++++ b/src/twisted/web/test/test_http.py +@@ -2018,6 +2018,143 @@ Hello, + self.flushLoggedErrors(AttributeError) + + ++ def assertDisconnectingBadRequest(self, request): ++ """ ++ Assert that the given request bytes fail with a 400 bad ++ request without calling L{Request.process}. ++ ++ @param request: A raw HTTP request ++ @type request: L{bytes} ++ """ ++ class FailedRequest(http.Request): ++ processed = False ++ def process(self): ++ FailedRequest.processed = True ++ ++ channel = self.runRequest(request, FailedRequest, success=False) ++ self.assertFalse(FailedRequest.processed, "Request.process called") ++ self.assertEqual( ++ channel.transport.value(), ++ b"HTTP/1.1 400 Bad Request\r\n\r\n") ++ self.assertTrue(channel.transport.disconnecting) ++ ++ ++ def test_duplicateContentLengths(self): ++ """ ++ A request which includes multiple C{content-length} headers ++ fails with a 400 response without calling L{Request.process}. ++ """ ++ self.assertRequestRejected([ ++ b'GET /a HTTP/1.1', ++ b'Content-Length: 56', ++ b'Content-Length: 0', ++ b'Host: host.invalid', ++ b'', ++ b'', ++ ]) ++ ++ ++ def test_duplicateContentLengthsWithPipelinedRequests(self): ++ """ ++ Two pipelined requests, the first of which includes multiple ++ C{content-length} headers, trigger a 400 response without ++ calling L{Request.process}. ++ """ ++ self.assertRequestRejected([ ++ b'GET /a HTTP/1.1', ++ b'Content-Length: 56', ++ b'Content-Length: 0', ++ b'Host: host.invalid', ++ b'', ++ b'', ++ b'GET /a HTTP/1.1', ++ b'Host: host.invalid', ++ b'', ++ b'', ++ ]) ++ ++ ++ def test_contentLengthAndTransferEncoding(self): ++ """ ++ A request that includes both C{content-length} and ++ C{transfer-encoding} headers fails with a 400 response without ++ calling L{Request.process}. ++ """ ++ self.assertRequestRejected([ ++ b'GET /a HTTP/1.1', ++ b'Transfer-Encoding: chunked', ++ b'Content-Length: 0', ++ b'Host: host.invalid', ++ b'', ++ b'', ++ ]) ++ ++ ++ def test_contentLengthAndTransferEncodingWithPipelinedRequests(self): ++ """ ++ Two pipelined requests, the first of which includes both ++ C{content-length} and C{transfer-encoding} headers, triggers a ++ 400 response without calling L{Request.process}. ++ """ ++ self.assertRequestRejected([ ++ b'GET /a HTTP/1.1', ++ b'Transfer-Encoding: chunked', ++ b'Content-Length: 0', ++ b'Host: host.invalid', ++ b'', ++ b'', ++ b'GET /a HTTP/1.1', ++ b'Host: host.invalid', ++ b'', ++ b'', ++ ]) ++ ++ ++ def test_unknownTransferEncoding(self): ++ """ ++ A request whose C{transfer-encoding} header includes a value ++ other than C{chunked} or C{identity} fails with a 400 response ++ without calling L{Request.process}. ++ """ ++ self.assertRequestRejected([ ++ b'GET /a HTTP/1.1', ++ b'Transfer-Encoding: unknown', ++ b'Host: host.invalid', ++ b'', ++ b'', ++ ]) ++ ++ ++ def test_transferEncodingIdentity(self): ++ """ ++ A request with a valid C{content-length} and a ++ C{transfer-encoding} whose value is C{identity} succeeds. ++ """ ++ body = [] ++ ++ class SuccessfulRequest(http.Request): ++ processed = False ++ def process(self): ++ body.append(self.content.read()) ++ self.setHeader(b'content-length', b'0') ++ self.finish() ++ ++ request = b'''\ ++GET / HTTP/1.1 ++Host: host.invalid ++Content-Length: 2 ++Transfer-Encoding: identity ++ ++ok ++''' ++ channel = self.runRequest(request, SuccessfulRequest, False) ++ self.assertEqual(body, [b'ok']) ++ self.assertEqual( ++ channel.transport.value(), ++ b'HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n', ++ ) ++ ++ + + class QueryArgumentsTests(unittest.TestCase): + def testParseqs(self): diff -Nru twisted-18.9.0/debian/patches/CVE-2020-1010x-pre1.patch twisted-18.9.0/debian/patches/CVE-2020-1010x-pre1.patch --- twisted-18.9.0/debian/patches/CVE-2020-1010x-pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ twisted-18.9.0/debian/patches/CVE-2020-1010x-pre1.patch 2020-03-16 16:51:06.000000000 +0000 @@ -0,0 +1,135 @@ +Backport of: + +From d2f6dd9b3766509f40c980aac67ca8475da67c6f Mon Sep 17 00:00:00 2001 +From: Tom Most +Date: Mon, 3 Jun 2019 22:03:22 -0700 +Subject: [PATCH] Refactor to reduce duplication + +--- + src/twisted/web/test/test_http.py | 116 +++++++++++------------------- + 1 file changed, 42 insertions(+), 74 deletions(-) + +--- a/src/twisted/web/test/test_http.py ++++ b/src/twisted/web/test/test_http.py +@@ -1370,7 +1370,8 @@ class ParsingTests(unittest.TestCase): + """ + Execute a web request based on plain text content. + +- @param httpRequest: Content for the request which is processed. ++ @param httpRequest: Content for the request which is processed. Each ++ L{"\n"} will be replaced with L{"\r\n"}. + @type httpRequest: C{bytes} + + @param requestFactory: 2-argument callable returning a Request. +@@ -1409,6 +1410,32 @@ class ParsingTests(unittest.TestCase): + return channel + + ++ def assertRequestRejected(self, requestLines): ++ """ ++ Execute a HTTP request and assert that it is rejected with a 400 Bad ++ Response and disconnection. ++ ++ @param requestLines: Plain text lines of the request. These lines will ++ be joined with newlines to form the HTTP request that is processed. ++ @type requestLines: C{list} of C{bytes} ++ """ ++ httpRequest = b"\n".join(requestLines) ++ processed = [] ++ ++ class MyRequest(http.Request): ++ def process(self): ++ processed.append(self) ++ self.finish() ++ ++ channel = self.runRequest(httpRequest, MyRequest, success=False) ++ self.assertEqual( ++ channel.transport.value(), ++ b"HTTP/1.1 400 Bad Request\r\n\r\n", ++ ) ++ self.assertTrue(channel.transport.disconnecting) ++ self.assertEqual(processed, []) ++ ++ + def test_invalidNonAsciiMethod(self): + """ + When client sends invalid HTTP method containing +@@ -1478,45 +1505,24 @@ class ParsingTests(unittest.TestCase): + + def test_tooManyHeaders(self): + """ +- L{HTTPChannel} enforces a limit of C{HTTPChannel.maxHeaders} on the ++ C{HTTPChannel} enforces a limit of C{HTTPChannel.maxHeaders} on the + number of headers received per request. + """ +- processed = [] +- class MyRequest(http.Request): +- def process(self): +- processed.append(self) +- + requestLines = [b"GET / HTTP/1.0"] + for i in range(http.HTTPChannel.maxHeaders + 2): + requestLines.append(networkString("%s: foo" % (i,))) + requestLines.extend([b"", b""]) + +- channel = self.runRequest(b"\n".join(requestLines), MyRequest, 0) +- self.assertEqual(processed, []) +- self.assertEqual( +- channel.transport.value(), +- b"HTTP/1.1 400 Bad Request\r\n\r\n") ++ self.assertRequestRejected(requestLines) + + + def test_invalidContentLengthHeader(self): + """ +- If a Content-Length header with a non-integer value is received, a 400 +- (Bad Request) response is sent to the client and the connection is +- closed. ++ If a I{Content-Length} header with a non-integer value is received, ++ a 400 (Bad Request) response is sent to the client and the connection ++ is closed. + """ +- processed = [] +- class MyRequest(http.Request): +- def process(self): +- processed.append(self) +- self.finish() +- +- requestLines = [b"GET / HTTP/1.0", b"Content-Length: x", b"", b""] +- channel = self.runRequest(b"\n".join(requestLines), MyRequest, 0) +- self.assertEqual( +- channel.transport.value(), +- b"HTTP/1.1 400 Bad Request\r\n\r\n") +- self.assertTrue(channel.transport.disconnecting) +- self.assertEqual(processed, []) ++ self.assertRequestRejected([b"GET / HTTP/1.0", b"Content-Length: x", b"", b""]) + + + def test_invalidHeaderNoColon(self): +@@ -1524,24 +1530,12 @@ class ParsingTests(unittest.TestCase): + If a header without colon is received a 400 (Bad Request) response + is sent to the client and the connection is closed. + """ +- processed = [] +- class MyRequest(http.Request): +- def process(self): +- processed.append(self) +- self.finish() +- +- requestLines = [b"GET / HTTP/1.0", b"HeaderName ", b"", b""] +- channel = self.runRequest(b"\n".join(requestLines), MyRequest, 0) +- self.assertEqual( +- channel.transport.value(), +- b"HTTP/1.1 400 Bad Request\r\n\r\n") +- self.assertTrue(channel.transport.disconnecting) +- self.assertEqual(processed, []) ++ self.assertRequestRejected([b"GET / HTTP/1.0", b"HeaderName ", b"", b""]) + + + def test_headerLimitPerRequest(self): + """ +- L{HTTPChannel} enforces the limit of C{HTTPChannel.maxHeaders} per ++ C{HTTPChannel} enforces the limit of C{HTTPChannel.maxHeaders} per + request so that headers received in an earlier request do not count + towards the limit when processing a later request. + """ diff -Nru twisted-18.9.0/debian/patches/series twisted-18.9.0/debian/patches/series --- twisted-18.9.0/debian/patches/series 2018-12-07 10:23:30.000000000 +0000 +++ twisted-18.9.0/debian/patches/series 2020-03-16 16:51:10.000000000 +0000 @@ -13,3 +13,22 @@ 0013-Drop-test_givesMeaningfulErrorMessageIfNoCipherMatch.patch 0014-OpenSSL-may-not-use-ECDH-by-default-thus-drop-this-t.patch 0015-Fix-tests-to-expect-new-web-request-logging-format.patch +CVE-2019-12387.patch +CVE-2019-12855-01.patch +CVE-2019-12855-02.patch +CVE-2019-12855-03.patch +CVE-2019-12855-04.patch +CVE-2019-12855-05.patch +CVE-2019-12855-06.patch +CVE-2019-12855-07.patch +CVE-2019-12855-09.patch +CVE-2019-12855-10.patch +CVE-2019-12855-11.patch +CVE-2019-12855-12.patch +CVE-2019-12855-13.patch +CVE-2019-12855-14.patch +CVE-2019-12855-15.patch +CVE-2019-12855-17.patch +CVE-2019-951x.patch +CVE-2020-1010x-pre1.patch +CVE-2020-1010x.patch