[Twisted-Python] Twisted 19.2.0rc1 Release Candidate Announcement
Hello from PyCascades!

Straight from the Pacific North-West, a new Twisted release candidate! In this release, there is:

- twisted.web.client.HostnameCachingHTTPSPolicy was added as a new contextFactory option. This reduces the performance overhead for making many TLS connections to the same host.
- twisted.conch.ssh.keys can now read private keys in the new "openssh-key-v1" format, introduced in OpenSSH 6.5 and made the default in OpenSSH 7.8.
- The sample code in the "Twisted Web In 60 Seconds" tutorial runs on Python 3.
- DeferredLock and DeferredSemaphore can be used as asynchronous context managers on Python 3.5+.
- twisted.internet.ssl.CertificateOptions now uses 32 random bytes instead of an MD5 hash for the ssl session identifier context.
- twisted.python.failure.Failure.getTracebackObject now returns traceback objects whose frames can be passed into traceback.print_stack for better debugging of where the exception came from.
- Much more! 20+ tickets closed overall.

You can get the tarball and the NEWS file at https://twistedmatrix.com/Releases/rc/19.2.0rc1/ , or you can try it out from PyPI:

    python -m pip install Twisted==19.2.0rc1

Please test it, and let me know how your applications fare, good or bad! If nothing comes up, 19.2 will release in a week.

Twisted regards,
Amber Brown (hawkowl)
Hi Amber,

I wanted to make sure you've seen this: https://twistedmatrix.com/trac/ticket/9592

Twisted now references a symbol not present in its minimal cryptography requirement.

---Tom

On February 24, 2019 11:19:28 AM PST, Amber Brown <hawkowl@atleastfornow.net> wrote:
Another note:
twisted.web.client.Request and twisted.web.client.HTTPClient were both vulnerable to header injection attacks. They now replace linear whitespace ('r', 'n', and 'rn') with a single space. (#9421)
Headers now assumes the value is a list of string (or bytes). It used to accept a list of arbitrary values. When using the twisted.web resource model (the IRequest.setHeader API) the value would be coerced.

This change actually broke some of my tests, though not any production code. I was passing a list where a scalar string was required (this, precisely: https://github.com/twisted/treq/pull/237). The result was a response with a header like:

    Foo: ['value']

That's not a useful feature in this case so I am happy to have caught the bug but it does seem like there may be real-world code this breaks. For example, request.setHeader('Retry-After', 10) would produce a valid header.

(Also the release note seems to be missing some backslashes in the bit I quoted.)

---Tom
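
Added example, not part of the thread and not Twisted's own code: a standalone Python illustration of the behaviour the quoted release note describes (CR, LF and CRLF in a header component replaced by a single space), next to the `str()` coercion that yields `Foo: ['value']`. All function names and the sample headers are constructed for illustration, and rejecting non-str/bytes values with `TypeError` is an assumption of this example.

```python
import re

# CR, LF or CRLF; CRLF is listed first so it collapses to ONE space.
_LINE_BREAK = re.compile(rb"\r\n|\r|\n")


def sanitize_header_component(component: bytes) -> bytes:
    """Replace every CR, LF or CRLF with a single space."""
    return _LINE_BREAK.sub(b" ", component)


def encode_component(value) -> bytes:
    """Accept only str or bytes (assumed policy); never coerce other types."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    if not isinstance(value, bytes):
        raise TypeError(
            f"header component must be str or bytes, got {type(value).__name__}"
        )
    return sanitize_header_component(value)


def serialize_headers(headers, sanitize=True) -> bytes:
    """Serialize {name: [values]} to wire format, one line per value."""
    out = []
    for name, values in headers.items():
        for value in values:
            if sanitize:
                line = encode_component(name) + b": " + encode_component(value)
            else:
                # Naive str() coercion with no line-break handling.
                line = f"{name}: {value}".encode("utf-8")
            out.append(line + b"\r\n")
    return b"".join(out)


def header_names_on_wire(wire: bytes):
    """Header names a receiver sees when it splits the bytes on CRLF."""
    return [line.split(b":", 1)[0] for line in wire.split(b"\r\n") if line]


# Constructed sample: one value carrying an embedded CRLF and a second header.
TAINTED = {"Accept-Language": ["en\r\nX-Injected: 1"]}

if __name__ == "__main__":
    print(header_names_on_wire(serialize_headers(TAINTED, sanitize=False)))
    print(header_names_on_wire(serialize_headers(TAINTED)))
    print(serialize_headers({"Foo": [["value"]]}, sanitize=False))
```

Under the strict policy assumed here, an integer value such as the `Retry-After` case above raises `TypeError` rather than being coerced, so callers have to pass `'10'`.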
participants (3): Amber Brown, Glyph, Tom Most