Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1…
GitHub_M·CWE-444·Published 2022-04-04
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
The Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230:

1. The Content-Length header value could have a `+` or `-` prefix.
2. Illegal characters were permitted in chunked extensions, such as the LF (`\n`) character.
3. Chunk lengths, which are expressed in hexadecimal format, could have a prefix of `0x`.
4. HTTP headers were stripped of all leading and trailing ASCII whitespace, rather than only space and HTAB (`\t`).

This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling.

### Impact

You may be affected if:

1. You use Twisted Web's HTTP 1.1 server and/or proxy
2. You also pass requests through a different HTTP server and/or proxy

The specifics of the other HTTP parser matter. The original report notes that some versions of Apache Traffic Server and HAProxy have been vulnerable in the past. HTTP request smuggling may be a serious concern if you use a proxy to perform request validation or access control.

The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected.

### Patches

The issue has been addressed in Twisted 22.4.0rc1 and later.

### Workarounds

Other than upgrading Twisted, you could:

* Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them
* Filter malformed requests by other means, such as configuration of an upstream proxy

### Credits

This issue was initially reported by [Zhang Zeyu](https://github.com/zeyu2001).
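The four lenient constructs above are exactly the kind of thing the "filter malformed requests by other means" workaround has to catch at the front door. The following is an added example, not code from Twisted or from the advisory: a small strict-RFC 7230 linter that rejects a signed Content-Length, a `0x` chunk-size prefix, illegal characters (including a bare LF) in chunk extensions, and field values bordered by whitespace other than SP/HTAB. The sample requests are constructed for the example; `lint_request`, `check_*` and the `example.test` host are assumed names.

```python
"""Strict RFC 7230 checks for the four lenient constructs listed in the advisory.

Each check returns None when the input is conformant and a short reason
string otherwise, so a front-end filter can reject the request outright
instead of guessing how a second parser downstream would read it.
"""
import re

# RFC 7230 section 3.3.2: Content-Length = 1*DIGIT. No sign, no "0x", nothing else.
# \A/\Z are used instead of ^/$ because $ would still match before a trailing LF.
_CONTENT_LENGTH = re.compile(rb"\A[0-9]+\Z")

# RFC 7230 section 4.1.1: chunk-size = 1*HEXDIG, optionally followed by
#   chunk-ext = *( ";" chunk-ext-name [ "=" chunk-ext-val ] )
# tchar and quoted-string are taken from the RFC's ABNF; LF is in neither.
_TCHAR = rb"[!#$%&'*+.^_`|~0-9A-Za-z-]"
_QUOTED_STRING = rb'"(?:[\t \x21\x23-\x5B\x5D-\x7E]|\\[\t \x21-\x7E])*"'
_CHUNK_LINE = re.compile(
    rb"\A[0-9A-Fa-f]+(?:;" + _TCHAR + rb"+(?:=(?:" + _TCHAR + rb"+|" + _QUOTED_STRING + rb"))?)*\Z"
)

# RFC 7230 section 3.2.3: OWS is only SP and HTAB.
_OWS = b" \t"


def check_content_length(raw_value):
    """Reject b'+5' / b'-5', which int() would happily parse as 5 / -5."""
    if not _CONTENT_LENGTH.match(raw_value.strip(_OWS)):
        return "Content-Length is not 1*DIGIT"
    return None


def check_header_whitespace(raw_value):
    """Only SP/HTAB may border a field value. VT, FF, CR or LF at the edges
    are rejected rather than silently trimmed (bytes.strip() with no argument
    removes all six ASCII whitespace bytes, which is the lenient behaviour)."""
    trimmed = raw_value.strip(_OWS)
    if trimmed != trimmed.strip():
        return "field value bordered by whitespace other than SP/HTAB"
    return None


def check_chunk_size_line(line):
    """`line` is a chunk-size line without its terminating CRLF. A '0x' prefix
    fails the HEXDIG rule and a bare LF fails the chunk-ext grammar."""
    if not _CHUNK_LINE.match(line):
        return "chunk-size line is not conformant: %r" % line
    return None


def lint_request(raw):
    """Run every check over a raw HTTP/1.1 request (bytes). Returns a list of
    reasons; an empty list means none of the four lenient constructs is present."""
    problems = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["request head is not terminated by CRLF CRLF"]
    chunked = False
    for line in head.split(b"\r\n")[1:]:          # skip the request-line
        name, colon, value = line.partition(b":")
        if not colon:
            problems.append("header line without colon: %r" % line)
            continue
        reason = check_header_whitespace(value)
        if reason:
            problems.append(reason)
        lname = name.strip(_OWS).lower()
        value = value.strip(_OWS)
        if lname == b"content-length":
            reason = check_content_length(value)
            if reason:
                problems.append(reason)
        elif lname == b"transfer-encoding" and b"chunked" in value.lower():
            chunked = True
    if chunked:
        pos = 0
        while True:
            end = body.find(b"\r\n", pos)
            if end < 0:
                problems.append("chunk-size line not terminated by CRLF")
                break
            size_line = body[pos:end]
            reason = check_chunk_size_line(size_line)
            if reason:          # stop: int(b"0x5", 16) == 5 would otherwise "work"
                problems.append(reason)
                break
            size = int(size_line.split(b";", 1)[0], 16)
            if size == 0:       # last-chunk; trailers are not inspected here
                break
            pos = end + 2 + size + 2   # skip chunk-data and its CRLF
    return problems


# Constructed sample requests (not taken from the advisory): one conformant
# request and one exhibiting each lenient construct.
GOOD = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n"
        b"5;ext=1\r\nhello\r\n0\r\n\r\n")
SIGNED_CL = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: +5\r\n\r\nhello"
HEX_PREFIX = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n0x5\r\nhello\r\n0\r\n\r\n")
LF_IN_EXT = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n5;a\nb\r\nhello\r\n0\r\n\r\n")
VT_AROUND = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Token:\x0bsecret\x0c\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("signed CL", SIGNED_CL), ("0x chunk", HEX_PREFIX),
                       ("LF in ext", LF_IN_EXT), ("VT/FF around value", VT_AROUND)]:
        print(label, "->", lint_request(req) or "conformant")
```

The point of rejecting rather than normalising is that normalisation is where parsers disagree: one hop that trims a VT, accepts `+5`, or reads `0x5` as five will frame the stream differently from a hop that does not, and that difference is the desync the advisory describes. A filter that refuses all four constructs leaves nothing for two parsers to disagree about.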
Twisted is an event-based framework for Internet applications, supporting Python version 3.6+. In versions up to 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the "twisted.web.http" module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to a desynchronization if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP version 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP version 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two mitigation measures are available: ensure that any vulnerability in upstream proxies has been addressed, for example by updating them; or filter malformed requests by other means, such as configuring an upstream proxy.
| CVSS Version | Type | Source | Base Score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 6.8 | 8.6 | 6.4 | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| 3.1 | Primary | NVD | 8.1 | 2.2 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Primary | cve.org | 8.1 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | GHSA | 8.1 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | NVD | 8.1 | 2.2 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 4.0 | Secondary | GHSA | 9.2 | — | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |