-
Notifications
You must be signed in to change notification settings - Fork 5.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Release notes and version bump for version 6.4.1
- Loading branch information
Showing
3 changed files
with
44 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
What's new in Tornado 6.4.1 | ||
=========================== | ||
|
||
Jun 6, 2024 | ||
----------- | ||
|
||
Security Improvements | ||
~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
- Parsing of the ``Transfer-Encoding`` header is now stricter. Unexpected transfer-encoding values | ||
were previously ignored and treated as the HTTP/1.0 default of read-until-close. This can lead to | ||
framing issues with certain proxies. We now treat any unexpected value as an error. | ||
- Handling of whitespace in headers now matches the RFC more closely. Only space and tab characters | ||
are treated as whitespace and stripped from the beginning and end of header values. Other unicode | ||
whitespace characters are now left alone. This could also lead to framing issues with certain | ||
proxies. | ||
- ``tornado.curl_httpclient`` now prohibits carriage return and linefeed headers in HTTP headers | ||
(matching the behavior of ``simple_httpclient``). These characters could be used for header | ||
injection or request smuggling if untrusted data were used in headers. | ||
|
||
General Changes | ||
~~~~~~~~~~~~~~~ | ||
|
||
`tornado.iostream` | ||
~~~~~~~~~~~~~~~~~~ | ||
|
||
- `.SSLIOStream` now understands changes to error codes from OpenSSL 3.2. The main result of this | ||
change is to reduce the noise in the logs for certain errors. | ||
|
||
``tornado.simple_httpclient`` | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
- ``simple_httpclient`` now prohibits carriage return characters in HTTP headers. It had previously | ||
prohibited only linefeed characters. | ||
|
||
`tornado.testing` | ||
~~~~~~~~~~~~~~~~~ | ||
|
||
- `.AsyncTestCase` subclasses can now be instantiated without being associated with a test | ||
method. This improves compatibility with test discovery in Pytest 8.2. | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters