Rooba
/
tornado
mirror of https://github.com/tornadoweb/tornado.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3388 from bdarnell/release-641 

Release notes and version bump for version 6.4.1
This commit is contained in:
Ben Darnell 2024-06-06 14:11:31 -04:00 committed by GitHub
parent d65f6e71a7 b7af4e8f5e
commit 2a0e1d13b5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 44 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
docs/releases.rst
View File

@ -4,6 +4,7 @@ Release notes
.. toctree::
:maxdepth: 2
releases/v6.4.1
releases/v6.4.0
releases/v6.3.3
releases/v6.3.2

41
docs/releases/v6.4.1.rst Normal file
View File

@ -0,0 +1,41 @@
What's new in Tornado 6.4.1
===========================
Jun 6, 2024
-----------
Security Improvements
~~~~~~~~~~~~~~~~~~~~~
- Parsing of the ``Transfer-Encoding`` header is now stricter. Unexpected transfer-encoding values
were previously ignored and treated as the HTTP/1.0 default of read-until-close. This can lead to
framing issues with certain proxies. We now treat any unexpected value as an error.
- Handling of whitespace in headers now matches the RFC more closely. Only space and tab characters
are treated as whitespace and stripped from the beginning and end of header values. Other unicode
whitespace characters are now left alone. This could also lead to framing issues with certain
proxies.
- ``tornado.curl_httpclient`` now prohibits carriage return and linefeed headers in HTTP headers
(matching the behavior of ``simple_httpclient``). These characters could be used for header
injection or request smuggling if untrusted data were used in headers.
General Changes
~~~~~~~~~~~~~~~
`tornado.iostream`
~~~~~~~~~~~~~~~~~~
- `.SSLIOStream` now understands changes to error codes from OpenSSL 3.2. The main result of this
change is to reduce the noise in the logs for certain errors.
``tornado.simple_httpclient``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- ``simple_httpclient`` now prohibits carriage return characters in HTTP headers. It had previously
prohibited only linefeed characters.
`tornado.testing`
~~~~~~~~~~~~~~~~~
- `.AsyncTestCase` subclasses can now be instantiated without being associated with a test
method. This improves compatibility with test discovery in Pytest 8.2.

4
tornado/__init__.py
View File

@ -22,8 +22,8 @@
# is zero for an official release, positive for a development branch,
# or negative for a release candidate or beta (after the base version
# number has been incremented)
version = "6.4"
version_info = (6, 4, 0, 0)
version = "6.4.1"
version_info = (6, 4, 0, 1)
import importlib
import typing