From b7af4e8f5ee578b78e1be5ade43fdb1103659a0e Mon Sep 17 00:00:00 2001
From: Ben Darnell
Date: Thu, 6 Jun 2024 13:56:41 -0400
Subject: [PATCH] Release notes and version bump for version 6.4.1

---
 docs/releases.rst | 1 +
 docs/releases/v6.4.1.rst | 41 ++++++++++++++++++++++++++++++++++++++++
 tornado/__init__.py | 4 ++--
 3 files changed, 44 insertions(+), 2 deletions(-)
 create mode 100644 docs/releases/v6.4.1.rst

diff --git a/docs/releases.rst b/docs/releases.rst
index da8dd597..8a0fad4c 100644
--- a/docs/releases.rst
+++ b/docs/releases.rst
@@ -4,6 +4,7 @@ Release notes
 .. toctree::
 :maxdepth: 2
 
+ releases/v6.4.1
 releases/v6.4.0
 releases/v6.3.3
 releases/v6.3.2
diff --git a/docs/releases/v6.4.1.rst b/docs/releases/v6.4.1.rst
new file mode 100644
index 00000000..8d72b2b2
--- /dev/null
+++ b/docs/releases/v6.4.1.rst
@@ -0,0 +1,41 @@
+What's new in Tornado 6.4.1
+===========================
+
+Jun 6, 2024
+-----------
+
+Security Improvements
+~~~~~~~~~~~~~~~~~~~~~
+
+- Parsing of the ``Transfer-Encoding`` header is now stricter. Unexpected transfer-encoding values
+ were previously ignored and treated as the HTTP/1.0 default of read-until-close. This can lead to
+ framing issues with certain proxies. We now treat any unexpected value as an error.
+- Handling of whitespace in headers now matches the RFC more closely. Only space and tab characters
+ are treated as whitespace and stripped from the beginning and end of header values. Other unicode
+ whitespace characters are now left alone. This could also lead to framing issues with certain
+ proxies.
+- ``tornado.curl_httpclient`` now prohibits carriage return and linefeed headers in HTTP headers
+ (matching the behavior of ``simple_httpclient``). These characters could be used for header
+ injection or request smuggling if untrusted data were used in headers.
+
+General Changes
+~~~~~~~~~~~~~~~
+
+`tornado.iostream`
+~~~~~~~~~~~~~~~~~~
+
+- `.SSLIOStream` now understands changes to error codes from OpenSSL 3.2. The main result of this
+ change is to reduce the noise in the logs for certain errors.
+
+``tornado.simple_httpclient``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- ``simple_httpclient`` now prohibits carriage return characters in HTTP headers. It had previously
+ prohibited only linefeed characters.
+
+`tornado.testing`
+~~~~~~~~~~~~~~~~~
+
+- `.AsyncTestCase` subclasses can now be instantiated without being associated with a test
+ method. This improves compatibility with test discovery in Pytest 8.2.
+
diff --git a/tornado/__init__.py b/tornado/__init__.py
index a0ae714d..f542de35 100644
--- a/tornado/__init__.py
+++ b/tornado/__init__.py
@@ -22,8 +22,8 @@
 # is zero for an official release, positive for a development branch,
 # or negative for a release candidate or beta (after the base version
 # number has been incremented)
-version = "6.4"
-version_info = (6, 4, 0, 0)
+version = "6.4.1"
+version_info = (6, 4, 0, 1)
 
 import importlib
 import typing
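Review bot: The new `version_info = (6, 4, 0, 1)` contradicts the tuple layout the context comment directly above it describes — the third element is the micro version and the fourth is zero for an official release, positive for a development branch — so this value encodes a 6.4.0 development build, while the `version` string on the preceding line says "6.4.1". Because this is a security release (the Transfer-Encoding and header-CRLF hardening listed in the accompanying release notes), downstream code that gates on `tornado.version_info >= (6, 4, 1)` to confirm the fixes are present will evaluate false on exactly the release that contains them. The line should be `version_info = (6, 4, 1, 0)`, in the same shape as the `(6, 4, 0, 0)` it replaces.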