Release notes and version bump for version 6.4.1
bdarnell committed Jun 6, 2024
1 parent d65f6e7 commit b7af4e8
Showing 3 changed files with 44 additions and 2 deletions.
1 change: 1 addition & 0 deletions docs/releases.rst
@@ -4,6 +4,7 @@ Release notes
.. toctree::
:maxdepth: 2

releases/v6.4.1
releases/v6.4.0
releases/v6.3.3
releases/v6.3.2
41 changes: 41 additions & 0 deletions docs/releases/v6.4.1.rst
@@ -0,0 +1,41 @@
What's new in Tornado 6.4.1
===========================

Jun 6, 2024
-----------

Security Improvements
~~~~~~~~~~~~~~~~~~~~~

- Parsing of the ``Transfer-Encoding`` header is now stricter. Unexpected transfer-encoding values
were previously ignored and treated as the HTTP/1.0 default of read-until-close. This can lead to
framing issues with certain proxies. We now treat any unexpected value as an error.
- Handling of whitespace in headers now matches the RFC more closely. Only space and tab characters
are treated as whitespace and stripped from the beginning and end of header values. Other unicode
whitespace characters are now left alone. This could also lead to framing issues with certain
proxies.
- ``tornado.curl_httpclient`` now prohibits carriage return and linefeed headers in HTTP headers
(matching the behavior of ``simple_httpclient``). These characters could be used for header
injection or request smuggling if untrusted data were used in headers.

General Changes
~~~~~~~~~~~~~~~

`tornado.iostream`
~~~~~~~~~~~~~~~~~~

- `.SSLIOStream` now understands changes to error codes from OpenSSL 3.2. The main result of this
change is to reduce the noise in the logs for certain errors.

``tornado.simple_httpclient``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- ``simple_httpclient`` now prohibits carriage return characters in HTTP headers. It had previously
prohibited only linefeed characters.

`tornado.testing`
~~~~~~~~~~~~~~~~~

- `.AsyncTestCase` subclasses can now be instantiated without being associated with a test
method. This improves compatibility with test discovery in Pytest 8.2.
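
Review bot: In the third Security Improvements bullet, "prohibits carriage return and linefeed headers in HTTP headers" should read "carriage return and linefeed characters in HTTP headers", matching the wording of the simple_httpclient bullet further down. In the whitespace bullet, "This could also lead to framing issues" directly follows the description of the new behavior, so it reads as if the fix causes the problem; state explicitly that the previous stripping of other unicode whitespace is what could cause framing issues. The "General Changes" heading has no content and uses the same "~" underline as the module headings after it, so it renders as an empty sibling section; either drop it or give it something to contain.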

4 changes: 2 additions & 2 deletions tornado/__init__.py
@@ -22,8 +22,8 @@
# is zero for an official release, positive for a development branch,
# or negative for a release candidate or beta (after the base version
# number has been incremented)
version = "6.4"
version_info = (6, 4, 0, 0)
version = "6.4.1"
version_info = (6, 4, 0, 1)

import importlib
import typing
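
Review bot: The new version_info = (6, 4, 0, 1) does not match version = "6.4.1": the patch number lands in the fourth slot while the third stays 0. The context comment just above says a field "is zero for an official release, positive for a development branch", and if that refers to the last element, this tuple marks the release as a development build. It also means a caller checking version_info >= (6, 4, 1) gets False on this release. Suggest version_info = (6, 4, 1, 0), or a note in the comment explaining why the fourth element is being used for the patch level.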