Permalink
...
- 6 commits
- 6 files changed
- 1 contributor
Commits on May 14, 2023
Commits on Aug 11, 2023
http1connection: Make content-length parsing more strict
Content-length and chunk size parsing now strictly matches the RFCs. We previously used the python int() function which accepted leading plus signs and internal underscores, which are not allowed by the HTTP RFCs (it also accepts minus signs, but these are less problematic in this context since they'd result in errors elsewhere) It is important to fix this because when combined with certain proxies, the lax parsing could result in a request smuggling vulnerability (if both Tornado and the proxy accepted an invalid content-length but interpreted it differently). This is known to occur with old versions of haproxy, although the current version of haproxy is unaffected.
bdarnell committedAug 11, 2023 httpserver_test: Add ExpectLog to fix CI
The security advisory feature lets you make private PRs but it apparently doesn't support CI so this log failure wasn't caught until after the PR was merged.
bdarnell committedAug 11, 2023 - bdarnell committed
Aug 11, 2023 ci: Don't test py312 in branch6.3
bdarnell committedAug 11, 2023
Loading
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:git diff v6.3.2...v6.3.3
Uh oh!
There was an error while loading. Please reload this page.