Comparing changes

base repository: tornadoweb/tornado, base: master
head repository: tornadoweb/tornado, compare: branch6.3

  • 8 commits
  • 8 files changed
  • 1 contributor

Commits on May 14, 2023

  1. web: Fix an open redirect in StaticFileHandler

    Under some configurations the default_filename redirect could be exploited
    to redirect to an attacker-controlled site. This change refuses to redirect
    to URLs that could be misinterpreted.
    
    A test case for the specific vulnerable configuration will follow after the
    patch has been available.
    bdarnell committed May 14, 2023 (32ad07c)
  2. Version 6.3.2

    bdarnell committed May 14, 2023 (34f5c1c)
  3. Merge pull request #3267 from bdarnell/branch6.3

    Version 6.3.2
    bdarnell authored May 14, 2023 (e3aa6c5)

Commits on Aug 11, 2023

  1. http1connection: Make content-length parsing more strict

    Content-length and chunk size parsing now strictly matches the RFCs.
    We previously used the python int() function which accepted leading
    plus signs and internal underscores, which are not allowed by the
    HTTP RFCs (it also accepts minus signs, but these are less problematic
    in this context since they'd result in errors elsewhere).
    
    It is important to fix this because when combined with certain proxies,
    the lax parsing could result in a request smuggling vulnerability (if
    both Tornado and the proxy accepted an invalid content-length but
    interpreted it differently). This is known to occur with old versions
    of haproxy, although the current version of haproxy is unaffected.
    bdarnell committed Aug 11, 2023 (217295b)
  2. httpserver_test: Add ExpectLog to fix CI

    The github security advisory feature lets you make private PRs but
    it apparently doesn't support CI so this log failure wasn't caught
    until after the PR was merged.
    bdarnell committed Aug 11, 2023 (7dfe8b5)
  3. Set version to 6.3.3

    bdarnell committed Aug 11, 2023 (5c8a9a4)
  4. 6a9e6fb
  5. Merge pull request #3307 from bdarnell/branch6.3

    Version 6.3.3
    bdarnell authored Aug 11, 2023 (e4d6984)
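The content-length commit above (217295b) replaces `int()` with RFC-strict parsing. The following is an added illustration, not Tornado's code: a strict parser for Content-Length (RFC 9110: `1*DIGIT`) and chunk-size (RFC 9112: `1*HEXDIG`) beside the lax `int()` behaviour, plus a helper that lists the header values on which the two disagree, which is exactly the condition a proxy chain must never be allowed to reach. Function names and the sample values are my own.

```python
import re
from typing import List, Optional

# RFC 9110: Content-Length = 1*DIGIT; RFC 9112: chunk-size = 1*HEXDIG.
# Byte patterns with fullmatch() so only ASCII digits/hex digits pass:
# no sign, no surrounding whitespace, no '_' separators, no trailing newline.
_CONTENT_LENGTH_RE = re.compile(rb"[0-9]+")
_CHUNK_SIZE_RE = re.compile(rb"[0-9a-fA-F]+")


def parse_content_length(value: bytes) -> Optional[int]:
    """Strict Content-Length: return the length, or None to reject the request."""
    if not _CONTENT_LENGTH_RE.fullmatch(value):
        return None
    return int(value.decode("ascii"), 10)


def parse_chunk_size(value: bytes) -> Optional[int]:
    """Strict chunk-size: return the size, or None to reject the chunk."""
    if not _CHUNK_SIZE_RE.fullmatch(value):
        return None
    return int(value.decode("ascii"), 16)


def lax_content_length(value: bytes) -> Optional[int]:
    """Pre-fix behaviour: Python's int() tolerates '+42', '4_2', ' 42' and '-42'."""
    try:
        return int(value)
    except ValueError:
        return None


def disagreements(samples: List[bytes]) -> List[bytes]:
    """Values a lax parser accepts but the strict one rejects.

    If one hop in a proxy chain accepts such a value and another rejects or
    reinterprets it, the hops can disagree on where the message body ends,
    which is the request-smuggling condition the commit message describes.
    """
    return [s for s in samples
            if lax_content_length(s) is not None and parse_content_length(s) is None]


# Constructed sample header values (not taken from the page).
SAMPLES = [b"42", b"+42", b"4_2", b" 42", b"-42", b"0x2a", b""]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "lax:", lax_content_length(s), "strict:", parse_content_length(s))
    print("disagreements:", disagreements(SAMPLES))
```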