
Version 6.3.3 #3307

Merged
merged 4 commits into from
Aug 11, 2023

Conversation

bdarnell
Member

No description provided.

Content-length and chunk size parsing now strictly matches the RFCs.
We previously used the python int() function which accepted leading
plus signs and internal underscores, which are not allowed by the
HTTP RFCs (it also accepts minus signs, but these are less problematic
in this context since they'd result in errors elsewhere)

It is important to fix this because when combined with certain proxies,
the lax parsing could result in a request smuggling vulnerability (if
both Tornado and the proxy accepted an invalid content-length but
interpreted it differently). This is known to occur with old versions
of haproxy, although the current version of haproxy is unaffected.

The GitHub security advisory feature lets you make private PRs but
it apparently doesn't support CI so this log failure wasn't caught
until after the PR was merged.
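The parsing difference the commit message describes, as an added example that is not Tornado's own code: Python's `int()` accepts a leading `+`, internal underscores and surrounding whitespace, while the RFC grammar is `Content-Length = 1*DIGIT` and `chunk-size = 1*HEXDIG`. The `strict_*` functions below are a hypothetical illustration of RFC-strict parsing, not the implementation in the PR, and `compare()` flags the inputs on which a lax and a strict parser would disagree about message framing.

```python
import re

# RFC 9110: Content-Length = 1*DIGIT (ASCII digits only; \d would also match
# Unicode digits, and fullmatch avoids '$' matching before a trailing newline)
_CONTENT_LENGTH_RE = re.compile(r"[0-9]+")
# RFC 9112: chunk-size = 1*HEXDIG; chunk extensions follow a ';'
_CHUNK_SIZE_RE = re.compile(r"[0-9A-Fa-f]+")


def lax_content_length(value: str) -> int:
    """Pre-fix behaviour: int() accepts '+5', '1_0', ' 5 ' and '-5'."""
    return int(value)


def strict_content_length(value: str) -> int:
    """Accept only 1*DIGIT; raise ValueError for anything else."""
    if not _CONTENT_LENGTH_RE.fullmatch(value):
        raise ValueError(f"invalid Content-Length: {value!r}")
    return int(value)


def strict_chunk_size(line: str) -> int:
    """Parse the chunk-size token of a chunked-encoding size line.

    The chunk-extension part (after ';') is dropped before checking the
    token against 1*HEXDIG. Note that int(token, 16) alone would also
    accept '0x1f' and '1_f', which the grammar does not allow.
    """
    size_token = line.split(";", 1)[0]
    if not _CHUNK_SIZE_RE.fullmatch(size_token):
        raise ValueError(f"invalid chunk-size: {size_token!r}")
    return int(size_token, 16)


def compare(value: str) -> dict:
    """Report whether lax and strict Content-Length parsing agree.

    'disagree' is True when int() accepts a value the grammar rejects:
    exactly the inputs on which two HTTP implementations may frame a
    message differently.
    """
    result = {"lax": None, "strict": None}
    try:
        result["lax"] = lax_content_length(value)
    except ValueError:
        pass
    try:
        result["strict"] = strict_content_length(value)
    except ValueError:
        pass
    result["disagree"] = result["lax"] is not None and result["strict"] is None
    return result
```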
@bdarnell bdarnell changed the title Branch6.3 Version 6.3.3 Aug 11, 2023
@bdarnell bdarnell merged commit e4d6984 into tornadoweb:branch6.3 Aug 11, 2023