Merge pull request #3388 from bdarnell/release-641

Release notes and version bump for version 6.4.1
tornadoweb · Jun 6, 2024 · 2a0e1d1 · 2a0e1d1
2 parents d65f6e7 + b7af4e8
commit 2a0e1d1
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 2 deletions.
diff --git a/docs/releases.rst b/docs/releases.rst
@@ -4,6 +4,7 @@ Release notes
 .. toctree::
    :maxdepth: 2
 
+   releases/v6.4.1
    releases/v6.4.0
    releases/v6.3.3
    releases/v6.3.2

diff --git a/docs/releases/v6.4.1.rst b/docs/releases/v6.4.1.rst
@@ -0,0 +1,41 @@
+What's new in Tornado 6.4.1
+===========================
+
+Jun 6, 2024
+-----------
+
+Security Improvements
+~~~~~~~~~~~~~~~~~~~~~
+
+- Parsing of the ``Transfer-Encoding`` header is now stricter. Unexpected transfer-encoding values
+  were previously ignored and treated as the HTTP/1.0 default of read-until-close. This can lead to
+  framing issues with certain proxies. We now treat any unexpected value as an error.
+- Handling of whitespace in headers now matches the RFC more closely. Only space and tab characters
+  are treated as whitespace and stripped from the beginning and end of header values. Other unicode
+  whitespace characters are now left alone. This could also lead to framing issues with certain
+  proxies. 
+- ``tornado.curl_httpclient`` now prohibits carriage return and linefeed headers in HTTP headers
+  (matching the behavior of ``simple_httpclient``). These characters could be used for header
+  injection or request smuggling if untrusted data were used in headers.
+
+General Changes
+~~~~~~~~~~~~~~~
+
+`tornado.iostream`
+~~~~~~~~~~~~~~~~~~
+
+- `.SSLIOStream` now understands changes to error codes from OpenSSL 3.2. The main result of this
+  change is to reduce the noise in the logs for certain errors.
+
+``tornado.simple_httpclient``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- ``simple_httpclient`` now prohibits carriage return characters in HTTP headers. It had previously
+  prohibited only linefeed characters.
+
+`tornado.testing`
+~~~~~~~~~~~~~~~~~
+
+- `.AsyncTestCase` subclasses can now be instantiated without being associated with a test
+  method. This improves compatibility with test discovery in Pytest 8.2.
+
diff --git a/tornado/__init__.py b/tornado/__init__.py
@@ -22,8 +22,8 @@
 # is zero for an official release, positive for a development branch,
 # or negative for a release candidate or beta (after the base version
 # number has been incremented)
-version = "6.4"
-version_info = (6, 4, 0, 0)
+version = "6.4.1"
+version_info = (6, 4, 0, 1)
 
 import importlib
 import typing