Announcing Tornado 6.3.3

[Ben Darnell]

I've just released Tornado 6.3.3. This release improves parsing of the Content-Length header and chunked Transfer-Encoding chunk sizes to more strictly match the RFCs and avoid a potential request smuggling vulnerability when deployed behind certain proxies. 

Release notes are at https://www.tornadoweb.org/en/stable/releases/v6.3.3.html

Thanks to Ben Kallus for finding and reporting this issue.

-Ben

[Jack Hegman]

Hi Ben,

Just stated with Tornado and loving it so far. I ran into the "task was destroyed but it's pending message" yesterday and it's causing some performance issues on our application where requests are stuck pending until timing out. I've tested your fix: https://github.com/tornadoweb/tornado/pull/3269 and it's solved our problem. I'm wondering if there are plans to bring that commit over to the 6.3 branch, so it is included in the pip package? I'm happy to open a PR for this, but not sure how you decide what to include in each release and if this is in scope.

Thanks for all your hard work!

Jack

[Ben Darnell]

It's about time for the next full release. There's a lot of changes related to Python 3.12 compatibility so we need to release Tornado 6.4 before Python 3.12 in October, so I'll start preparing that release soon. 

-Ben

--
You received this message because you are subscribed to the Google Groups "Tornado Web Server" group.
To unsubscribe from this group and stop receiving emails from it, send an email to python-tornad...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/python-tornado/42f974fc-49db-4819-a75b-92a89a722ef0n%40googlegroups.com.