--- /dev/null
+What's new in Tornado 6.5.6
+===========================
+
+May 27, 2026
+------------
+
+Security fixes
+~~~~~~~~~~~~~~
+
+- ``SimpleAsyncHTTPClient`` now strips the ``Authorization`` and ``Cookie`` headers from the request
+ when following a redirect to a different origin. This matches the default behavior of
+ ``CurlAsyncHTTPClient``. Applications that need different behavior here can set
+ ``follow_redirects=False`` and handle redirects manually. Thanks to [Yannick
+ Wang](https://github.com/noobone123) for being first to report this issue, as well as additional
+ reporters [Kai Aizen](https://github.com/SnailSploit), [HunSec](https://github.com/0xHunSec), and
+ [Thai Son Dinh](https://github.com/sondt99).
+- ``SimpleAsyncHTTPClient`` now enforces ``max_body_size`` on the decompressed size of the response,
+ rather than the compressed size. This prevents a denial-of-service attack via a very large
+ compressed response. Thanks to [Yuichiro Kedashiro](https://github.com/yuui25) for reporting this
+ issue.
+- Fixed a bug in the C extension that could have read up to three bytes past the end of an input
+ array. Thanks to [Thai Son Dinh](https://github.com/sondt99) for reporting this issue.
+- ``OpenIDMixin`` has improved parsing for the ``check_authentication`` response. Thanks to
+ [Yannick Wang](https://github.com/noobone123) for reporting this issue.
+
+Bug fixes
+~~~~~~~~~
+
+- ``CurlAsyncHTTPClient`` has been updated to use non-deprecated APIs, avoiding deprecation
+ warnings with recent versions of ``pycurl``.
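Review bot: The reporter credits in the "Security fixes" list use Markdown link syntax, e.g. [Yannick Wang](https://github.com/noobone123), while the rest of the file is reStructuredText (``double-backtick`` literals, === and ~~~ heading underlines), so these will be rendered as literal bracketed text rather than hyperlinks. Suggest switching each credit to the RST form, `Yannick Wang <https://github.com/noobone123>`_, and likewise for the other reporters. Two smaller points on the same list: the continuation lines of each bullet appear indented by one space, whereas RST expects them aligned with the text after "- " (two spaces), which is worth checking in a docs build. Also, the C extension entry says only "an input array"; naming the affected function or module would let users judge whether they are exposed.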