Ben Darnell [Wed, 27 May 2026 01:30:28 +0000 (21:30 -0400)]
simple_httpclient: Strip auth headers on cross-origin redirects
When following a redirect to a different origin (scheme, host, or port),
auth-related headers (Authorization and Cookie) should be stripped to
avoid exposing them to the new host.
Ben Darnell [Tue, 26 May 2026 17:39:53 +0000 (13:39 -0400)]
http1connection: Enforce max_body_size in _GzipMessageDelegate
This ensures we limit the post-decompression size of the body, and not
only the compressed size (which is enforced via the Content-Length
header at header-processing time).
This previously used substring search, which is incorrect, although
unlikely to be a vulnerability because there are no free-form text
fields allowed in this response format.
mokashang [Tue, 19 May 2026 16:22:52 +0000 (09:22 -0700)]
test/process: run test_multi_process in a clean subprocess
When `python3 -m tornado.test` is run in an environment where some test
earlier in the suite has left a thread running, the `os.fork()` inside
`fork_processes()` triggers `DeprecationWarning: This process (pid=...)
is multi-threaded, use of fork() may lead to deadlocks in the child` on
Python 3.12+. The test suite turns DeprecationWarnings from tornado
into errors, so `test_multi_process` then fails. This has been observed
in the Fedora rpm build of tornado on Python 3.15.0b1 (#3623), where it
does not reproduce under tox.
Rather than chase down every thread leak across the suite, isolate
`test_multi_process` so it always starts from a single-threaded state.
The actual fork-and-serve logic is moved into a script string that is
executed via `python -c` in a fresh interpreter, following the pattern
established in autoreload_test for tests that need a clean process. The
outer test method just launches the subprocess and asserts a clean
exit. PYTHONPATH is propagated so the source tree under test is
importable. The script keeps the existing `signal.alarm(5)` timers and
`subprocess.run(timeout=30)` is added as a backstop in case the script
hangs in a way the alarms don't catch.
Tested locally on macOS / Python 3.13 with the full suite plus a
deliberately leaked thread before the test to confirm the new isolation
holds. The `tearDown` / `get_app` helpers and the `asyncio`, `logging`,
and HTTP-related top-level imports are no longer needed and are
removed.
Ben Darnell [Fri, 20 Mar 2026 15:18:03 +0000 (11:18 -0400)]
ci: Update versions of github actions
These actions are generating deprecation warnings due to an old node.js
version, and for some reason github marks this upgrade as a major
version change even when there is no behavior change.
Ben Darnell [Fri, 20 Mar 2026 01:36:17 +0000 (21:36 -0400)]
ci: Build wheels for more architectures under emulation
This commit also fixes the macos build to use universal2 wheels,
which was broken with the addition of riscv64 support.
Support for these architectures is experimental, but we have had
a request for ppc64le in #3449. As long as emulation gives us a turnkey
solution, we might as well build for them, but if the emulation
pipeline turns out to be unstable we will reconsider. (armv7l is also
experimentally supported by cibuildwheel and even shows up more
frequently in our download stats than ppc64le and s390x, but I got
a cryptic failure when I tried it so I'm leaving it out for now.)
This commit reduces the amount of testing we do for emulated
builds because they are otherwise the slowest part of the build
pipeline.
Ben Darnell [Fri, 20 Mar 2026 03:05:22 +0000 (23:05 -0400)]
*: Rewrite imports with isort
Today's type import changes have caused a lot of churn in the import
statements and we've never had a consistent style. Run a one-time
cleanup with isort to tidy things up. I'm not (currently) planning
to make this a CI-enforced rule.
Julien Stephan [Wed, 26 Nov 2025 17:09:48 +0000 (18:09 +0100)]
ci: add riscv64 manylinux/musllinux wheels
Now that cibuildwheel and PyPI support riscv64, we can start building
riscv64 wheels for Tornado.
Because there is no native riscv64 runner available, this PR adds a
QEMU-based riscv64 job to the cibuildwheel workflow.
Due to emulation, we need to:
- Increase ASYNC_TEST_TIMEOUT to 30s to accommodate slower runs
- Increase timeout for test_request_timeout
- Skip test_unquote_large
Signed-off-by: Julien Stephan <jstephan@baylibre.com>
Ben Darnell [Thu, 19 Mar 2026 19:03:46 +0000 (15:03 -0400)]
*: Remove most typing.TYPE_CHECKING guards and F401 noqa comments
Flake8 now understands type annotations and no longer emits
"unused import" warnings for type imports. Most imports that
were previously behind TYPE_CHECKING guards are no longer
needed, or can be moved to unguarded imports.
In 8.19.0-rc2, the error logic has been changed so any later errors are
preserved. This changes what is returned by curl and therefore what tornado
sees. For HTTPError variant of the test, which uses CurlAsyncHTTPClient, we get
the error from pycurl and now it contains "Failed binding local connection
end". This logic handles both the old version of libcurl and also the newer
one.
Co-Authored-By: Samuel Henrique <samueloph@debian.org>
Ben Darnell [Tue, 10 Mar 2026 16:19:50 +0000 (12:19 -0400)]
httputil: Add CRLF to _FORBIDDEN_HEADER_CHARS_RE
I think these were omitted due to quirks of an older version of the
parsing code. Linefeeds are already effectively prohibited within
header values since they are interpreted as delimiters, so the net
effect of this change is to prohibit bare carriage returns within
header values. This RE is used only when parsing headers inside
multipart/form-data bodies; for HTTP headers CR was already prohibited.
Ben Darnell [Fri, 6 Mar 2026 19:50:25 +0000 (14:50 -0500)]
web: Validate characters in all cookie attributes.
Our previous control character check was missing a check for
U+007F, and also semicolons, which are only allowed in quoted
parts of values. This commit checks all attributes and
updates the set of disallowed characters.
Ben Darnell [Tue, 3 Mar 2026 19:36:14 +0000 (14:36 -0500)]
httputil: Add limits on multipart form data parsing
The new default limits prevent a DoS vulnerability involving
requests with many multipart parts. It also adds a defense-in-depth
limit on the size of multipart headers, which would have mitigated
the vulnerability fixed in 6.5.3.
New data structures are added to allow users to configure these limits,
and to disable multipart parsing entirely if they choose. However,
due to the complexity of the plumbing required to pass these
configuration options through the stack, the only configuration
provided in this commit is the ability to set a global default.
Ben Darnell [Thu, 11 Dec 2025 03:00:03 +0000 (22:00 -0500)]
test: Use time.perf_counter instead of time.time for performance tests
On windows, time.time has low resolution (about 15ms), which makes
performance tests flaky. time.perf_counter has much higher resolution
and is the recommended way to measure elapsed time.
Ben Darnell [Wed, 10 Dec 2025 20:15:25 +0000 (15:15 -0500)]
web: Harden against invalid HTTP reason phrases
We allow applications to set custom reason phrases for the HTTP status
line (to support custom status codes), but if this were exposed to
untrusted data it could be exploited in various ways. This commit
guards against invalid reason phrases in both HTTP headers and in
error pages.
Ben Darnell [Wed, 10 Dec 2025 15:55:02 +0000 (10:55 -0500)]
httputil: Fix quadratic behavior in _parseparam
Prior to this change, _parseparam had O(n^2) behavior when parsing
certain inputs, which could be a DoS vector. This change adapts
logic from the equivalent function in the python standard library
in https://github.com/python/cpython/pull/136072/files
Ben Darnell [Tue, 9 Dec 2025 18:27:27 +0000 (13:27 -0500)]
httputil: Fix quadratic performance of repeated header lines
Previouisly, when many header lines with the same name were found
in an HTTP request or response, repeated string concatenation would
result in quadratic performance. This change does the concatenation
lazily (with a cache) so that repeated headers can be processed
efficiently.
Security: The previous behavior allowed a denial of service attack
via a maliciously crafted HTTP message, but only if the
max_header_size was increased from its default of 64kB.
Ben Darnell [Tue, 9 Dec 2025 17:10:18 +0000 (12:10 -0500)]
process_test: Use isolated mode for subprocess tests
Prompt customizations (notably the PYTHONSTARTUP file used by
vscode's terminal integration) can interfere with tests that run
interactive interpreters in a subprocess. Run those interpreters
in isolated mode to avoid this problem.)
Ben Darnell [Tue, 9 Dec 2025 15:19:34 +0000 (10:19 -0500)]
demos: Remove s3server demo
This program does not demonstrate anything particularly interesting
about Tornado, nor is it a good stylistic example to follow. Its
handling of path validation is rudimentary and can be insecure in
some configurations. It makes more sense to remove it than to
try and improve it.
projects / thirdparty / tornado.git / log
