@@ -4,6 +4,7 @@ Release notes
44.. toctree ::
55 :maxdepth: 2
66
7+ releases/v6.5.5
78 releases/v6.5.4
89 releases/v6.5.3
910 releases/v6.5.2

1+ What's new in Tornado 6.5.5
2+ ===========================
3+
4+ Mar 10, 2026
5+ ------------
6+
7+ Security fixes
8+ ~~~~~~~~~~~~~~
9+
10+ - ``multipart/form-data `` requests are now limited to 100 parts by default, to prevent a
11+ denial-of-service attack via very large requests with many parts. This limit is configurable
12+ via `tornado.httputil.ParseMultipartConfig `. Multipart parsing can also be disabled completely
13+ if not required for the application. Thanks to [0x-Apollyon](https://github.com/0x-Apollyon) and
14+ [bekkaze](https://github.com/bekkaze) for reporting this issue.
15+ - The ``domain ``, ``path ``, and ``samesite `` arguments to `.RequestHandler.set_cookie ` are now
16+ validated for illegal characters, which could be abused to inject other attributes on the cookie.
17+ Thanks to Dhiral Vyas (Praetorian) for reporting this issue.
18+ - Carriage return characters are no longer accepted in ``multipart/form-data `` headers. Thanks to
19+ [sergeykochanov](https://github.com/sergeykochanov) for reporting this issue.
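
Review bot: The reporter credits on lines 13, 14 and 19 use Markdown link syntax (`[0x-Apollyon](https://github.com/0x-Apollyon)`) in a file that is otherwise reStructuredText (`===` and `~~~` heading underlines, double-backtick literals), so Sphinx will print the brackets and URL as literal text instead of a link; the reST form is `` `0x-Apollyon <https://github.com/0x-Apollyon>`_ ``. Separately, the first bullet introduces a default (100 parts) that changes behaviour for applications already receiving larger forms, and neither it nor the `set_cookie` bullet says what the caller sees when the limit or the validation trips; one sentence each naming the resulting error would help operators plan the upgrade.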

2222# is zero for an official release, positive for a development branch,
2323# or negative for a release candidate or beta (after the base version
2424# number has been incremented)
25- version = "6.5.4 "
26- version_info = (6 , 5 , 4 , 0 )
25+ version = "6.5.5 "
26+ version_info = (6 , 5 , 5 , 0 )
2727
2828import importlib
2929import typing
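
Review bot: `version` and `version_info` on lines 25-26 are edited by hand as two copies of the same release number, and nothing visible in this hunk checks that they agree; a small test asserting that the string matches the tuple (with the final `0` for an official release, as the comment on lines 22-24 describes) would catch a release where only one of them is bumped.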