python · tornado · Heads-up
tornado CurlAsyncHTTPClient leaks TLS certs and proxy credentials across requests
What changed
CurlAsyncHTTPClient reuses pycurl handles without resetting per-request options, causing client TLS certificates (SSLCERT/SSLKEY) and proxy credentials (PROXYUSERPWD) to leak across requests.
Who it affects
Applications using CurlAsyncHTTPClient with per-request client_cert/client_key or proxy_username/proxy_password on a shared client instance.
What to do today
Upgrade to a patched version once available, or manually call curl.reset() before each request in _curl_setup_request.
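The mechanism and the curl.reset() workaround, as an added example that is not tornado's own code: FakeCurl is a hypothetical stand-in for a pycurl handle, setup_request is a simplified model of per-request setup, and the request values are constructed.

```python
# Added illustration. FakeCurl is a hypothetical stand-in for a pycurl handle;
# it models one property only: options set with setopt() persist until reset().
class FakeCurl:
    def __init__(self):
        self.opts = {}

    def setopt(self, name, value):
        self.opts[name] = value

    def reset(self):
        self.opts.clear()


# curl option -> request field that supplies it
SENSITIVE = {"SSLCERT": "client_cert", "SSLKEY": "client_key",
             "PROXYUSERPWD": "proxy_username"}


def setup_request(curl, request, reset_first):
    """Write an option only when the request supplies it (the pattern at fault)."""
    if reset_first:
        curl.reset()  # the workaround named in the advisory
    curl.setopt("URL", request["url"])
    if request.get("client_cert"):
        curl.setopt("SSLCERT", request["client_cert"])
    if request.get("client_key"):
        curl.setopt("SSLKEY", request["client_key"])
    if request.get("proxy_username"):
        curl.setopt("PROXYUSERPWD", "%s:%s" % (
            request["proxy_username"], request.get("proxy_password", "")))
    return dict(curl.opts)  # options this request would actually be sent with


def leaked_options(requests, reset_first):
    """Per request: sensitive options in effect that the request did not supply."""
    curl = FakeCurl()  # one handle reused for every request
    report = []
    for req in requests:
        effective = setup_request(curl, req, reset_first)
        report.append([opt for opt, field in SENSITIVE.items()
                       if opt in effective and not req.get(field)])
    return report


# Constructed sample requests: the first authenticates, the second must not.
REQUESTS = [
    {"url": "https://internal.example/api", "client_cert": "/constructed/client.pem",
     "client_key": "/constructed/client.key", "proxy_username": "svc",
     "proxy_password": "constructed-secret"},
    {"url": "https://third-party.example/hook"},
]

if __name__ == "__main__":
    print("reused handle, no reset:", leaked_options(REQUESTS, False))
    print("reset before each setup:", leaked_options(REQUESTS, True))
```

On a real pycurl handle, reset() clears every option, so any options applied when the handle was created would need to be set again after the reset.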