python · tornado · Critical
Tornado gzip decompression memory exhaustion fix
What changed
Gzip decompression now enforces max_body_size on both compressed and cumulative decompressed size, preventing memory exhaustion.
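The two limits described above, sketched with the standard-library zlib module as an added example. This is not Tornado's code; `bounded_gunzip`, `BodyTooLarge`, `split` and the 1 MiB limit are names and values assumed for illustration.

```python
import gzip
import zlib


class BodyTooLarge(Exception):
    """Compressed or decompressed size went past the configured limit."""


def bounded_gunzip(chunks, max_body_size, step=64 * 1024):
    """Inflate an iterable of gzip chunks, applying max_body_size to both the
    compressed bytes received and the cumulative decompressed bytes produced."""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 + wbits: gzip framing
    compressed_seen = 0
    out = bytearray()
    for chunk in chunks:
        compressed_seen += len(chunk)
        if compressed_seen > max_body_size:
            raise BodyTooLarge("compressed size over limit")
        data = chunk
        while data:
            # Never request more than one byte past the remaining budget, so a
            # highly compressible body is rejected before it is fully inflated.
            budget = min(step, max_body_size - len(out) + 1)
            out += inflater.decompress(data, budget)
            if len(out) > max_body_size:
                raise BodyTooLarge("decompressed size over limit")
            data = inflater.unconsumed_tail
    out += inflater.flush()
    if len(out) > max_body_size:
        raise BodyTooLarge("decompressed size over limit")
    return bytes(out)


def split(data, size=4096):
    """Cut a byte string into network-sized chunks (constructed test input)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


if __name__ == "__main__":
    limit = 1024 * 1024  # assumed max_body_size of 1 MiB
    small = gzip.compress(b"hello tornado " * 100)  # constructed sample body
    bomb = gzip.compress(b"\x00" * (20 * limit))    # constructed: 20 MiB of zeros
    print(len(bounded_gunzip(split(small), limit)))
    try:
        bounded_gunzip(split(bomb), limit)
    except BodyTooLarge as exc:
        print(len(bomb), "compressed bytes rejected:", exc)
```

The second body stays far below the limit while compressed, which is why a check on compressed size alone does not bound memory use.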
Who it affects
Users of SimpleAsyncHTTPClient (default) and HTTPServer with decompress_request=True.
What to do today
Upgrade to Tornado 6.5.6 or later. If unable, set decompress_response=False or use CurlAsyncHTTPClient.