python · tornado · Critical
Tornado SimpleAsyncHTTPClient strips credentials on cross-origin redirects
SimpleAsyncHTTPClient now removes Authorization and Cookie headers on cross-origin redirects, matching libcurl behavior.
What changed
Before this change, SimpleAsyncHTTPClient kept the Authorization and Cookie request headers when it followed a redirect to a different origin (scheme, host or port), so credentials meant for the original server were replayed to whatever host the Location header named. It now removes both headers on cross-origin redirects, matching libcurl behavior. Same-origin redirects are unaffected and still carry the original headers.
Who it affects
Users of Tornado's SimpleAsyncHTTPClient with follow_redirects=True (the default) who send Authorization or Cookie headers on requests that a server, or an attacker who can influence a server's Location header, may redirect to another origin. Before the fix those credentials were forwarded to the redirect target.
What to do today
Update Tornado to version 6.5.6 or later to prevent credential leakage on cross-origin redirects. If you cannot upgrade immediately, pass follow_redirects=False on requests that carry credentials and follow any 3xx response yourself, dropping Authorization and Cookie whenever the Location target is not the same scheme, host and port as the original request.
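The rule the fix applies, as an added example written here rather than Tornado's own code: compare the origin (scheme, host, effective port) of the original request with that of the resolved Location target, and drop Authorization and Cookie only when they differ. The same function can be used to build the follow-up request by hand when follow_redirects=False is set on a pre-6.5.6 client (with raise_error=False so the 3xx response is returned rather than raised). The URLs, header values and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin

# Request headers that carry credentials and must not cross an origin boundary.
CREDENTIAL_HEADERS = ("authorization", "cookie")

# Effective port when the URL does not name one explicitly.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, effective port) for url, the tuple that defines an origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def headers_for_redirect(request_url, location, headers):
    """Return (target_url, headers) for following `location` from `request_url`.

    A relative Location is resolved against the request URL, so it is same-origin
    by construction. When the resolved target has a different origin, the
    Authorization and Cookie headers are removed; everything else is kept.
    Header names are matched case-insensitively, as HTTP requires.
    """
    target = urljoin(request_url, location)
    new_headers = dict(headers)
    if origin(target) != origin(request_url):
        for name in list(new_headers):
            if name.lower() in CREDENTIAL_HEADERS:
                del new_headers[name]
    return target, new_headers


def run_examples():
    """Constructed redirect cases; returns {case: whether credentials were kept}."""
    request_url = "https://api.example.com/v1/resource"   # constructed
    headers = {                                            # constructed
        "Authorization": "Bearer constructed-token",
        "Cookie": "session=constructed",
        "Accept": "application/json",
    }
    cases = {
        "same-origin relative path": "/v1/other",
        "same-origin explicit default port": "https://api.example.com:443/v1/other",
        "different host": "https://cdn.example-storage.net/blob",
        "different port": "https://api.example.com:8443/v1/other",
        "https downgraded to http": "http://api.example.com/v1/other",
    }
    results = {}
    for case, location in cases.items():
        _, sent = headers_for_redirect(request_url, location, headers)
        results[case] = any(k.lower() in CREDENTIAL_HEADERS for k in sent)
    return results


if __name__ == "__main__":
    for case, kept in run_examples().items():
        print(f"{case:40s} credentials {'kept' if kept else 'stripped'}")
```

Note that a port change or an https-to-http downgrade on the same host is treated as cross-origin, so credentials are stripped there too; only the unrelated Accept header survives the cross-origin cases.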