- Update to 6.5.5 (CVE-2026-31958, bsc#1259553)
* ``multipart/form-data`` requests are now limited to 100 parts by default,
to prevent a denial-of-service attack via very large requests with many
parts. This limit is configurable via
`tornado.httputil.ParseMultipartConfig`. Multipart parsing can also be
disabled completely if not required for the application.
Thanks to 0x-Apollyon and bekkaze for reporting this issue.
* The ``domain``, ``path``, and ``samesite`` arguments to
`.RequestHandler.set_cookie` are now validated for illegal characters, which
could be abused to inject other attributes on the cookie.
Thanks to Dhiral Vyas (Praetorian) for reporting this issue.
* Carriage return characters are no longer accepted in ``multipart/form-data``
headers.
Thanks to sergeykochanov for reporting this issue.
- add fix-tests-with-curl-8-19.patch to fix tests with curl 8.19
OBS-URL: https://build.opensuse.org/request/show/1338684
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-tornado6?expand=0&rev=22
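
The cookie attribute issue named in the changelog above, shown as an added example that is not part of the commit and is not Tornado's code: an unchecked `path` containing `;` yields an extra attribute, and a character check rejects it. The function names, the illegal-character set, the SameSite allowlist and the sample values are assumptions made for this illustration.

```python
import re

# Assumption for this example: ";" separates cookie attributes, and control
# characters (CR, LF, NUL, ...) can split or corrupt the header line, so
# neither may appear inside an attribute value.
_ILLEGAL = re.compile(r"[;\x00-\x1f\x7f]")
# Assumption: an allowlist for SameSite, stricter than a character check.
_SAMESITE = {"strict", "lax", "none"}


def naive_set_cookie(name, value, domain=None, path="/", samesite=None):
    """Build a Set-Cookie value by concatenating attributes unchecked."""
    parts = [f"{name}={value}"]
    if domain:
        parts.append(f"Domain={domain}")
    if path:
        parts.append(f"Path={path}")
    if samesite:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


def checked_set_cookie(name, value, domain=None, path="/", samesite=None):
    """Same output as naive_set_cookie, but reject unsafe attribute values."""
    for attr, val in (("domain", domain), ("path", path), ("samesite", samesite)):
        if val is not None and _ILLEGAL.search(val):
            raise ValueError(f"illegal character in cookie {attr}: {val!r}")
    if samesite is not None and samesite.lower() not in _SAMESITE:
        raise ValueError(f"unknown samesite value: {samesite!r}")
    return naive_set_cookie(name, value, domain, path, samesite)


def attributes(header):
    """Attribute names a client would parse out of a Set-Cookie value."""
    return [p.strip().split("=", 1)[0].lower() for p in header.split(";")[1:]]


if __name__ == "__main__":
    # Constructed input: a path taken from untrusted data.
    untrusted_path = "/app; Domain=example.test"
    print(attributes(naive_set_cookie("sid", "abc", path=untrusted_path)))
    try:
        checked_set_cookie("sid", "abc", path=untrusted_path)
    except ValueError as exc:
        print("rejected:", exc)
```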