Tornado's gzip decompression routines work in limited-size chunks, but have no overall limit on the total size of the decompressed chunks they accumulate (there has always been a limit on the total compressed size). This allows a malicious server to consume effectively unlimited amounts of memory if it is accessed via SimpleAsyncHTTPClient in its default configuration. HTTPServer is not affected in its default configuration, but it is if decompress_request=True is set.
This bug is fixed in Tornado 6.5.6. max_body_size is now checked both for the compressed and cumulative decompressed size of the response.
Prior to upgrading, this issue can be mitigated by setting decompress_response=False or using CurlAsyncHTTPClient.
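The check the fix describes, as an added illustration that is not Tornado's own code: a chunked gzip decompressor that enforces a single max_body_size on both the compressed input and the cumulative decompressed output. The function and class names (bounded_gunzip, fits_in, BodyTooLarge) and the sample payload are constructed for this example.

```python
import gzip
import zlib


class BodyTooLarge(Exception):
    """Compressed or cumulative decompressed size exceeded max_body_size."""


def bounded_gunzip(compressed: bytes, max_body_size: int, chunk_size: int = 64 * 1024) -> bytes:
    """Decompress a gzip body in chunks while enforcing max_body_size on both
    the compressed input and the cumulative decompressed output.

    Illustrative, not Tornado's code: the cumulative check inside the loop is
    the one the advisory describes as missing before 6.5.6."""
    if len(compressed) > max_body_size:
        raise BodyTooLarge("compressed body exceeds max_body_size")
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 + MAX_WBITS selects gzip framing
    out, total, pending = [], 0, compressed
    while not d.eof:
        # max_length caps this chunk; input not yet consumed is kept in
        # unconsumed_tail, so each chunk is bounded regardless of the ratio.
        chunk = d.decompress(pending, chunk_size)
        pending = d.unconsumed_tail
        if not chunk and not pending:
            raise ValueError("truncated gzip stream")
        total += len(chunk)
        if total > max_body_size:
            # Without this check a tiny compressed body can expand without bound.
            raise BodyTooLarge(f"decompressed body exceeds max_body_size ({total} > {max_body_size})")
        out.append(chunk)
    return b"".join(out)


def fits_in(compressed: bytes, max_body_size: int) -> bool:
    """True if the body decompresses within the limit, False if it is rejected."""
    try:
        bounded_gunzip(compressed, max_body_size)
        return True
    except BodyTooLarge:
        return False


# Constructed sample: 1 MiB of zeros compresses to roughly 1 KiB, so a client
# that only caps the compressed size would accept it and allocate the full 1 MiB.
SAMPLE = gzip.compress(b"\0" * (1 << 20))

if __name__ == "__main__":
    print(len(SAMPLE), "compressed bytes")
    print("256 KiB limit:", fits_in(SAMPLE, 256 * 1024))  # False
    print("2 MiB limit:", fits_in(SAMPLE, 2 << 20))  # True
```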