Release notes for 6.3.3

httpserver_test: Add ExpectLog to fix CI

The github security advisory feature lets you make private PRs but
it apparently doesn't support CI so this log failure wasn't caught
until after the PR was merged.

http1connection: Make content-length parsing more strict

Content-length and chunk size parsing now strictly matches the RFCs.
We previously used the python int() function which accepted leading
plus signs and internal underscores, which are not allowed by the
HTTP RFCs (it also accepts minus signs, but these are less problematic
in this context since they'd result in errors elsewhere)

It is important to fix this because when combined with certain proxies,
the lax parsing could result in a request smuggling vulnerability (if
both Tornado and the proxy accepted an invalid content-length but
interpreted it differently). This is known to occur with old versions
of haproxy, although the current version of haproxy is unaffected.

web_test: Fix open redirect test on windows

Drive letters in windows absolute paths mess up this test,
so remove them and use a path relative to the drive root instead.

Fix syntax error in docstring

Update mypy/typeshed, update a few types

This required a recent update to typeshed/mypy.

Fixes #3093

Fixes a conflict between pip-tools and pip.

autoreload: Various updates

This flag terminates the autoreload loop after the first successful
run. This makes it possible to cleanly shut down a process that is using
"python -m tornado.autoreload" without printing a traceback.

Fixes #2398

build(deps): bump certifi from 2022.12.7 to 2023.7.22

Bumps [certifi](https://github.com/certifi/python-certifi) from 2022.12.7 to 2023.7.22.
- [Commits](https://github.com/certifi/python-certifi/compare/2022.12.07...2023.07.22)

---
updated-dependencies:
- dependency-name: certifi
  dependency-type: indirect
...
Signed-off-by: Ndependabot[bot] <support@github.com>

A previous commit added support for using autoreload within programs
that were started as directories; this commit supports them when
run with the -m tornado.autoreload wrapper.

This change may have side effects for file mode since we now use
runpy.run_path instead of executing the file by hand (I don't think
the run_path function existed when this code was originally written).

This will make it easier to add other options (for #2398)

Running a directory has some but not all of the behavior of
running a module, including setting __spec__, so we must be careful
not to break things by assuming that __spec__ means module mode.

Fixes #2855

build(deps): bump pygments from 2.14.0 to 2.15.0

Bumps [pygments](https://github.com/pygments/pygments) from 2.14.0 to 2.15.0.
- [Release notes](https://github.com/pygments/pygments/releases)
- [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES)
- [Commits](https://github.com/pygments/pygments/compare/2.14.0...2.15.0)

---
updated-dependencies:
- dependency-name: pygments
  dependency-type: indirect
...
Signed-off-by: Ndependabot[bot] <support@github.com>

asyncio: Remove atexit hook

This hook was added because of an only-in-CI issue, but we have since
improved our cleanup of the selector thread. As long as this passes
CI, I think we can remove the atexit hook.

Fixes #3291

auth: Various updates

Matches a change made to the Google auth mixin in a previous commit.

Fixes #756

The read_stream scope was replaced with user_posts; this change
was made to demos/facebook/facebook.py in #1674 but the corresponding
comment was not updated. The offline_access scope has also been removed
but seems irrelvant to this comment.

Fixes #1566

Add some more detail to app registration docs.

This was done mainly to verify that we don't need to introduce
new parameters as requested in #2140

Closes #2140

It's unclear to what extent this class still works given Twitter's
recent API changes. Deprecate it since I don't intend to track
future changes here.

OAuth2Mixin.authorize_redirect has never used this argument
and similar methods in this module don't have it.

Closes #1122

test: Add test for open redirect fixed in 6.3.2