Tornado 6.1.0

Tornado is a Python web framework and asynchronous networking library. By using non-blocking network I/O, Tornado can scale to tens of thousands of open connections, making it ideal for long polling, WebSockets, and other applications that require a long-lived connection to each user. It's comprised of a web framework, a HTTP client and server implementation based on an asynchronous networking core, and it coroutine library. As whole it can supplant WSGI setups, but the web framework itself may be run with traditional servers.

Tags python web-framework http-server
License Apache
State stable

Recent Releases

6.1.031 Oct 2020 03:16 minor feature: What's new in Tornado 6.1.0 Oct 30, 2020. Deprecation notice. This is the last release of Tornado to support Python 3.5. Future versions. will require Python 3.6 or newer. General changes. Windows support has been improved. Tornado is now compatible with the proactor. event loop (which became the default in Python 3.8) by automatically falling. back to running a selector in a second thread. This means that it is no longer. necessary to explicitly configure a selector event loop, although doing so may. improve performance. This does not change the fact that Tornado is significantly. less scalable on Windows than on other platforms. Binary wheels are now provided for Windows, MacOS, and Linux (amd64 and arm64). `tornado.gen`. `.coroutine` now has better support for the Python 3.7+ `contextvars` module. In particular, the `ContextVar.reset` method is now supported. `tornado.http1connection`. `HEAD` requests to handlers that used chunked encoding no longer produce malformed output. Certain kinds of malformed `gzip` data no longer cause an infinite loop. `tornado.httpclient`. Setting `decompress_response=False` now works correctly with. `curl_httpclient`. Mixing requests with and without proxies works correctly in `curl_httpclient`. (assuming the version of pycurl is recent enough). A default `User-Agent` of `Tornado/ VERSION` is now used if the. `user_agent` parameter is not specified. After a 303 redirect, `tornado.simple_httpclient` always uses `GET`. Previously this would use `GET` if the original request was a `POST` and. would otherwise reuse the original request method. For `curl_httpclient`, the. behavior depends on the version of `libcurl` (with the most recent versions. using `GET` after 303 regardless of the original method). Setting `request_timeout` and/or `connect_timeout` to zero is now supported. to disable the timeout. `tornado.httputil`. Header parsing is now faster. `.pa
6.1.0b130 Sep 2020 10:05 minor feature: What's new in Tornado 6.1.0 Oct X, 2020. General changes. Windows support has been improved. Tornado is now compatible with the proactor. event loop (which became the default in Python 3.8) by automatically falling. back to running a selector in a second thread. This means that it is no longer. necessary to explicitly configure a selector event loop, although doing so may. improve performance. This does not change the fact that Tornado is significantly. less scalable on Windows than on other platforms. Binary wheels are now provided for Windows, MacOS, and Linux (amd64 and arm64). `tornado.http1connection`. `HEAD` requests to handlers that used chunked encoding no longer produce malformed output. Certain kinds of malformed `gzip` data no longer cause an infinite loop. `tornado.httpclient`. Setting `decompress_response=False` now works correctly with. `curl_httpclient`. Mixing requests with and without proxies works correctly in `curl_httpclient`. (assuming the version of pycurl is recent enough). A default `User-Agent` of `Tornado/ VERSION` is now used if the. `user_agent` parameter is not specified. After a 303 redirect, `tornado.simple_httpclient` always uses `GET`. Previously this would use `GET` if the original request was a `POST` and. would otherwise reuse the original request method. For `curl_httpclient`, the. behavior depends on the version of `libcurl` (with the most recent versions. using `GET` after 303 regardless of the original method). Setting `request_timeout` and/or `connect_timeout` to zero is now supported. to disable the timeout. `tornado.httputil`. Header parsing is now faster. `.parse_body_arguments` now accepts incompletely-escaped non-ASCII inputs. `tornado.iostream`. `ssl.CertificateError` during the SSL handshake is now handled correctly. Reads that are resolved while the stream is closing are now handled correctly. `tornado.log`. When colored logging is enabled, `logging.C
6.0.224 Mar 2019 16:05 minor feature: What's new in Tornado 6.0.2 Mar 23, 2019. `.WebSocketHandler.set_nodelay` works again. Accessing `HTTPResponse.body` now returns an empty byte string. instead of raising `ValueError` for error responses that don't. have a body (it returned None in this case in Tornado 5).
6.0.106 Mar 2019 03:45 minor feature: What's new in Tornado 6.0.1 Mar 3, 2019. With type annotations that caused errors while. Importing Tornado on Python 3.5.2.
6.0.002 Mar 2019 16:45 minor feature: What's new in Tornado 6.0 Mar 1, 2019. Backwards-incompatible changes. Python 2.7 and 3.4 are no longer supported; the minimum supported. Python version is 3.5.2. APIs deprecated in Tornado 5.1 have been removed. This includes the. `tornado.stack_context` module and most `callback` arguments. throughout the package. All removed APIs emitted. `DeprecationWarning` when used in Tornado 5.1, so running your. application with the `-Wd` Python command-line flag or the. environment variable `PYTHONWARNINGS=d` should tell you whether. your application is ready to move to Tornado 6.0. `.WebSocketHandler.get` is now a coroutine and must be called. accordingly in any subclasses that override this method (but note. that overriding `get` is not recommended; either `prepare` or. `open` should be used instead). General changes. Tornado now includes type annotations compatible with `mypy`. These annotations will be used when type-checking your application. with `mypy`, and may be usable in editors and other tools. Tornado now uses native coroutines internally, improving performance. `tornado.auth`. All `callback` arguments in this package have been removed. Use. the coroutine interfaces instead. The `OAuthMixin._oauth_get_user` method has been removed. Override ` .OAuthMixin._oauth_get_user_future` instead. `tornado.concurrent`. The `callback` argument to `.run_on_executor` has been removed. `return_future` has been removed. `tornado.gen`. Some older portions of this module have been removed. This includes. `engine`, `YieldPoint`, `Callback`, `Wait`, `WaitAll`. `MultiYieldPoint`, and `Task`. Functions decorated with `@gen.coroutine` no longer accept. `callback` arguments. `tornado.httpclient`. The behavior of `raise_error=False` has changed. Now only. suppresses the errors raised due to completed responses with non-200. status codes (previously it suppressed all errors). The `callback` argument to `.AsyncHTTPCl
5.1.118 Sep 2018 07:25 minor feature: What's new in Tornado 5.1.1 Sep 16, 2018. an case in which the `.Future` returned by. `.RequestHandler.finish` could fail to resolve. The `.TwitterMixin.authenticate_redirect` method works again. Improved error handling in the `tornado.auth` module, ing hanging. requests when a network or other error occurs.
5.1.012 Jul 2018 12:05 minor feature: What's new in Tornado 5.1 July 12, 2018. Deprecation notice. Tornado 6.0 will drop support for Python 2.7 and 3.4. The minimum. Supported Python version will be 3.5.2. The `tornado.stack_context` module is deprecated and will be removed. in Tornado 6.0. The reason for this is that it is not feasible to. Provide this module's semantics in the presence of `async def`. Native coroutines. `.ExceptionStackContext` is mainly obsolete. Thanks to coroutines. `.StackContext` lacks a direct replacement. Although the new `contextvars` package (in the Python standard. Library beginning in Python 3.7) may be an alternative. Callback-oriented code often relies on `.ExceptionStackContext` to. Handle errors and prevent leaked connections. In order to avoid the. Risk of silently introducing subtle leaks (and to consolidate all of. Tornado's interfaces behind the coroutine pattern), `callback`. Arguments throughout the package are deprecated and will be removed. in version 6.0. All functions that had a `callback` argument. Removed now return a `.Future` which should be used instead. Where possible, deprecation warnings are emitted when any of these. Deprecated interfaces is used. However, Python does not display. Deprecation warnings by default. To prepare your application for. Tornado 6.0, run Python with the `-Wd` argument or set the. Environment variable `PYTHONWARNINGS` to `d`. If your. Application runs on Python 3 without deprecation warnings, it should. be able to move to Tornado 6.0 without disruption. `tornado.auth`. `.OAuthMixin._oauth_get_user_future` may now be a native coroutine. All `callback` arguments in this package are deprecated and will. be removed in 6.0. Use the coroutine interfaces instead. The `OAuthMixin._oauth_get_user` method is deprecated and will be removed in. 6.0. Override ` .OAuthMixin._oauth_get_user_future` instead. `tornado.autoreload`. The command-line autoreload wrapper is now preser
5.1.0b112 Jun 2018 11:25 minor feature: Accept header parameters in RFC 2231 format. . Format doctest suitable for Python 2. . Remove disabled code, and test for backslash removal. . Update options in order to have same behavior from config file or com . . Parse option in config file when value is str. . Test_options refactoring. . Only invoke select_subprotocol() when the client requests it. . Bump master version to 5.1.dev1. . Asyncio: Support Python 3.4.2 for compatibility with Debian jessie. . . . . . Websocket: Make ping() argument optional. . Concurrent: run_on_executor returns async futures, not concurrent ones. . Httputil: Clean up error handling in HTTPHeaders.parse. . . . Update running.rst. . . . Merge remote-tracking branch 'origin/branch5.0'. . Bump maint requirements. . Run new autopep8. . Update warning for missing C compiler on macOS. . Websocket_test: Wrap a long line. . . . Auth: Add deprecation warnings for anything using auth_return_future. . Concurrent,auth: Add deprecation warnings to concurrent.return_future. . Auth: Deprecated _oauth_get_user. . Auth: Accept native coroutines in _oauth_get_user_future. . Auth: Touch up docs. . . . Concurrent: Deprecate callback argument with run_on_executor. . Escape: doc formatting. . . . Gen: Deprecate gen.engine. . Gen: Deprecate callback argument to coroutines. . Gen: Deprecate YieldPoint and its subclasses. . Gen: Deprecate Task. . Gen: Doc touchups. . Gen_test: Port some tests to non-deprecated interfaces. . . . Testing: Don't the event loop if we didn't create it. . . Asyncio: a leak when event loops are created and destroyed. . Httpclient: Document inability to use sync HTTPClient in async app. . . . Ioloop: Factor out the math of PeriodicCallback for easier testing. . Ioloop: PeriodicCallback when system clock moves backwards. . . . Release notes for 5.0.2. . Typo on release notes page. . Added RequestHandler.on_finish() to FallbackHandler.preapre(). . Httpclient:
5.0.208 Apr 2018 08:45 minor feature: What's new in Tornado 5.0.1 Apr 7, 2018. a memory leak when `.IOLoop` objects are created and destroyed. If `.AsyncTestCase.get_new_ioloop` returns a reference to a. Preexisting event loop (typically when it has been overridden to. Return `.IOLoop.current()`), the test's `tearDown` method will not. This loop. a confusing error message when the synchronous `.HTTPClient`. Fails to initialize because an event loop is already running. `.PeriodicCallback` no longer executes twice in a row due to. Backwards clock adjustments.
5.0.119 Mar 2018 03:18 minor feature: What's new in Tornado 5.0.1 Mar 18, 2018. This release restores support for versions of Python 3.4 prior to. 3.4.4. This is important for compatibility with Debian Jessie which. has 3.4.2 as its version of Python 3.
5.0.006 Mar 2018 09:25 minor feature: What's new in Tornado 5.0 Mar 5, 2018. Highlights. The focus of this release is improving integration with `asyncio`. On Python 3, the `.IOLoop` is always a wrapper around the `asyncio`. Event loop, and `asyncio.Future` and `asyncio.Task` are used instead. of their Tornado counterparts. This means that libraries based on. `asyncio` can be mixed relatively seamlessly with those using. Tornado. While care has been taken to minimize the disruption from. This change, code changes may be required for compatibility with. Tornado 5.0, as detailed in the following section. Tornado 5.0 supports Python 2.7.9+ and 3.4+. Python 2.7 and 3.4 are. Deprecated and support for them will be removed in Tornado 6.0. Which will require Python 3.5+. Backwards-compatibility notes. Python 3.3 is no longer supported. Versions of Python 2.7 that predate the `ssl` module update are no. Longer supported. (The `ssl` module was updated in version 2.7.9. Although in some distributions the updates are present in builds. With a lower version number. Tornado requires `ssl.SSLContext`. `ssl.create_default_context`, and `ssl.match_hostname`). Versions of Python 3.5 prior to 3.5.2 are no longer supported due to. a change in the async iterator protocol in that version. The `trollius` project (`asyncio` backported to Python 2) is no. Longer supported. `tornado.concurrent.Future` is now an alias for `asyncio.Future`. When running on Python 3. This results in a number of minor. Behavioral changes: - `.Future` objects can only be created while there is a current. `.IOLoop`. - The timing of callbacks scheduled with. `Future.add_done_callback` has changed. `tornado.concurrent.future_add_done_callback` can be used to. Make the behavior more like older versions of Tornado (but not. Identical). Some of these changes are also present in the Python. 2 version of `tornado.concurrent.Future` to minimize the. Difference between Python 2 and 3. - Cancella
4.5.308 Jan 2018 03:25 minor feature: What's new in Tornado 4.5.3 Jan 6, 2018. `tornado.curl_httpclient`. Improved delogging on Python 3. `tornado.httpserver`. `Content-Length` and `Transfer-Encoding` headers are no longer. sent with 1xx or 204 responses (this was already true of 304. responses). Reading chunked requests no longer leaves the connection in a broken. state. `tornado.iostream`. Writing a `memoryview` can no longer result in "BufferError: Existing exports of data: object cannot be re-sized". `tornado.options`. Duplicate option names are now detected properly whether they use. hyphens or underscores. `tornado.testing`. `.AsyncHTTPTestCase.fetch` now uses `` instead of. `localhost`, improving compatibility with systems that have. partially-working ipv6 stacks. `tornado.web`. It is no longer allowed to send a body with 1xx or 204 responses. `tornado.websocket`. Requests with invalid websocket headers now get a response with. status code 400 instead of a connection.
4.5.228 Aug 2017 12:45 minor feature: What's new in Tornado 4.5.2 Aug 27, 2017. Tornado now sets the `FD_CLOEXEC` flag on all file descriptors it creates. This prevents hanging client connections and resource leaks when the `tornado.autoreload` module (or `Application(de=True)`) is used.
4.5.121 Apr 2017 19:05 minor feature: What's new in Tornado 4.5 Apr 16, 2017. `tornado.log`. Improved detection of libraries for colorized logging. `tornado.httputil`. `.url_concat` once again treats None as equivalent to an empty sequence.
4.5.017 Apr 2017 09:25 minor feature: What's new in Tornado 4.5 Apr 16, 2017. Backwards-compatibility warning. The `tornado.websocket` module now imposes a limit on the size of incoming. messages, which defaults to 10MiB. New module. `tornado.routing` provides a more flexible routing system than the one built in. to `.Application`. General changes. Reduced the number of circular references, reducing memory usage and. improving performance. `tornado.auth`. The `tornado.auth` module has been updated for compatibility with `a. change to Facebook's access_token endpoint. lt;#1977 gt;`_. This includes both. the changes initially released in Tornado 4.4.3 and an additional change. to support the ``session_expires` field in the new format. The `session_expires` field is currently a string; it should be accessed. as `int(user 'session_expires' )` because it will change from a string to. an int in Tornado 5.0. `tornado.autoreload`. Autoreload is now compatible with the `asyncio` event loop. Autoreload no longer attempts to the `.IOLoop` and all registered. file descriptors before restarting; it relies on the `CLOEXEC` flag. being set instead. `tornado.concurrent`. Suppressed some "'NoneType' object not callback" messages that could. be logged at shutdown. `tornado.gen`. `yield None` is now equivalent to `yield gen.moment`. ` tornado.gen.moment` is deprecated. This improves compatibility with. `asyncio`. an in which a generator object could be garbage. collected prematurely (most often when weak references are used. New function `.is_coroutine_function` identifies functions wrapped. by `.coroutine` or `.engine`. `tornado.http1connection`. The `Transfer-Encoding` header is now parsed case-insensitively. `tornado.httpclient`. `SimpleAsyncHTTPClient` now follows 308 redirects. `CurlAsyncHTTPClient` will no longer accept protocols other than. `http` and `https`. To override this, set `pycurl.PROTOCOLS`. and `pycurl.REDIR_PROTOCOLS` i
4.4.331 Mar 2017 06:05 minor feature: What's new in Tornado 4.4.3 Mar 30, 2017. The `tornado.auth` module has been updated for compatibility with `a. change to Facebook's access_token endpoint. lt;#1977 gt;`_.
4.4.202 Oct 2016 19:25 minor feature: What's new in Tornado 4.4.2 Oct 1, 2016. Security. A difference in cookie parsing between Tornado and web browsers. (especially when combined with Google Analytics) could allow an. Attacker to set arbitrary cookies and bypass XSRF protection. The. Cookie parser has been rewritten to this attack. Backwards-compatibility notes. Cookies containing certain special characters (in particular semicolon. And square brackets) are now parsed differently. If the cookie header contains a combination of valid and invalid cookies. The valid ones will be returned (older versions of Tornado would reject the. Entire header for a single invalid cookie).
4.4.125 Jul 2016 05:25 minor feature: What's new in Tornado 4.4.1 Jul 23, 2016. `tornado.web`. a regression in Tornado 4.4 which caused URL regexes. Containing backslash escapes outside capturing groups to be. Rejected.
4.4.017 Jul 2016 14:45 minor feature: What's new in Tornado 4.4 Jul 15, 2016. General. Tornado now requires Python 2.7 or 3.3+; versions 2.6 and 3.2 are no. longer supported. Pypy3 is still supported even though its latest. release is mainly based on Python 3.2. The `monotonic lt; gt;`_ package is. now supported as an alternative to `Monotime. lt; gt;`_ for monotonic clock support. on Python 2. `tornado.curl_httpclient`. Failures in `_curl_setup_request` no longer cause the. `max_clients` pool to be exhausted. Non-ascii header values are now handled correctly. `tornado.gen`. `.with_timeout` now accepts any yieldable object (except. `.YieldPoint`), not just `tornado.concurrent.Future`. `tornado.httpclient`. The errors raised by timeouts now indicate what state the request. was in; the error message is no longer simply "599 Timeout". Calling `repr` on a `tornado.httpclient.HTTPError` no longer raises. an error. `tornado.httpserver`. Int-like enums (including `http.HTTPStatus`) can now be used as. status codes. Responses with status code `204 No Content` no longer emit a. `Content-Length: 0` header. `tornado.ioloop`. Improved performance when there are large numbers of active timeouts. `tornado.netutil`. All included `.Resolver` implementations raise `IOError` (or a. subclass) for any resolution failure. `tornado.options`. Options can now be modified with subscript syntax in addition to. attribute syntax. The special variable `__file__` is now available inside config files. `tornado.simple_httpclient`. HTTP/1.0 (not 1.1) responses without a `Content-Length` header now. work correctly. `tornado.tcpserver`. `.TCPServer.bind` now accepts a `reuse_port` argument. `tornado.testing`. Test sockets now always use `` instead of `localhost`. This avoids conflicts when the automatically-assigned port is. available on IPv4 but not IPv6, o
4.4.0b109 Jul 2016 13:45 minor feature: Cast start_line.code to an integer. Make __getitem__ and __setitem__ mirror behavior of __getattr__ and _?. Unset executable bit. Use `` when binding test server socket. Bump master version number to 4.4.dev1. Drop Python 2.6 support. Drop support for Python 3.2. Invert _unicode_literal to switch back to real literals. Convert all uses of t.util.u() to real unicode literals. Remove the u() function and a few uses the script missed. Streamline travis-ci build. Add monotonic as an alternative to Monotime. CurlAsyncHTTPClient: free_list starvation if setup fails. test failure to set up curl http requests. httpclient: Document that HTTPError is not the only possible error. Correct version change in Lock docstring. Missing hint in documentation. Add reuse_port flag to TCPServer.bind method. Use super() to call super "__init__()". Update Update Update logging when running tests with twisted installed. Use super() to call super "__init__()". make kwargs always work in AsyncHTTPClient.fetch(). add more detailed information to HTTP Timeout error raised by SimpleA?. refractor test_connect_timeout with a never finished future. replace BlockingResolver with Resolver and update timeout value becau?. raise ValueError if supply both a request object and kwargs. reverse_url should unescape regex string. Update hints for popular operating systems. re_unescape with a much simpler method; raise TypeError on invalid input. Move towards mypy-friendly patterns. Added SVG to compressible mime types. Add a test for path arguments in websockets. Improve docs of URLSpec capturing groups. Improve grammar in docs. Add defaults to template.ParseError arguments. Define `httpclient.HTTPError.__repr__`. Update docs for re_unescape. Document and test ` #!` syntax. Handle non-ascii headers correctly in curl_httpclient. HTTP1Connection for responses without content-length. Add a test for HTTPError.__str__ when it uses httputils.
4.3.007 Nov 2015 13:25 minor feature: Tornado 4.3 Nov 6, 2015. Highlights. The new async/await keywords in Python 3.5 are supported. In most cases. `async def` can be used in place of the `@gen.coroutine` decorator. Inside a function defined with `async def`, use `await` instead of. `yield` to wait on an asynchronous operation. Coroutines defined with. async/await will be faster than those defined with `@gen.coroutine` and. `yield`, but do not support some features including `.Callback`/`.Wait` or. the ability to yield a Twisted `Deferred`. See :ref:`the users'. guide lt;native_coroutines gt;` for more. The async/await keywords are also available when compiling with Cython in. older versions of Python. Deprecation notice. This will be the last release of Tornado to support Python 2.6 or 3.2. Note that PyPy3 will continue to be supported even though it implements. a mix of Python 3.2 and 3.3 features. Installation. Tornado has several new dependencies: `ordereddict` on Python 2.6. `singledispatch` on all Python versions prior to 3.4 (This was an. optional dependency in prior versions of Tornado, and is now. mandatory), and `backports_abc gt;=0.4` on all versions prior to. 3.5. These dependencies will be installed automatically when installing. with `pip` or ` install`. These dependencies will not. be required when running on Google App Engine. Binary wheels are provided for Python 3.5 on Windows (32 and 64 bit). `tornado.auth`. New method `.OAuth2Mixin.oauth2_request` can be used to make authenticated. requests with an access token. Now compatible with callbacks that have been compiled with Cython. `tornado.autoreload`. an with the autoreload command-line wrapper in which. imports would be incorrectly interpreted as relative. `tornado.curl_httpclient`. parsing of multi-line headers. `allow_nonstandard_methods=True` now bypasses body sanity checks. in the same way as in `simple_httpclient`. The `PATCH` method now allows a body wi
4.3.0b225 Oct 2015 07:45 minor feature: Return HTTPServer in Application.listen. PEP8 docs/ E122 continuation line missing indentatio?. Check for Content-Length and Transfer-Encoding. Restrict header check to SimpleAsyncHTTPClient. Make test_root_static_path more robust. Added xsrf_cookie_kwargs to control xsrf cookie settings. Update tests and docs for recent changes. Find 'httponly' case-insensitively. Set version number to 4.3b2.
4.3.0b120 Oct 2015 17:25 minor feature: Bump version number to 4.3.dev1. Get the tests passing under Python 3.5b2. Support Python 3.5 async/await native coroutines. Consistently format the three "Hello, world" examples (docs and README). Clarify the role and meaning of self.fetch() in AsyncHTTPTestCase. Tie the example for AsyncHTTPTestCase to real code. Clear __package__ in script run by autoreload CLI. Document StaticFileHandler's default_filename option. Introduce OAuth2Mixin.oauth2_request. Update outdated comment. Add Google OAuth2 user info request. unicode syntax for Python 3. Remove _OAUTH_USERINFO_URL. doctests. Merge branch 'pr1456'. Add filename to template.ParseError messages. Use unittest.mock in test_gaierror. Make dashes and underscores interchangeable in option names. Support pickling of HTTPHeaders. Update URL in comment. Reduce logging of errors inside IOStream (especially SSLError). Relax a test for SSL errors in start_tls. Add support for UTF-16 and UTF-8-with-BOM to CSV locale. Start next-release notes. Move compress_whitespace setting from template writer to reader. Add Loader parameter to control whitespace mode. Introduce `oneline` template whitespace mode. Add ` whitespace ` template directive. Merge branch 'branch4.2'. Update copyright line in docs. Remove an useless line. incorrect check in IOLoop(make_current=True). Remove arbitrary cap on length of outgoing headers. Correctly clear IOLoop.current() after TwistedIOLoop exits. Restore IOLoop.current() when AsyncIOLoop exits. test Content-Type for static compressed files. Content-Type for compressed StaticFileHandler file. Remove hidden testsetup blocks from otherwise self-contained doctests. Reduce default compression to level 6; raise min compressible length. Add docs about calling coroutines. Mention async/await in coroutine docs. Support other yieldables in `yield list`/`multi_future`. Implement the async context manager protocol in tornado.locks. Reduce duplication in exec-based tests. Support async i
4.2.118 Jul 2015 23:05 minor bugfix: This release fixes a path traversal vulnerability in `.StaticFileHandler`, in which files whose names *started with the `static_path` directory but were not actually *in that directory could be accessed.
4.2.027 May 2015 15:25 minor feature: `SSLIOStream.connect` and `.IOStream.start_tls` now validate certificates by default. Certificate validation will now use the system CA root certificates instead of `certifi` when possible (i.e. Python 2.7.9+ or 3.4+). This includes. `.IOStream` and `simple_httpclient`, but not `curl_httpclient`. The default SSL configuration has become stricter, using. `ssl.create_default_context` where available on the client side. (On the server side, applications are encouraged to migrate from the. `ssl_options` dict-based API to pass an `ssl.SSLContext` instead). The deprecated classes in the `tornado.auth` module, `GoogleMixin`,. `FacebookMixin`, and `FriendFeedMixin` have been removed. New modules:`tornado.locks` and `tornado.queues`. These modules provide classes for coordinating coroutines, merged from. `Toro lt;http:/ gt;`_. To port your code from Toro's queues to Tornado 4.2, import `.Queue`,. `.PriorityQueue`, or `.LifoQueue` from `tornado.queues` instead of from. `toro`. Use `.Queue` instead of Toro's `JoinableQueue`. In Tornado the methods. ` .Queue.join` and ` .Queue.task_done` are available on all queues, not on a. special `JoinableQueue`. Tornado queues raise exceptions specific to Tornado instead of reusing. exceptions from the Python standard library. Therefore instead of catching the standard `queue.Empty` exception from `.Queue.get_nowait`, catch the special `tornado.queues.QueueEmpty` exception,. and instead of catching the standard `queue.Full` from `.Queue.get_nowait`, catch `tornado.queues.QueueFull`. To port from Toro's locks to Tornado 4.2, import `.Condition`, `.Event`,. `.Semaphore`, `.BoundedSemaphore`, or `.Lock` from `tornado.locks`. instead of from `toro`. Toro's `Semaphore.wait` allowed a coroutine to wait for the semaphore to. be unlocked *without acquiring it. This encouraged unorthodox patterns; in Tornado, just use ` .Semaphore.acquire`. Toro's `Event.wait` raised a `Timeout` exception after a timeo
4.2.0b111 May 2015 13:25 minor feature: add pgettext, npgettext. add pgettext, npgettext docstrings. merge pgettext and npgettext into one pgettext. Skip falsy values for SimpleCookie flags. Add unit tests for new cookie behavior. some modifications in demos/benchmark so it can run both in py2 and py3. Bump master branch version number. Allow unicode strings in import_object in python 2. Update requirement versions; add flake8 and twine. Run autopep8. More flake8 cleanup. Enable the sphinx doctest extension. Make many doc code blocks into sphinx doctests. Enable sphinx doctests on travis-ci. modified method _schedule_next of PeriodicCallback to handle sudden c?. Added logging for debugging and fixes for flake8. Added logging for debugging and fixes for flake8. merge. flake8 cleanup. Coroutine exception __context__ leak in python 3. Increase the timeout on a test that's failing on travis-ci. Add tornado.locks.Condition. _on_close_called is set to True (was always False). Document the limitations of read_until_close(streaming_callback=). Update ssl_options docs to use SSLContext. Validate SSL certs by default at the IOStream level. Add ssl_options argument for simple_httpclient. Document that allow_ipv6 is now true in simple_httpclient. Reuse a global SSLContext by default in simple_httpclient. Fix tests on py26. Disable SSL compression on py32-33. Fix docs and relax a test. Unused imports in Add tornado.locks.Event. Event.io_loop is unused. Event.wait raises TimeoutError instead of returning False. Combine lock tests into Bind options argument in define_logging_options. Start next-release notes. Make "certifi" optional on py34. Fix multiple calls to Event.clear. Import unittest2 in locks_test if needed. Fix SSLIOStream in Python 3.5a1. Fix web_test for python 3.5a1. Remove long-forgotten (and overly pessimistic) README. Fix simple typo in httpclient exception message. Simpler markup in Event.wait docstring. Rename TestEvent to EventTest. Add tornado.locks.Semaphore
4.1.009 Feb 2015 15:05 minor feature: If a Future contains an exception but that exception is never examined or re-raised (e.g. by yielding the Future), a stack trace will be logged when the Future is garbage-collected. New class tornado.gen.WaitIterator provides a way to iterate over Futures in the order they resolve. The tornado.websocket module now supports compression via the permessage-deflate extension. Override WebSocketHandler.get_compression_options to enable on the server side, and use the compression_options keyword argument to websocket_connect on the client side. When the appropriate packages are installed, it is possible to yield asyncio.Future or Twisted Defered objects in Tornado coroutines.
4.1.0b203 Feb 2015 02:45 minor feature: Update running.rst. adding hint to supervisord minfds. Include the ability to yield asyncio and twisted objects in highlights. Replace most testing uses of 'localhost' with ''. a wrong describle. Merge branch 'stable'. Add syntax highlighting to Hello World example. Fix a DeprecationWarning in twisted_test with Twisted 15.0. Disable twisted_web tests on python 3. Merge branch 'master' of Silence a warning on freebsd. Use self.io_loop in with_timeout tests. Update docs for UIModule. Set version number to 4.1b2
4.1.0b125 Jan 2015 11:25 minor feature: Added support for on_message_callback for WebSocket clients. Fixed bad Sphinx target reference. Make options.parse_config_file supporting custom encoding. Assume all config files are encoded in UTF-8. Improve curl_httpclient so it supports custom methods with payload. Merge branch 'master' of Fixes bug disallowing custom-made reason phrase. remove dead code. Bump master branch version number. Merge branch 'branch4.0'. Read config file in binary mode instead of try/except TypeError. make IOCMD_RESTARTREAD available for PUT requests. Fall back to pure-python mode on any exception during the build. Add test for curl_httpclient ioctl change. Add a default value to a getaddr() call in HTTPServerRequest. Add missing return statements to call_at and call_later. Disable test_post_307 due to a libcurl bug that manifests with Twiste?. Merge branch 'branch4.0'. Refactor Resolver error tests to mock getaddrinfo. Add an ubuntu 14.04 vagrant config; drop 12.10. Merge branch 'master' of Refactor: simplify patch test according to @bdarnell recommendations at . Move patch test to httpclient_test, according to @bdarnell recommenda?. Fix tests so they are compatible with python 3.x. Added a test for extra CRLF lines in keep-alive connections. Support for non-RFC compliant header prefixes. Added a regression test for keep-alive chunked POST. Fixed a bug with keep-alive chunked requests. Fix a potential leak of an unclosed AsyncHTTPClient. Cite RFC 2730 when stripping extraneous line breaks. Code cleanup with guided by @bdarnell at #1090. Merge branch 'master' of Merge branch 'branch4.0'. Add "sudo: false" to .travis.yml in an attempt to stop the random bui?. Improve error handling during ssl handshake. Merge branch 'branch4.0'. Implement permessage-deflate websocket extension. Support the max_wbits websocket deflate parameters. Add code from asyncio that detects whether a future object is d
4.0.220 Nov 2014 03:18 minor feature: Set version number in branch4.0 to 4.0.2.dev1. Fix a regression in which a timeout could fire after being cancelled. Fixed support for test generators. Fix a regression in gzip output for StaticFileHandler. Add missing argument max_buffer_size to TCPClient.connect in SimpleAs?. Fix a subtle reference cycle that can lead to increased memory consum?. Limit the number of connections we will accept per call to accept_han?. Fix an erroneous return of None in IOStream.connect. Add release notes for 4.0.2. Set version number to 4.0.2
4.0.0b303 Aug 2014 03:15 minor feature: Split overview.rst into separate files.. Fix binary websocket connections. Merge pull request #1091 from xose/patch-1. Merge branch 'master' of Add tests for both binary and unicode messages in websockets.. Disable twisted tests on pypy on travis-ci since they seem to be flaky.. Expand and rewrite the guide docs.. Merge branch 'guide'. Rewrite chatdemo to use a coroutine instead of callbacks.. Add a test for exception in websocket callbacks.. Fix outdated variable name in docs.. Remove length requirement from v1 XSRF tokens. Turn short and hex XSRF tests into success tests. Don't raise when failing to hex decode XSRF v1. Catch `binascii.a2b_hex` errors on Python 3. Merge remote-tracking branch 'tictail/branch3.2'. Add XSRF change to the release notes.. Set version number to 4.0b3.