Merge commit 'v1.1.1'

Conflicts:
	setup.py

setup.py

@@ -31,7 +31,7 @@
     extensions.append(distutils.core.Extension(
         "tornado.epoll", ["tornado/epoll.c"]))
 
-version = "1.1"
+version = "1.1.1"
 
 distutils.core.setup(
     name="tornado",

tornado/__init__.py

@@ -16,5 +16,5 @@
 
 """The Tornado web server and tools."""
 
-version = "1.1"
-version_info = (1, 1, 0)
+version = "1.1.1"
+version_info = (1, 1, 1)

tornado/web.py

@@ -726,16 +726,27 @@ def xsrf_token(self):
     def check_xsrf_cookie(self):
         """Verifies that the '_xsrf' cookie matches the '_xsrf' argument.
 
-        To prevent cross-site request forgery, we set an '_xsrf' cookie
-        and include the same '_xsrf' value as an argument with all POST
-        requests. If the two do not match, we reject the form submission
-        as a potential forgery.
+        To prevent cross-site request forgery, we set an '_xsrf'
+        cookie and include the same value as a non-cookie
+        field with all POST requests. If the two do not match, we
+        reject the form submission as a potential forgery.
+
+        The _xsrf value may be set as either a form field named _xsrf
+        or in a custom HTTP header named X-XSRFToken or X-CSRFToken
+        (the latter is accepted for compatibility with Django).
 
         See http://en.wikipedia.org/wiki/Cross-site_request_forgery
+
+        Prior to release 1.1.1, this check was ignored if the HTTP header
+        "X-Requested-With: XMLHTTPRequest" was present.  This exception
+        has been shown to be insecure and has been removed.  For more
+        information please see
+        http://www.djangoproject.com/weblog/2011/feb/08/security/
+        http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
         """
-        if self.request.headers.get("X-Requested-With") == "XMLHttpRequest":
-            return
-        token = self.get_argument("_xsrf", None)
+        token = (self.get_argument("_xsrf", None) or
+                 self.request.headers.get("X-Xsrftoken") or
+                 self.request.headers.get("X-Csrftoken"))
         if not token:
             raise HTTPError(403, "'_xsrf' argument missing from POST")
         if self.xsrf_token != token:

website/templates/documentation.txt

@@ -50,12 +50,12 @@ Download
 --------
 Download the most recent version of Tornado from GitHub:
 
-> [tornado-1.1.tar.gz](http://github.com/downloads/facebook/tornado/tornado-1.1.tar.gz)
+> [tornado-1.1.1.tar.gz](http://github.com/downloads/facebook/tornado/tornado-1.1.1.tar.gz)
 
 You can also [browse the source](http://github.com/facebook/tornado) on GitHub. To install Tornado:
 
-    tar xvzf tornado-1.1.tar.gz
-    cd tornado-1.1
+    tar xvzf tornado-1.1.1.tar.gz
+    cd tornado-1.1.1
     python setup.py build
     sudo python setup.py install
 

website/templates/index.html

@@ -6,9 +6,9 @@
   <p>See the <a href="/documentation">Tornado documentation</a> for a detailed walkthrough of the framework.</p>
 
   <h2>Download and install</h2>
-  <p><b>Download:</b> <a href="http://github.com/downloads/facebook/tornado/tornado-1.1.tar.gz">tornado-1.1.tar.gz</a></p>
-  <pre><code>tar xvzf tornado-1.1.tar.gz
-cd tornado-1.1
+  <p><b>Download:</b> <a href="http://github.com/downloads/facebook/tornado/tornado-1.1.1.tar.gz">tornado-1.1.1.tar.gz</a></p>
+  <pre><code>tar xvzf tornado-1.1.1.tar.gz
+cd tornado-1.1.1
 python setup.py build
 sudo python setup.py install</code></pre>
   <p>The Tornado source code is <a href="http://github.com/facebook/tornado">hosted on GitHub</a>.  On Python 2.6+, it is also possible to simply add the tornado directory to your <code>PYTHONPATH</code> instead of building with <code>setup.py</code>, since the standard library includes <code>epoll</code> support.</p>