Skip to content

Tags: ripingit/tornado

Tags

v4.4.2

Toggle v4.4.2's commit message
What's new in Tornado 4.4.2

===========================

Oct 1, 2016
------------

Security fixes
~~~~~~~~~~~~~~

* A difference in cookie parsing between Tornado and web browsers
  (especially when combined with Google Analytics) could allow an
  attacker to set arbitrary cookies and bypass XSRF protection. The
  cookie parser has been rewritten to fix this attack.

Backwards-compatibility notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* Cookies containing certain special characters (in particular semicolon
  and square brackets) are now parsed differently.
* If the cookie header contains a combination of valid and invalid cookies,
  the valid ones will be returned (older versions of Tornado would reject the
  entire header for a single invalid cookie).

v4.4.1

Toggle v4.4.1's commit message
What's new in Tornado 4.4.1

===========================

Jul 23, 2016
------------

`tornado.web`
~~~~~~~~~~~~~

* Fixed a regression in Tornado 4.4 which caused URL regexes
  containing backslash escapes outside capturing groups to be
  rejected.

v4.4.0

Toggle v4.4.0's commit message
What's new in Tornado 4.4

=========================

Jul 15, 2016
------------

General
~~~~~~~

* Tornado now requires Python 2.7 or 3.3+; versions 2.6 and 3.2 are no
  longer supported. Pypy3 is still supported even though its latest
  release is mainly based on Python 3.2.
* The `monotonic <https://pypi.python.org/pypi/monotonic>`_ package is
  now supported as an alternative to `Monotime
  <https://pypi.python.org/pypi/Monotime>`_ for monotonic clock support
  on Python 2.

``tornado.curl_httpclient``
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* Failures in ``_curl_setup_request`` no longer cause the
  ``max_clients`` pool to be exhausted.
* Non-ascii header values are now handled correctly.

`tornado.gen`
~~~~~~~~~~~~~

* `.with_timeout` now accepts any yieldable object (except
  `.YieldPoint`), not just `tornado.concurrent.Future`.

`tornado.httpclient`
~~~~~~~~~~~~~~~~~~~~

* The errors raised by timeouts now indicate what state the request
  was in; the error message is no longer simply "599 Timeout".
* Calling `repr` on a `tornado.httpclient.HTTPError` no longer raises
  an error.

`tornado.httpserver`
~~~~~~~~~~~~~~~~~~~~

* Int-like enums (including `http.HTTPStatus`) can now be used as
  status codes.
* Responses with status code ``204 No Content`` no longer emit a
  ``Content-Length: 0`` header.

`tornado.ioloop`
~~~~~~~~~~~~~~~~

* Improved performance when there are large numbers of active timeouts.

`tornado.netutil`
~~~~~~~~~~~~~~~~~

* All included `.Resolver` implementations raise `IOError` (or a
  subclass) for any resolution failure.

`tornado.options`
~~~~~~~~~~~~~~~~~

* Options can now be modified with subscript syntax in addition to
  attribute syntax.
* The special variable ``__file__`` is now available inside config files.

``tornado.simple_httpclient``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* HTTP/1.0 (not 1.1) responses without a ``Content-Length`` header now
  work correctly.

`tornado.tcpserver`
~~~~~~~~~~~~~~~~~~~

* `.TCPServer.bind` now accepts a ``reuse_port`` argument.

`tornado.testing`
~~~~~~~~~~~~~~~~~

* Test sockets now always use ``127.0.0.1`` instead of ``localhost``.
  This avoids conflicts when the automatically-assigned port is
  available on IPv4 but not IPv6, or in unusual network configurations
  when ``localhost`` has multiple IP addresses.

`tornado.web`
~~~~~~~~~~~~~

* ``image/svg+xml`` is now on the list of compressible mime types.
* Fixed an error on Python 3 when compression is used with multiple
  ``Vary`` headers.

`tornado.websocket`
~~~~~~~~~~~~~~~~~~~

* ``WebSocketHandler.__init__`` now uses `super`, which improves
  support for multiple inheritance.

v4.4.0b1

Toggle v4.4.0b1's commit message
Set version number to 4.4b1

v4.3.0

Toggle v4.3.0's commit message
Tornado 4.3

Nov 6, 2015
-----------

Highlights
~~~~~~~~~~

* The new async/await keywords in Python 3.5 are supported. In most cases,
  ``async def`` can be used in place of the ``@gen.coroutine`` decorator.
  Inside a function defined with ``async def``, use ``await`` instead of
  ``yield`` to wait on an asynchronous operation. Coroutines defined with
  async/await will be faster than those defined with ``@gen.coroutine`` and
  ``yield``, but do not support some features including `.Callback`/`.Wait` or
  the ability to yield a Twisted ``Deferred``. See :ref:`the users'
  guide <native_coroutines>` for more.
* The async/await keywords are also available when compiling with Cython in
  older versions of Python.

Deprecation notice
~~~~~~~~~~~~~~~~~~

* This will be the last release of Tornado to support Python 2.6 or 3.2.
  Note that PyPy3 will continue to be supported even though it implements
  a mix of Python 3.2 and 3.3 features.

Installation
~~~~~~~~~~~~

* Tornado has several new dependencies: ``ordereddict`` on Python 2.6,
  ``singledispatch`` on all Python versions prior to 3.4 (This was an
  optional dependency in prior versions of Tornado, and is now
  mandatory), and ``backports_abc>=0.4`` on all versions prior to
  3.5. These dependencies will be installed automatically when installing
  with ``pip`` or ``setup.py install``. These dependencies will not
  be required when running on Google App Engine.
* Binary wheels are provided for Python 3.5 on Windows (32 and 64 bit).

`tornado.auth`
~~~~~~~~~~~~~~

* New method `.OAuth2Mixin.oauth2_request` can be used to make authenticated
  requests with an access token.
* Now compatible with callbacks that have been compiled with Cython.

`tornado.autoreload`
~~~~~~~~~~~~~~~~~~~~

* Fixed an issue with the autoreload command-line wrapper in which
  imports would be incorrectly interpreted as relative.

`tornado.curl_httpclient`
~~~~~~~~~~~~~~~~~~~~~~~~~

* Fixed parsing of multi-line headers.
* ``allow_nonstandard_methods=True`` now bypasses body sanity checks,
  in the same way as in ``simple_httpclient``.
* The ``PATCH`` method now allows a body without
  ``allow_nonstandard_methods=True``.

`tornado.gen`
~~~~~~~~~~~~~

* `.WaitIterator` now supports the ``async for`` statement on Python 3.5.
* ``@gen.coroutine`` can be applied to functions compiled with Cython.
  On python versions prior to 3.5, the ``backports_abc`` package must
  be installed for this functionality.
* ``Multi`` and `.multi_future` are deprecated and replaced by
  a unified function `.multi`.

`tornado.httpclient`
~~~~~~~~~~~~~~~~~~~~

* `tornado.httpclient.HTTPError` is now copyable with the `copy` module.

`tornado.httpserver`
~~~~~~~~~~~~~~~~~~~~

* Requests containing both ``Content-Length`` and ``Transfer-Encoding``
  will be treated as an error.

`tornado.httputil`
~~~~~~~~~~~~~~~~~~

* `.HTTPHeaders` can now be pickled and unpickled.

`tornado.ioloop`
~~~~~~~~~~~~~~~~

* ``IOLoop(make_current=True)`` now works as intended instead
  of raising an exception.
* The Twisted and asyncio IOLoop implementations now clear
  ``current()`` when they exit, like the standard IOLoops.
* `.IOLoop.add_callback` is faster in the single-threaded case.
* `.IOLoop.add_callback` no longer raises an error when called on
  a closed IOLoop, but the callback will not be invoked.

`tornado.iostream`
~~~~~~~~~~~~~~~~~~

* Coroutine-style usage of `.IOStream` now converts most errors into
  `.StreamClosedError`, which has the effect of reducing log noise from
  exceptions that are outside the application's control (especially
  SSL errors).
* `.StreamClosedError` now has a ``real_error`` attribute which indicates
  why the stream was closed. It is the same as the ``error`` attribute of
  `.IOStream` but may be more easily accessible than the `.IOStream` itself.
* Improved error handling in `~.BaseIOStream.read_until_close`.
* Logging is less noisy when an SSL server is port scanned.
* ``EINTR`` is now handled on all reads.

`tornado.locale`
~~~~~~~~~~~~~~~~

* `tornado.locale.load_translations` now accepts encodings other than
  UTF-8. UTF-16 and UTF-8 will be detected automatically if a BOM is
  present; for other encodings `.load_translations` has an ``encoding``
  parameter.

`tornado.locks`
~~~~~~~~~~~~~~~

* `.Lock` and `.Semaphore` now support the ``async with`` statement on
  Python 3.5.

`tornado.log`
~~~~~~~~~~~~~

* A new time-based log rotation mode is available with
  ``--log_rotate_mode=time``, ``--log-rotate-when``, and
  ``log-rotate-interval``.

`tornado.netutil`
~~~~~~~~~~~~~~~~~

* `.bind_sockets` now supports ``SO_REUSEPORT`` with the ``reuse_port=True``
  argument.

`tornado.options`
~~~~~~~~~~~~~~~~~

* Dashes and underscores are now fully interchangeable in option names.

`tornado.queues`
~~~~~~~~~~~~~~~~

* `.Queue` now supports the ``async for`` statement on Python 3.5.

`tornado.simple_httpclient`
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* When following redirects, ``streaming_callback`` and
  ``header_callback`` will no longer be run on the redirect responses
  (only the final non-redirect).
* Responses containing both ``Content-Length`` and ``Transfer-Encoding``
  will be treated as an error.

`tornado.template`
~~~~~~~~~~~~~~~~~~

* `tornado.template.ParseError` now includes the filename in addition to
  line number.
* Whitespace handling has become more configurable. The `.Loader`
  constructor now has a ``whitespace`` argument, there is a new
  ``template_whitespace`` `.Application` setting, and there is a new
  ``{% whitespace %}`` template directive. All of these options take
  a mode name defined in the `tornado.template.filter_whitespace` function.
  The default mode is ``single``, which is the same behavior as prior
  versions of Tornado.
* Non-ASCII filenames are now supported.

`tornado.testing`
~~~~~~~~~~~~~~~~~

* `.ExpectLog` objects now have a boolean ``logged_stack`` attribute to
  make it easier to test whether an exception stack trace was logged.

`tornado.web`
~~~~~~~~~~~~~

* The hard limit of 4000 bytes per outgoing header has been removed.
* `.StaticFileHandler` returns the correct ``Content-Type`` for files
  with ``.gz``, ``.bz2``, and ``.xz`` extensions.
* Responses smaller than 1000 bytes will no longer be compressed.
* The default gzip compression level is now 6 (was 9).
* Fixed a regression in Tornado 4.2.1 that broke `.StaticFileHandler`
  with a ``path`` of ``/``.
* `tornado.web.HTTPError` is now copyable with the `copy` module.
* The exception `.Finish` now accepts an argument which will be passed to
  the method `.RequestHandler.finish`.
* New `.Application` setting ``xsrf_cookie_kwargs`` can be used to set
  additional attributes such as ``secure`` or ``httponly`` on the
  XSRF cookie.
* `.Application.listen` now returns the `.HTTPServer` it created.

`tornado.websocket`
~~~~~~~~~~~~~~~~~~~

* Fixed handling of continuation frames when compression is enabled.

v4.3.0b2

Toggle v4.3.0b2's commit message
Set version number to 4.3b2

v4.3.0b1

Toggle v4.3.0b1's commit message
Set version number to 4.3b1

v4.2.1

Toggle v4.2.1's commit message
Tornado 4.2.1

Jul 17, 2015
------------

Security fix
~~~~~~~~~~~~

* This release fixes a path traversal vulnerability in `.StaticFileHandler`,
  in which files whose names *started with* the ``static_path`` directory
  but were not actually *in* that directory could be accessed.

v4.2.0

Toggle v4.2.0's commit message
What's new in Tornado 4.2

=========================

May 26, 2015
------------

Backwards-compatibility notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* ``SSLIOStream.connect`` and `.IOStream.start_tls` now validate certificates
  by default.
* Certificate validation will now use the system CA root certificates instead
  of ``certifi`` when possible (i.e. Python 2.7.9+ or 3.4+). This includes
  `.IOStream` and ``simple_httpclient``, but not ``curl_httpclient``.
* The default SSL configuration has become stricter, using
  `ssl.create_default_context` where available on the client side.
  (On the server side, applications are encouraged to migrate from the
  ``ssl_options`` dict-based API to pass an `ssl.SSLContext` instead).
* The deprecated classes in the `tornado.auth` module, ``GoogleMixin``,
  ``FacebookMixin``, and ``FriendFeedMixin`` have been removed.

New modules: `tornado.locks` and `tornado.queues`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

These modules provide classes for coordinating coroutines, merged from
`Toro <http://toro.readthedocs.org>`_.

To port your code from Toro's queues to Tornado 4.2, import `.Queue`,
`.PriorityQueue`, or `.LifoQueue` from `tornado.queues` instead of from
``toro``.

Use `.Queue` instead of Toro's ``JoinableQueue``. In Tornado the methods
`~.Queue.join` and `~.Queue.task_done` are available on all queues, not on a
special ``JoinableQueue``.

Tornado queues raise exceptions specific to Tornado instead of reusing
exceptions from the Python standard library.
Therefore instead of catching the standard `queue.Empty` exception from
`.Queue.get_nowait`, catch the special `tornado.queues.QueueEmpty` exception,
and instead of catching the standard `queue.Full` from `.Queue.get_nowait`,
catch `tornado.queues.QueueFull`.

To port from Toro's locks to Tornado 4.2, import `.Condition`, `.Event`,
`.Semaphore`, `.BoundedSemaphore`, or `.Lock` from `tornado.locks`
instead of from ``toro``.

Toro's ``Semaphore.wait`` allowed a coroutine to wait for the semaphore to
be unlocked *without* acquiring it. This encouraged unorthodox patterns; in
Tornado, just use `~.Semaphore.acquire`.

Toro's ``Event.wait`` raised a ``Timeout`` exception after a timeout. In
Tornado, `.Event.wait` raises `tornado.gen.TimeoutError`.

Toro's ``Condition.wait`` also raised ``Timeout``, but in Tornado, the `.Future`
returned by `.Condition.wait` resolves to False after a timeout::

    @gen.coroutine
    def await_notification():
        if not (yield condition.wait(timeout=timedelta(seconds=1))):
            print('timed out')
        else:
            print('condition is true')

In lock and queue methods, wherever Toro accepted ``deadline`` as a keyword
argument, Tornado names the argument ``timeout`` instead.

Toro's ``AsyncResult`` is not merged into Tornado, nor its exceptions
``NotReady`` and ``AlreadySet``. Use a `.Future` instead. If you wrote code like
this::

    from tornado import gen
    import toro

    result = toro.AsyncResult()

    @gen.coroutine
    def setter():
        result.set(1)

    @gen.coroutine
    def getter():
        value = yield result.get()
        print(value)  # Prints "1".

Then the Tornado equivalent is::

    from tornado import gen
    from tornado.concurrent import Future

    result = Future()

    @gen.coroutine
    def setter():
        result.set_result(1)

    @gen.coroutine
    def getter():
        value = yield result
        print(value)  # Prints "1".

`tornado.autoreload`
~~~~~~~~~~~~~~~~~~~~

* Improved compatibility with Windows.
* Fixed a bug in Python 3 if a module was imported during a reload check.

`tornado.concurrent`
~~~~~~~~~~~~~~~~~~~~

* `.run_on_executor` now accepts arguments to control which attributes
  it uses to find the `.IOLoop` and executor.

`tornado.curl_httpclient`
~~~~~~~~~~~~~~~~~~~~~~~~~

* Fixed a bug that would cause the client to stop processing requests
  if an exception occurred in certain places while there is a queue.

`tornado.escape`
~~~~~~~~~~~~~~~~

* `.xhtml_escape` now supports numeric character references in hex
  format (``&#x20;``)

`tornado.gen`
~~~~~~~~~~~~~

* `.WaitIterator` no longer uses weak references, which fixes several
  garbage-collection-related bugs.
* `tornado.gen.Multi` and `tornado.gen.multi_future` (which are used when
  yielding a list or dict in a coroutine) now log any exceptions after the
  first if more than one `.Future` fails (previously they would be logged
  when the `.Future` was garbage-collected, but this is more reliable).
  Both have a new keyword argument ``quiet_exceptions`` to suppress
  logging of certain exception types; to use this argument you must
  call ``Multi`` or ``multi_future`` directly instead of simply yielding
  a list.
* `.multi_future` now works when given multiple copies of the same `.Future`.
* On Python 3, catching an exception in a coroutine no longer leads to
  leaks via ``Exception.__context__``.

`tornado.httpclient`
~~~~~~~~~~~~~~~~~~~~

* The ``raise_error`` argument now works correctly with the synchronous
  `.HTTPClient`.
* The synchronous `.HTTPClient` no longer interferes with `.IOLoop.current()`.

`tornado.httpserver`
~~~~~~~~~~~~~~~~~~~~

* `.HTTPServer` is now a subclass of `tornado.util.Configurable`.

`tornado.httputil`
~~~~~~~~~~~~~~~~~~

* `.HTTPHeaders` can now be copied with `copy.copy` and `copy.deepcopy`.

`tornado.ioloop`
~~~~~~~~~~~~~~~~

* The `.IOLoop` constructor now has a ``make_current`` keyword argument
  to control whether the new `.IOLoop` becomes `.IOLoop.current()`.
* Third-party implementations of `.IOLoop` should accept ``**kwargs``
  in their `~.IOLoop.initialize` methods and pass them to the superclass
  implementation.
* `.PeriodicCallback` is now more efficient when the clock jumps forward
  by a large amount.

`tornado.iostream`
~~~~~~~~~~~~~~~~~~

* ``SSLIOStream.connect`` and `.IOStream.start_tls` now validate certificates
  by default.
* New method `.SSLIOStream.wait_for_handshake` allows server-side applications
  to wait for the handshake to complete in order to verify client certificates
  or use NPN/ALPN.
* The `.Future` returned by ``SSLIOStream.connect`` now resolves after the
  handshake is complete instead of as soon as the TCP connection is
  established.
* Reduced logging of SSL errors.
* `.BaseIOStream.read_until_close` now works correctly when a
  ``streaming_callback`` is given but ``callback`` is None (i.e. when
  it returns a `.Future`)

`tornado.locale`
~~~~~~~~~~~~~~~~

* New method `.GettextLocale.pgettext` allows additional context to be
  supplied for gettext translations.

`tornado.log`
~~~~~~~~~~~~~

* `.define_logging_options` now works correctly when given a non-default
  ``options`` object.

`tornado.process`
~~~~~~~~~~~~~~~~~

* New method `.Subprocess.wait_for_exit` is a coroutine-friendly
  version of `.Subprocess.set_exit_callback`.

`tornado.simple_httpclient`
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* Improved performance on Python 3 by reusing a single `ssl.SSLContext`.
* New constructor argument ``max_body_size`` controls the maximum response
  size the client is willing to accept. It may be bigger than
  ``max_buffer_size`` if ``streaming_callback`` is used.

`tornado.tcpserver`
~~~~~~~~~~~~~~~~~~~

* `.TCPServer.handle_stream` may be a coroutine (so that any exceptions
  it raises will be logged).

`tornado.util`
~~~~~~~~~~~~~~

* `.import_object` now supports unicode strings on Python 2.
* `.Configurable.initialize` now supports positional arguments.

`tornado.web`
~~~~~~~~~~~~~

* Key versioning support for cookie signing. ``cookie_secret`` application
  setting can now contain a dict of valid keys with version as key. The
  current signing key then must be specified via ``key_version`` setting.
* Parsing of the ``If-None-Match`` header now follows the RFC and supports
  weak validators.
* Passing ``secure=False`` or ``httponly=False`` to
  `.RequestHandler.set_cookie` now works as expected (previously only the
  presence of the argument was considered and its value was ignored).
* `.RequestHandler.get_arguments` now requires that its ``strip`` argument
  be of type bool. This helps prevent errors caused by the slightly dissimilar
  interfaces between the singular and plural methods.
* Errors raised in ``_handle_request_exception`` are now logged more reliably.
* `.RequestHandler.redirect` now works correctly when called from a handler
  whose path begins with two slashes.
* Passing messages containing ``%`` characters to `tornado.web.HTTPError`
  no longer causes broken error messages.

`tornado.websocket`
~~~~~~~~~~~~~~~~~~~

* The ``on_close`` method will no longer be called more than once.
* When the other side closes a connection, we now echo the received close
  code back instead of sending an empty close frame.

v4.2.0b1

Toggle v4.2.0b1's commit message
Fix title of 4.2 release notes page