What's new in Tornado 6.5.4
===========================

Dec 15, 2025
------------

Bug fixes
~~~~~~~~~

- The ``in`` operator for ``HTTPHeaders`` was incorrectly case-sensitive,
  causing lookups to fail for headers with different casing than the
  original header name. This was a regression in version 6.5.3 and has been
  fixed to restore the intended case-insensitive behavior from version 6.5.2
  and earlier.
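
Added example (illustrative code written for these notes, not Tornado's ``HTTPHeaders``): a header mapping that normalizes the key in every lookup path, beside a variant whose ``__contains__`` falls back to ``dict``'s case-sensitive check, which is the shape of the 6.5.3 regression. A guard such as ``"Content-Length" in headers`` silently stops matching when the caller's casing differs from the stored one; class and function names are this example's own.

```python
class CaseInsensitiveHeaders(dict):
    """Header mapping with case-insensitive keys (illustrative; not Tornado's
    HTTPHeaders).

    Keys are stored in canonical form, so every method that takes a key must
    normalize it first, including ``__contains__``.  Populate via item
    assignment: dict's own constructor and update() bypass __setitem__.
    """

    @staticmethod
    def _norm(name: str) -> str:
        return "-".join(part.capitalize() for part in name.split("-"))

    def __setitem__(self, name, value):
        super().__setitem__(self._norm(name), value)

    def __getitem__(self, name):
        return super().__getitem__(self._norm(name))

    def __contains__(self, name):
        # The lookup path the 6.5.3 regression effectively lost.
        return super().__contains__(self._norm(name))

    def get(self, name, default=None):
        return super().get(self._norm(name), default)


class RegressedHeaders(CaseInsensitiveHeaders):
    """Same storage, but ``in`` uses dict's case-sensitive check (the bug shape)."""

    __contains__ = dict.__contains__


def has_header(headers, name: str) -> bool:
    """A typical guard; on RegressedHeaders it is wrong whenever the caller's
    casing differs from the canonical stored form."""
    return name in headers
```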
What's new in Tornado 6.5.3
===========================

Dec 10, 2025
------------

Security fixes
~~~~~~~~~~~~~~

- Fixed a denial-of-service vulnerability involving quadratic computation
  when parsing ``multipart/form-data`` request bodies.
  `CVE-2025-67726 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-jhmp-mqwm-3gq8>`_.
  Thanks to `Finder16 <https://github.com/Finder16>`_ for reporting this issue.
- Fixed a denial-of-service vulnerability involving quadratic computation
  when parsing repeated HTTP headers.
  `CVE-2025-67725 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-c98p-7wgm-6p64>`_.
  Thanks to `Finder16 <https://github.com/Finder16>`_ for reporting this issue.
- Fixed a header injection and XSS vulnerability involving the ``reason``
  argument to `.RequestHandler.set_status` and `tornado.web.HTTPError`.
  `CVE-2025-67724 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f>`_.
  Thanks to `Finder16 <https://github.com/Finder16>`_ and
  `Cheshire1225 <https://github.com/Cheshire1225>`_ for reporting this issue.

Demo changes
~~~~~~~~~~~~

- Several demo applications bundled with the Tornado repo (``blog``, ``chat``,
  ``facebook``) had an open redirect vulnerability which has been fixed. This
  is not covered by a CVE or security advisory since the demo applications are
  not included as a part of the Tornado package when installed, but developers
  who have copied code from these demos may wish to review their own
  applications for open redirects. Thanks to `J1vvoo <https://github.com/J1vvoo>`_
  for reporting this issue.
- The ``s3server`` demo application contained some path traversal
  vulnerabilities. Since this demo application was not demonstrating any
  interesting aspects of Tornado, it has been deleted rather than being fixed.
  Thanks to `J1vvoo <https://github.com/J1vvoo>`_ for reporting this issue.
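
Added example of the defensive rule behind the ``reason`` fix (written for these notes; not Tornado's own code): a reason phrase is restricted to the RFC 9112 grammar (HTAB, SP, VCHAR, obs-text), so CR, LF and other control characters can never reach the status line, and it is HTML-escaped before being echoed into an error page. The regex and function names are this example's own.

```python
import html
import re

# RFC 9112: reason-phrase = *( HTAB / SP / VCHAR / obs-text ).  Everything
# else, notably CR, LF and the remaining control characters (incl. DEL), is
# rejected.  Illustrative code for these notes, not Tornado's implementation.
_REASON_RE = re.compile(r"[\t \x21-\x7e\x80-\xff]*")


def validate_reason(reason: str) -> str:
    """Return ``reason`` unchanged if it is a legal reason-phrase, else raise."""
    if not _REASON_RE.fullmatch(reason):
        raise ValueError("invalid characters in HTTP reason phrase")
    return reason


def is_safe_reason(reason: str) -> bool:
    """Boolean form of validate_reason for callers that prefer not to catch."""
    return _REASON_RE.fullmatch(reason) is not None


def status_line(code: int, reason: str) -> bytes:
    """Build the status line.  Because CR/LF are refused, a caller-supplied
    reason cannot end the line early and smuggle in extra header fields."""
    if not 100 <= code <= 599:
        raise ValueError("status code out of range")
    return f"HTTP/1.1 {code} {validate_reason(reason)}\r\n".encode("latin-1")


def error_page(code: int, reason: str) -> str:
    """Minimal error body.  Escaping the reason on output is the XSS half of
    the fix for handlers that echo it into HTML."""
    safe = html.escape(validate_reason(reason), quote=True)
    return f"<html><title>{code}: {safe}</title><body>{code}: {safe}</body></html>"
```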
What's new in Tornado 6.5.2
===========================

Aug 8, 2025
-----------

Bug fixes
~~~~~~~~~

- Fixed a bug that resulted in WebSocket pings not being sent at the
  configured interval.
- Improved logging for invalid ``Host`` headers. This was previously logged
  as an uncaught exception with a stack trace; now it is simply a 400
  response (logged as a warning in the access log).
- Restored the ``host`` argument to `.HTTPServerRequest`. This argument is
  deprecated and will be removed in the future, but its removal with no
  warning in 6.5.0 was a mistake.
- Removed a debugging print statement that was left in the code.
- Improved type hints for ``gen.multi``.
What's new in Tornado 6.5.0
===========================

May 15, 2025
------------

Security Improvements
~~~~~~~~~~~~~~~~~~~~~

- Previously, malformed ``multipart/form-data`` requests could log multiple
  warnings and constitute a denial-of-service attack. Now an exception is
  raised at the first error, so there is only one log message per request.
  This fixes `CVE-2025-47287 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m>`_.

General Changes
~~~~~~~~~~~~~~~

- Python 3.14 is now supported. Older versions of Tornado will work on
  Python 3.14 but may log deprecation warnings.
- The free-threading mode of Python 3.13 is now supported on an experimental
  basis. Prebuilt wheels are not yet available for this configuration, but it
  can be built from source.
- The minimum supported Python version is 3.9.

Deprecation Notices
~~~~~~~~~~~~~~~~~~~

- Support for ``obs-fold`` continuation lines in HTTP headers is deprecated
  and will be removed in Tornado 7.0, as is the use of carriage returns
  without line feeds as header separators.
- The ``callback`` argument to `.websocket_connect` is deprecated and will be
  removed in Tornado 7.0. Note that ``on_message_callback`` is not deprecated.
- The ``log_message`` and ``args`` attributes of `tornado.web.HTTPError` are
  deprecated. Use the new ``get_message`` method instead.

Type Annotation Changes
~~~~~~~~~~~~~~~~~~~~~~~

- `tornado.concurrent.chain_future` is now typed as accepting both asyncio
  and concurrent Futures.
- `tornado.gen.multi` and ``multi_future`` now take ``Sequences`` and
  ``Mappings`` instead of ``List`` and ``Dict``.
- `tornado.httputil.RequestStartLine` and `.ResponseStartLine` now have type
  annotations for their attributes.
- `.HTTPHeaders` now has type annotations for its elements.
- The ``autoescape`` argument to `tornado.template.BaseLoader` is now marked
  as optional.
- ``tornado.routing._RuleList`` is now a ``Sequence`` for more flexibility.
- ``.RequestHandler.SUPPORTED_METHODS`` is now typed to support overriding in
  a subclass.
- Types for `.RequestHandler.get_body_argument` and ``get_query_argument``
  are improved and now match the ``get_argument`` method.
- `.RequestHandler.get_cookie` now has more accurate types.
- The return type of `.UIModule.render` may now be either `str` or `bytes`.

`tornado.httputil`
~~~~~~~~~~~~~~~~~~

- Support for ``obs-fold`` continuation lines in HTTP headers is deprecated
  and will be removed in Tornado 7.0, as is the use of carriage returns
  without line feeds as header separators.
- Request start lines may no longer include control characters.
- Method names containing invalid characters now return error code 400
  instead of 405.
- Header names are now restricted to the set of characters permitted by the
  RFCs.
- Control characters are no longer allowed in (incoming) header values.
- Handling of trailing whitespace in headers has been improved, especially
  with ``obs-fold`` continuation lines.
- The ``Host`` header is now restricted to the set of characters permitted by
  the RFCs. It is now an error to send more than one ``Host`` header, or to
  omit a ``Host`` header for a request that is not using HTTP/1.0.

`tornado.ioloop`
~~~~~~~~~~~~~~~~

- Fixed a bug in which `contextvars` that were set when the event loop was
  created were not available inside the event loop on Windows.

`tornado.netutil`
~~~~~~~~~~~~~~~~~

- `.bind_unix_socket` now supports the Linux abstract namespace.

`tornado.platform.twisted`
~~~~~~~~~~~~~~~~~~~~~~~~~~

- ``TwistedResolver`` has been deleted. It was already deprecated and
  scheduled for removal in Tornado 7.0, but due to the adoption of RFC 8482
  it no longer works for most domain names. This class was primarily intended
  to provide thread-free non-blocking DNS resolution. If that is still
  required, ``tornado.platform.caresresolver`` is the next best option,
  although it has its own limitations which differ from TwistedResolver, and
  it is also deprecated. Most users should switch to the default resolver,
  which uses threads.

`tornado.web`
~~~~~~~~~~~~~

- The set of characters allowed in (outgoing) HTTP headers now matches the
  RFCs. Specifically, tab characters are now allowed and DEL is not.
- Invalid ``If-Modified-Since`` headers are now ignored instead of causing a
  500 error.
- ``%`` characters in the log message of `tornado.web.HTTPError` are no longer
  doubled when no additional arguments are passed. This matches the behavior
  of `logging.LogRecord`. A new method ``get_message`` has been added to
  ``HTTPError`` to allow access to the fully-substituted message; directly
  accessing ``log_message`` and ``args`` is deprecated.

`tornado.websocket`
~~~~~~~~~~~~~~~~~~~

- Some bugs involving ``ping_interval`` and ``ping_timeout`` have been fixed.
  Setting the ``ping_timeout`` greater than the ``ping_interval`` is no longer
  supported. The default ``ping_timeout`` is now equal to the ``ping_interval``.
- The ``callback`` argument to ``websocket_connect`` is deprecated and will be
  removed in Tornado 7.0. Note that ``on_message_callback`` is not deprecated.
What's new in Tornado 6.4.2
===========================

Nov 21, 2024
------------

Security Improvements
~~~~~~~~~~~~~~~~~~~~~

- Parsing of the cookie header is now much more efficient. The older
  algorithm sometimes had quadratic performance which allowed for a
  denial-of-service attack in which the server would spend excessive CPU time
  parsing cookies and block the event loop. This change fixes CVE-2024-7592.
What's new in Tornado 6.4.1
===========================

Jun 6, 2024
-----------

Security Improvements
~~~~~~~~~~~~~~~~~~~~~

- Parsing of the ``Transfer-Encoding`` header is now stricter. Unexpected
  transfer-encoding values were previously ignored and treated as the
  HTTP/1.0 default of read-until-close. This can lead to framing issues with
  certain proxies. We now treat any unexpected value as an error.
- Handling of whitespace in headers now matches the RFC more closely. Only
  space and tab characters are treated as whitespace and stripped from the
  beginning and end of header values. Other unicode whitespace characters are
  now left alone. This could also lead to framing issues with certain proxies.
- ``tornado.curl_httpclient`` now prohibits carriage return and linefeed
  characters in HTTP headers (matching the behavior of
  ``simple_httpclient``). These characters could be used for header injection
  or request smuggling if untrusted data were used in headers.

General Changes
~~~~~~~~~~~~~~~

`tornado.iostream`
~~~~~~~~~~~~~~~~~~

- `.SSLIOStream` now understands changes to error codes from OpenSSL 3.2. The
  main result of this change is to reduce the noise in the logs for certain
  errors.

``tornado.simple_httpclient``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- ``simple_httpclient`` now prohibits carriage return characters in HTTP
  headers. It had previously prohibited only linefeed characters.

`tornado.testing`
~~~~~~~~~~~~~~~~~

- `.AsyncTestCase` subclasses can now be instantiated without being
  associated with a test method. This improves compatibility with test
  discovery in Pytest 8.2.
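
One parser that applies the incoming-header rules from the 6.5.0 ``tornado.httputil`` notes (token-only header names, no control characters in values, exactly one RFC-conformant ``Host`` on non-HTTP/1.0 requests) together with the 6.4.1 changes above (strip only SP and HTAB, treat an unexpected ``Transfer-Encoding`` as an error). Added example written for these notes, not Tornado's parser; the regexes and function names are this example's own, and the sample header lines in the usage are constructed.

```python
import re

# Grammar from RFC 9110 (field-name, field-value), RFC 3986 (host) and RFC 9112
# (Transfer-Encoding).  Illustrative code for these notes, not Tornado's parser.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")          # header name
_FIELD_VALUE_RE = re.compile(r"[\t \x21-\x7e\x80-\xff]*")        # no CTL, no DEL
_HOST_RE = re.compile(r"(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9\-._~%!$&'()*+,;=]*)(?::[0-9]*)?")
_OWS = " \t"  # RFC "optional whitespace" is SP / HTAB only


def parse_header_line(line: str) -> tuple:
    """Split one ``name: value`` line and enforce the character rules."""
    name, sep, value = line.partition(":")
    if not sep or not _TOKEN_RE.fullmatch(name):
        raise ValueError(f"invalid header name: {name!r}")
    # str.strip() would also remove U+00A0 and other Unicode whitespace, so a
    # proxy and this server could disagree on the value; strip SP/HTAB only.
    value = value.strip(_OWS)
    if not _FIELD_VALUE_RE.fullmatch(value):
        raise ValueError(f"invalid header value for {name}")
    return name, value


def parse_headers(lines: list, version: str = "HTTP/1.1") -> dict:
    """Parse a header block into lowercased-name -> list of values."""
    headers = {}
    for line in lines:
        name, value = parse_header_line(line)
        headers.setdefault(name.lower(), []).append(value)
    hosts = headers.get("host", [])
    if len(hosts) > 1:
        raise ValueError("multiple Host headers")
    if not hosts and version != "HTTP/1.0":
        raise ValueError("missing Host header")
    if hosts and not _HOST_RE.fullmatch(hosts[0]):
        raise ValueError("invalid Host header")
    for te in headers.get("transfer-encoding", []):
        # Only the coding we implement is accepted; an unknown value is an
        # error, not a silent fall-back to HTTP/1.0 read-until-close framing.
        if te.lower() != "chunked":
            raise ValueError(f"unsupported Transfer-Encoding: {te}")
    return headers


def header_block_error(lines: list, version: str = "HTTP/1.1"):
    """Return the validation error message, or None when the block is acceptable."""
    try:
        parse_headers(lines, version)
    except ValueError as exc:
        return str(exc)
    return None
```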
What's new in Tornado 6.4.0
===========================

Nov 28, 2023
------------

General Changes
~~~~~~~~~~~~~~~

- Python 3.12 is now supported. Older versions of Tornado will work on
  Python 3.12 but may log deprecation warnings.

Deprecation Notices
~~~~~~~~~~~~~~~~~~~

- `.IOLoop.add_callback_from_signal` is suspected to have been broken since
  Tornado 5.0 and will be removed in version 7.0. Use
  `asyncio.loop.add_signal_handler` instead.
- The ``client_secret`` argument to `.OAuth2Mixin.authorize_redirect` is
  deprecated and will be removed in Tornado 7.0. This argument has never been
  used and other similar methods in this module don't have it.
- `.TwitterMixin` is deprecated and will be removed in the future.

``tornado.auth``
~~~~~~~~~~~~~~~~

- The ``client_secret`` argument to `.OAuth2Mixin.authorize_redirect` is
  deprecated and will be removed in Tornado 7.0. This argument has never been
  used and other similar methods in this module don't have it.
- `.TwitterMixin` is deprecated and will be removed in the future.

``tornado.autoreload``
~~~~~~~~~~~~~~~~~~~~~~

- Autoreload can now be used when the program is run as a directory rather
  than a file or module.
- New CLI flag ``--until-success`` re-runs the program on any failure but
  stops after the first successful run.

``tornado.concurrent``
~~~~~~~~~~~~~~~~~~~~~~

- Fixed reference cycles that could lead to increased memory usage.

``tornado.escape``
~~~~~~~~~~~~~~~~~~

- Several methods in this module now simply pass through to their
  equivalents in the standard library.

``tornado.gen``
~~~~~~~~~~~~~~~

- This module now holds a strong reference to all running `asyncio.Task`
  objects it creates. This prevents premature garbage collection which could
  cause warnings like "Task was destroyed but it is pending!".

``tornado.ioloop``
~~~~~~~~~~~~~~~~~~

- `.IOLoop.add_callback_from_signal` is suspected to have been broken since
  Tornado 5.0 and will be removed in version 7.0. Use
  `asyncio.loop.add_signal_handler` instead.
- The type annotation for `.IOLoop.run_in_executor` has been updated to match
  the updated signature of `asyncio.loop.run_in_executor`.
- Fixed reference cycles that could lead to increased memory usage.

``tornado.locale``
~~~~~~~~~~~~~~~~~~

- `.format_timestamp` now supports "aware" datetime objects.

``tornado.platform.asyncio``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- The shutdown protocol for `.AddThreadSelectorEventLoop` now requires the
  use of `asyncio.run` or `asyncio.loop.shutdown_asyncgens` to avoid leaking
  the thread.
- Introduced `.SelectorThread` class containing the core functionality of
  `.AddThreadSelectorEventLoop`.
- The ``close()`` method of `.AddThreadSelectorEventLoop` is now idempotent.

``tornado.web``
~~~~~~~~~~~~~~~

- `.StaticFileHandler.get_modified_time` now supports "aware" datetime
  objects and the default implementation now returns aware objects.

``tornado.websocket``
~~~~~~~~~~~~~~~~~~~~~

- Unclosed client connections now reliably log a warning. Previously the
  warning was dependent on garbage collection and whether the
  ``ping_interval`` option was used.
- The ``subprotocols`` argument to `.WebSocketClientConnection` now defaults
  to None instead of an empty list (which was mutable and reused).