--- /dev/null
+What's new in Tornado 3.2.1
+===========================
+
+May 5, 2014
+-----------
+
+Security fixes
+~~~~~~~~~~~~~~
+
+* The signed-value format used by `.RequestHandler.set_secure_cookie`
+ and `.RequestHandler.get_secure_cookie` has changed to be more secure.
+ **This is a disruptive change**. The ``secure_cookie`` functions
+ take new ``version`` parameters to support transitions between cookie
+ formats.
+* The new cookie format fixes a vulnerability that may be present in
+ applications that use multiple cookies where the name of one cookie
+ is a prefix of the name of another.
+* To minimize disruption, cookies in the older format will be accepted
+ by default until they expire. Applications that may be vulnerable
+ can reject all cookies in the older format by passing ``min_version=2``
+ to `.RequestHandler.get_secure_cookie`.
+
+Backwards-compatibility notes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Signed cookies issued by `.RequestHandler.set_secure_cookie` in Tornado
+ 3.2.1 cannot be read by older releases. If you need to run 3.2.1
+ in parallel with older releases, you can pass ``version=1`` to
+ `.RequestHandler.set_secure_cookie` to issue cookies that are
+ backwards-compatible (but have a known weakness, so this option
+ should only be used for a transitional period).
+
+Other changes
+~~~~~~~~~~~~~
+
+* The C extension used to speed up the websocket module now compiles
+ correctly on Windows with MSVC and 64-bit mode. The fallback to
+ the pure-Python alternative now works correctly on Mac OS X machines
+ with no C compiler installed.
projects / thirdparty / tornado.git / commitdiff
