]> git.ipfire.org Git - thirdparty/tornado.git/commitdiff
projects / thirdparty / tornado.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: cb247cb)
Release notes and version bump for 4.4.2 1852/head
authorBen Darnell <ben@bendarnell.com>
Fri, 30 Sep 2016 16:03:23 +0000 (00:03 +0800)
committerBen Darnell <ben@bendarnell.com>
Fri, 30 Sep 2016 16:35:37 +0000 (00:35 +0800)
docs/releases.rst patch | blob | blame | history
docs/releases/v4.4.2.rst [new file with mode: 0644] patch | blob
setup.py patch | blob | blame | history
tornado/__init__.py patch | blob | blame | history

diff --git a/docs/releases.rst b/docs/releases.rst
index f61d1ccb7f24832c7d1661e1069e6fd3655745d1..a9bfa1c51f0ed532fdc6ca6183ea417aefcfee41 100644 (file)
--- a/docs/releases.rst
+++ b/docs/releases.rst
@@ -4,6 +4,7 @@ Release notes
 .. toctree::
    :maxdepth: 2
 
+   releases/v4.4.2
    releases/v4.4.1
    releases/v4.4.0
    releases/v4.3.0
diff --git a/docs/releases/v4.4.2.rst b/docs/releases/v4.4.2.rst
new file mode 100644 (file)
index 0000000..66349a3
--- /dev/null
+++ b/docs/releases/v4.4.2.rst
@@ -0,0 +1,22 @@
+What's new in Tornado 4.4.2
+===========================
+
+Oct 1, 2016
+------------
+
+Security fixes
+~~~~~~~~~~~~~~
+
+* A difference in cookie parsing between Tornado and web browsers
+  (especially when combined with Google Analytics) could allow an
+  attacker to set arbitrary cookies and bypass XSRF protection. The
+  cookie parser has been rewritten to fix this attack.
+
+Backwards-compatibility notes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Cookies containing certain special characters (in particular semicolon
+  and square brackets) are now parsed differently.
+* If the cookie header contains a combination of valid and invalid cookies,
+  the valid ones will be returned (older versions of Tornado would reject the
+  entire header for a single invalid cookie).
diff --git a/setup.py b/setup.py
index 9eddaeff39b721fe03acbdc45b8e670db6fc4320..8d8109555687191b56f00cddd2ebf92f6b1657a2 100644 (file)
--- a/setup.py
+++ b/setup.py
@@ -103,7 +103,7 @@ http://api.mongodb.org/python/current/installation.html#osx
 
 kwargs = {}
 
-version = "4.4.1"
+version = "4.4.2"
 
 with open('README.rst') as f:
     kwargs['long_description'] = f.read()
diff --git a/tornado/__init__.py b/tornado/__init__.py
index 9778f65868966a9694a719cc1ea6cd16e4698f8b..3b10da51fad08ba03a22670ed142ea21266a0ed1 100644 (file)
--- a/tornado/__init__.py
+++ b/tornado/__init__.py
@@ -25,5 +25,5 @@ from __future__ import absolute_import, division, print_function, with_statement
 # is zero for an official release, positive for a development branch,
 # or negative for a release candidate or beta (after the base version
 # number has been incremented)
-version = "4.4.1"
-version_info = (4, 4, 1, 0)
+version = "4.4.2"
+version_info = (4, 4, 2, 0)
Mirror of https://github.com/tornadoweb/tornado.git