What's new in Tornado 6.5.0
===========================
-In progress
------------
+May 15, 2025
+------------
+
+Security Improvements
+~~~~~~~~~~~~~~~~~~~~~
+
+- Previously, malformed ``multipart-form-data`` requests could log multiple warnings and
+ constitute a denial-of-service attack. Now an exception is raised at the first error, so there
+ is only one log message per request. This fixes
+ `CVE-2025-47287 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m>`_.
General Changes
~~~~~~~~~~~~~~~
- Python 3.14 is now supported. Older versions of Tornado will work on Python 3.14 but may log
deprecation warnings.
+- The free-threading mode of Python 3.13 is now supported on an experimental basis. Prebuilt
+ wheels are not yet available for this configuration, but it can be built from source.
- The minimum supported Python version is 3.9.
Deprecation Notices
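
Review bot: In the new Security Improvements entry the content type is written ``multipart-form-data``; the media type is ``multipart/form-data``, which is the string readers will search for when matching this note to the advisory. The entry also says only that "an exception is raised at the first error" without naming the exception or the function that raises it, so code that calls the parser directly cannot tell from this note what it now has to catch. Suggest naming both in the entry.
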
- Support for ``obs-fold`` continuation lines in HTTP headers is deprecated and will be removed in
Tornado 7.0, as is the use of carriage returns without line feeds as header separators.
-- The ``callback`` argument to ``websocket_connect`` is deprecated and will be removed in
+- The ``callback`` argument to `.websocket_connect` is deprecated and will be removed in
Tornado 7.0. Note that ``on_message_callback`` is not deprecated.
- The ``log_message`` and ``args`` attributes of `tornado.web.HTTPError` are deprecated. Use the
new ``get_message`` method instead.
- `.RequestHandler.get_cookie` now has more accurate types.
- The return type of `.UIModule.render` may now be either `str` or `bytes`.
-``tornado.httputil``
-~~~~~~~~~~~~~~~~~~~~
+`tornado.httputil`
+~~~~~~~~~~~~~~~~~~
- Support for ``obs-fold`` continuation lines in HTTP headers is deprecated and will be removed in
Tornado 7.0, as is the use of carriage returns without line feeds as header separators.
error to send more than one ``Host`` header, or to omit a ``Host`` header for a request that is
not using HTTP/1.0.
-``tornado.netutil``
-~~~~~~~~~~~~~~~~~~~
+`tornado.ioloop`
+~~~~~~~~~~~~~~~~
-- ``.bind_unix_socket`` now supports the Linux abstract namespace.
+- Fixed a bug in which `contextvars` that were set when the event loop was created were not
+ available inside the event loop on Windows.
+`tornado.netutil`
+~~~~~~~~~~~~~~~~~
-``tornado.platform.twisted``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+- `.bind_unix_socket` now supports the Linux abstract namespace.
+
+
+`tornado.platform.twisted`
+~~~~~~~~~~~~~~~~~~~~~~~~~~
- ``TwistedResolver`` has been deleted. It was already deprecated and scheduled for removal
in Tornado 7.0, but due to the adoption of RFC 8482 it no longer works for most
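
Review bot: The relocated `.bind_unix_socket` entry announces Linux abstract namespace support without any caveat. Abstract-namespace sockets have no filesystem entry, so file permissions do not limit which local processes can connect; one sentence saying so would help anyone who relies on socket file permissions for access control. Minor: the entry is followed by two added blank lines where one would do.
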
and it is also deprecated. Most users should switch to the default resolver, which uses
threads.
-``tornado.web``
-~~~~~~~~~~~~~~~
+`tornado.web`
+~~~~~~~~~~~~~
- The set of characters allowed in (outgoing) HTTP headers now matches the RFCs. Specifically, tab
characters are now allowed and DEL is not.
- Invalid ``If-Modified-Since`` headers are now ignored instead of causing a 500 error.
-- ``%`` characters in the log message of ``tornado.web.HTTPError`` are no longer doubled when no
+- ``%`` characters in the log message of `tornado.web.HTTPError` are no longer doubled when no
additional arguments are passed. This matches the behavior of `logging.LogRecord`. A new method
``get_message`` has been added to ``HTTPError`` to allow access to the fully-substituted message;
directly accessing ``log_message`` and ``args`` is deprecated.
-``tornado.websocket``
-~~~~~~~~~~~~~~~~~~~~~
+`tornado.websocket`
+~~~~~~~~~~~~~~~~~~~
- Some bugs involving ``ping_interval`` and ``ping_timeout`` have been fixed. Setting the
``ping_timeout`` greater than the ``ping_interval`` is no longer supported. The default
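
Review bot: The ``%`` entry now cross-references `tornado.web.HTTPError` on its first line, but two lines further down the same entry still writes ``HTTPError`` and ``get_message`` as plain literals, so the new method gets no link in the rendered notes. If ``get_message`` is documented, suggest referencing it there (for example `.HTTPError.get_message`) so the entry matches the other references this change introduces.
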