From: Ben Darnell Date: Tue, 6 May 2014 02:27:20 +0000 (-0400) Subject: v3.2.1 release notes X-Git-Tag: v3.2.1~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3488413e9d29613a9414e8251f6b1653987dbd43;p=thirdparty%2Ftornado.git v3.2.1 release notes --- diff --git a/docs/releases.rst b/docs/releases.rst index a4d12a703..dd39af90a 100644 --- a/docs/releases.rst +++ b/docs/releases.rst @@ -4,6 +4,7 @@ Release notes .. toctree:: :maxdepth: 2 + releases/v3.2.1 releases/v3.2.0 releases/v3.1.1 releases/v3.1.0 diff --git a/docs/releases/v3.2.1.rst b/docs/releases/v3.2.1.rst new file mode 100644 index 000000000..b63641102 --- /dev/null +++ b/docs/releases/v3.2.1.rst 
@@ -0,0 +1,39 @@ +What's new in Tornado 3.2.1 +=========================== + +May 5, 2014 +----------- + +Security fixes +~~~~~~~~~~~~~~ + +* The signed-value format used by `.RequestHandler.set_secure_cookie` + and `.RequestHandler.get_secure_cookie` has changed to be more secure. + **This is a disruptive change**. The ``secure_cookie`` functions + take new ``version`` parameters to support transitions between cookie + formats. +* The new cookie format fixes a vulnerability that may be present in + applications that use multiple cookies where the name of one cookie + is a prefix of the name of another. +* To minimize disruption, cookies in the older format will be accepted + by default until they expire. Applications that may be vulnerable + can reject all cookies in the older format by passing ``min_version=2`` + to `.RequestHandler.get_secure_cookie`. + +Backwards-compatibility notes +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* Signed cookies issued by `.RequestHandler.set_secure_cookie` in Tornado + 3.2.1 cannot be read by older releases. If you need to run 3.2.1 + in parallel with older releases, you can pass ``version=1`` to + `.RequestHandler.set_secure_cookie` to issue cookies that are + backwards-compatible (but have a known weakness, so this option + should only be used for a transitional period). + +Other changes +~~~~~~~~~~~~~ + +* The C extension used to speed up the websocket module now compiles + correctly on Windows with MSVC and 64-bit mode. The fallback to + the pure-Python alternative now works correctly on Mac OS X machines + with no C compiler installed.
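Review bot: In docs/releases/v3.2.1.rst, the first Security fixes bullet says the ``secure_cookie`` functions "take new ``version`` parameters" but does not name them. The names only surface later: ``min_version=2`` for `.RequestHandler.get_secure_cookie` in the third bullet, and ``version=1`` for `.RequestHandler.set_secure_cookie` under Backwards-compatibility notes. Suggest naming both parameters, with their defaults, in the first bullet so that someone upgrading does not have to piece them together. The second bullet stops at "a vulnerability that may be present" for applications where one cookie name is a prefix of another. One sentence on the impact for such an application would help operators decide whether to pass ``min_version=2`` immediately or let old-format cookies expire. Finally, the backwards-compatibility note says ``version=1`` cookies "have a known weakness"; a cross-reference back to the Security fixes section would make clear whether that is the same issue.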