From: Ben Darnell Date: Wed, 14 May 2025 20:50:57 +0000 (-0400) Subject: Final release notes for 6.5.0 X-Git-Tag: v6.5.0^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3498%2Fhead;p=thirdparty%2Ftornado.git Final release notes for 6.5.0 --- diff --git a/docs/releases/v6.5.0.rst b/docs/releases/v6.5.0.rst index 3a7907af..e8dd02c9 100644 --- a/docs/releases/v6.5.0.rst +++ b/docs/releases/v6.5.0.rst @@ -1,14 +1,24 @@ What's new in Tornado 6.5.0 =========================== -In progress ------------ +May 15, 2025 +------------ + +Security Improvements +~~~~~~~~~~~~~~~~~~~~~ + +- Previously, malformed ``multipart-form-data`` requests could log multiple warnings and + constitute a denial-of-service attack. Now an exception is raised at the first error, so there + is only one log message per request. This fixes + `CVE-2025-47287 `_. General Changes ~~~~~~~~~~~~~~~ - Python 3.14 is now supported. Older versions of Tornado will work on Python 3.14 but may log deprecation warnings. +- The free-threading mode of Python 3.13 is now supported on an experimental basis. Prebuilt + wheels are not yet available for this configuration, but it can be built from source. - The minimum supported Python version is 3.9. Deprecation Notices @@ -16,7 +26,7 @@ Deprecation Notices - Support for ``obs-fold`` continuation lines in HTTP headers is deprecated and will be removed in Tornado 7.0, as is the use of carriage returns without line feeds as header separators. -- The ``callback`` argument to ``websocket_connect`` is deprecated and will be removed in +- The ``callback`` argument to `.websocket_connect` is deprecated and will be removed in Tornado 7.0. Note that ``on_message_callback`` is not deprecated. - The ``log_message`` and ``args`` attributes of `tornado.web.HTTPError` are deprecated. Use the new ``get_message`` method instead. @@ -38,8 +48,8 @@ Type Annotation Changes - `.RequestHandler.get_cookie` now has more accurate types. - The return type of `.UIModule.render` may now be either `str` or `bytes`. -``tornado.httputil`` -~~~~~~~~~~~~~~~~~~~~ +`tornado.httputil` +~~~~~~~~~~~~~~~~~~ - Support for ``obs-fold`` continuation lines in HTTP headers is deprecated and will be removed in Tornado 7.0, as is the use of carriage returns without line feeds as header separators. @@ -53,14 +63,20 @@ Type Annotation Changes error to send more than one ``Host`` header, or to omit a ``Host`` header for a request that is not using HTTP/1.0. -``tornado.netutil`` -~~~~~~~~~~~~~~~~~~~ +`tornado.ioloop` +~~~~~~~~~~~~~~~~ -- ``.bind_unix_socket`` now supports the Linux abstract namespace. +- Fixed a bug in which `contextvars` that were set when the event loop was created were not + available inside the event loop on Windows. +`tornado.netutil` +~~~~~~~~~~~~~~~~~ -``tornado.platform.twisted`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +- `.bind_unix_socket` now supports the Linux abstract namespace. + + +`tornado.platform.twisted` +~~~~~~~~~~~~~~~~~~~~~~~~~~ - ``TwistedResolver`` has been deleted. It was already deprecated and scheduled for removal in Tornado 7.0, but due to the adoption of RFC 8482 it no longer works for most @@ -70,19 +86,19 @@ Type Annotation Changes and it is also deprecated. Most users should switch to the default resolver, which uses threads. -``tornado.web`` -~~~~~~~~~~~~~~~ +`tornado.web` +~~~~~~~~~~~~~ - The set of characters allowed in (outgoing) HTTP headers now matches the RFCs. Specifically, tab characters are now allowed and DEL is not. - Invalid ``If-Modified-Since`` headers are now ignored instead of causing a 500 error. -- ``%`` characters in the log message of ``tornado.web.HTTPError`` are no longer doubled when no +- ``%`` characters in the log message of `tornado.web.HTTPError` are no longer doubled when no additional arguments are passed. This matches the behavior of `logging.LogRecord`. A new method ``get_message`` has been added to ``HTTPError`` to allow access to the fully-substituted message; directly accessing ``log_message`` and ``args`` is deprecated. -``tornado.websocket`` -~~~~~~~~~~~~~~~~~~~~~ +`tornado.websocket` +~~~~~~~~~~~~~~~~~~~ - Some bugs involving ``ping_interval`` and ``ping_timeout`` have been fixed. Setting the ``ping_timeout`` greater than the ``ping_interval`` is no longer supported. The default diff --git a/tornado/__init__.py b/tornado/__init__.py index d3ad3bea..29df4439 100644 --- a/tornado/__init__.py +++ b/tornado/__init__.py @@ -22,8 +22,8 @@ # is zero for an official release, positive for a development branch, # or negative for a release candidate or beta (after the base version # number has been incremented) -version = "6.5b1" -version_info = (6, 5, 0, -99) +version = "6.5" +version_info = (6, 5, 0, 0) import importlib import typing