Merge commit 'v1.1.1'

Conflicts:
	setup.py
Ben Darnell 2011-02-08 22:53:59 -08:00
commit 4170d351d7
5 changed files with 27 additions and 16 deletions


@ -31,7 +31,7 @@ if "linux" in sys.platform.lower() and not python_26:
extensions.append(distutils.core.Extension(
"tornado.epoll", ["tornado/epoll.c"]))
version = "1.1"
version = "1.1.1"
distutils.core.setup(
name="tornado",


@ -16,5 +16,5 @@
"""The Tornado web server and tools."""
version = "1.1"
version_info = (1, 1, 0)
version = "1.1.1"
version_info = (1, 1, 1)


@ -726,16 +726,27 @@ class RequestHandler(object):
def check_xsrf_cookie(self):
"""Verifies that the '_xsrf' cookie matches the '_xsrf' argument.
To prevent cross-site request forgery, we set an '_xsrf' cookie
and include the same '_xsrf' value as an argument with all POST
requests. If the two do not match, we reject the form submission
as a potential forgery.
To prevent cross-site request forgery, we set an '_xsrf'
cookie and include the same value as a non-cookie
field with all POST requests. If the two do not match, we
reject the form submission as a potential forgery.
The _xsrf value may be set as either a form field named _xsrf
or in a custom HTTP header named X-XSRFToken or X-CSRFToken
(the latter is accepted for compatibility with Django).
See http://en.wikipedia.org/wiki/Cross-site_request_forgery
Prior to release 1.1.1, this check was ignored if the HTTP header
"X-Requested-With: XMLHTTPRequest" was present. This exception
has been shown to be insecure and has been removed. For more
information please see
http://www.djangoproject.com/weblog/2011/feb/08/security/
http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
"""
if self.request.headers.get("X-Requested-With") == "XMLHttpRequest":
return
token = self.get_argument("_xsrf", None)
token = (self.get_argument("_xsrf", None) or
self.request.headers.get("X-Xsrftoken") or
self.request.headers.get("X-Csrftoken"))
if not token:
raise HTTPError(403, "'_xsrf' argument missing from POST")
if self.xsrf_token != token:
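Review bot: The final check `if self.xsrf_token != token:` is an ordinary string inequality, which can return as soon as the first differing character is found, so its timing depends on how much of the submitted token is correct. Since the token is now also read from the `X-Xsrftoken` / `X-Csrftoken` request headers, a constant-time comparison would be the safer choice here; if the module already has a timing-independent equality helper for signed-cookie checks, reuse it. The 403 message `"'_xsrf' argument missing from POST"` is also stale now that a header can carry the token; something like `"'_xsrf' argument or X-XSRFToken header missing"` would point AJAX clients that relied on the removed `X-Requested-With` exemption at the fix. The body of the `if` continues outside the hunk.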


@ -50,12 +50,12 @@ Download
--------
Download the most recent version of Tornado from GitHub:
> [tornado-1.1.tar.gz](http://github.com/downloads/facebook/tornado/tornado-1.1.tar.gz)
> [tornado-1.1.1.tar.gz](http://github.com/downloads/facebook/tornado/tornado-1.1.1.tar.gz)
You can also [browse the source](http://github.com/facebook/tornado) on GitHub. To install Tornado:
tar xvzf tornado-1.1.tar.gz
cd tornado-1.1
tar xvzf tornado-1.1.1.tar.gz
cd tornado-1.1.1
python setup.py build
sudo python setup.py install


@ -6,9 +6,9 @@
<p>See the <a href="/documentation">Tornado documentation</a> for a detailed walkthrough of the framework.</p>
<h2>Download and install</h2>
<p><b>Download:</b> <a href="http://github.com/downloads/facebook/tornado/tornado-1.1.tar.gz">tornado-1.1.tar.gz</a></p>
<pre><code>tar xvzf tornado-1.1.tar.gz
cd tornado-1.1
<p><b>Download:</b> <a href="http://github.com/downloads/facebook/tornado/tornado-1.1.1.tar.gz">tornado-1.1.1.tar.gz</a></p>
<pre><code>tar xvzf tornado-1.1.1.tar.gz
cd tornado-1.1.1
python setup.py build
sudo python setup.py install</code></pre>
<p>The Tornado source code is <a href="http://github.com/facebook/tornado">hosted on GitHub</a>. On Python 2.6+, it is also possible to simply add the tornado directory to your <code>PYTHONPATH</code> instead of building with <code>setup.py</code>, since the standard library includes <code>epoll</code> support.</p>