diff --git a/setup.py b/setup.py
index 5645ff3f..ebff6374 100644
--- a/setup.py
+++ b/setup.py
@@ -31,7 +31,7 @@ if "linux" in sys.platform.lower() and not python_26:
 extensions.append(distutils.core.Extension(
 "tornado.epoll", ["tornado/epoll.c"]))
-version = "1.1"
+version = "1.1.1"
 distutils.core.setup(
 name="tornado",
diff --git a/tornado/__init__.py b/tornado/__init__.py
index 1fbc1809..b5992116 100644
--- a/tornado/__init__.py
+++ b/tornado/__init__.py
@@ -16,5 +16,5 @@
 """The Tornado web server and tools."""
-version = "1.1"
-version_info = (1, 1, 0)
+version = "1.1.1"
+version_info = (1, 1, 1)
diff --git a/tornado/web.py b/tornado/web.py
index f5046a25..20dbcae7 100644
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -726,16 +726,27 @@ class RequestHandler(object):
 def check_xsrf_cookie(self):
 """Verifies that the '_xsrf' cookie matches the '_xsrf' argument.
- To prevent cross-site request forgery, we set an '_xsrf' cookie
- and include the same '_xsrf' value as an argument with all POST
- requests. If the two do not match, we reject the form submission
- as a potential forgery.
+ To prevent cross-site request forgery, we set an '_xsrf'
+ cookie and include the same value as a non-cookie
+ field with all POST requests. If the two do not match, we
+ reject the form submission as a potential forgery.
+
+ The _xsrf value may be set as either a form field named _xsrf
+ or in a custom HTTP header named X-XSRFToken or X-CSRFToken
+ (the latter is accepted for compatibility with Django).
 See http://en.wikipedia.org/wiki/Cross-site_request_forgery
+
+ Prior to release 1.1.1, this check was ignored if the HTTP header
+ "X-Requested-With: XMLHTTPRequest" was present. This exception
+ has been shown to be insecure and has been removed. For more
+ information please see
+ http://www.djangoproject.com/weblog/2011/feb/08/security/
+ http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
 """
- if self.request.headers.get("X-Requested-With") == "XMLHttpRequest":
- return
- token = self.get_argument("_xsrf", None)
+ token = (self.get_argument("_xsrf", None) or
+ self.request.headers.get("X-Xsrftoken") or
+ self.request.headers.get("X-Csrftoken"))
 if not token:
 raise HTTPError(403, "'_xsrf' argument missing from POST")
 if self.xsrf_token != token:
diff --git a/website/templates/documentation.txt b/website/templates/documentation.txt
index 9f2ed37a..b1a903a3 100644
--- a/website/templates/documentation.txt
+++ b/website/templates/documentation.txt
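Review bot: The comparison `if self.xsrf_token != token:` at the end of the hunk is an ordinary string inequality, which is not constant-time and so leaks how much of the submitted token matched; since the token is secret material, a constant-time comparison helper (for example `hmac.compare_digest` on interpreters that provide it, otherwise a small loop that accumulates byte differences over the full length) would be the safer check. The three header lookups in the new `token = (...)` expression also depend on header-name normalization performed outside this hunk — the docstring names `X-XSRFToken` while the code reads `"X-Xsrftoken"` — so a comment such as `# HTTPHeaders normalizes names, so X-XSRFToken is read back as "X-Xsrftoken"` would keep the two from looking inconsistent, assuming that normalization is indeed what makes the lookup work. Finally, the 403 text `'_xsrf' argument missing from POST` is now incomplete for header-only clients and could read `'_xsrf' argument missing from POST (form field or X-XSRFToken header)`. check_xsrf_cookie's body continues past the end of the hunk.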
@@ -50,12 +50,12 @@ Download
 --------
 Download the most recent version of Tornado from GitHub:
-> [tornado-1.1.tar.gz](http://github.com/downloads/facebook/tornado/tornado-1.1.tar.gz)
+> [tornado-1.1.1.tar.gz](http://github.com/downloads/facebook/tornado/tornado-1.1.1.tar.gz)
 You can also [browse the source](http://github.com/facebook/tornado) on GitHub. To install Tornado:
- tar xvzf tornado-1.1.tar.gz
- cd tornado-1.1
+ tar xvzf tornado-1.1.1.tar.gz
+ cd tornado-1.1.1
 python setup.py build
 sudo python setup.py install
diff --git a/website/templates/index.html b/website/templates/index.html
index 92c31b78..a409dade 100644
--- a/website/templates/index.html
+++ b/website/templates/index.html
@@ -6,9 +6,9 @@

See the Tornado documentation for a detailed walkthrough of the framework.

Download and install

-

Download: tornado-1.1.tar.gz

-
tar xvzf tornado-1.1.tar.gz
-cd tornado-1.1
+  

Download: tornado-1.1.1.tar.gz

+
tar xvzf tornado-1.1.1.tar.gz
+cd tornado-1.1.1
 python setup.py build
 sudo python setup.py install

The Tornado source code is hosted on GitHub. On Python 2.6+, it is also possible to simply add the tornado directory to your PYTHONPATH instead of building with setup.py, since the standard library includes epoll support.