From 90b8078739c8166d26de723178fb2151043e8218 Mon Sep 17 00:00:00 2001
From: Ben Darnell
Date: Tue, 8 Feb 2011 22:29:40 -0800
Subject: [PATCH 1/2] BACKWARDS-INCOMPATIBLE: Fix XSRF security vulnerability.

This is a backwards-incompatible change. Applications that previously relied on a blanket exception for XMLHTTPRequest may need to be modified to explicitly include the XSRF token when making ajax requests. The tornado chat demo application demonstrates one way of adding this token (specifically the function postJSON in demos/chat/static/chat.js). More information about this change and its justification can be found at http://www.djangoproject.com/weblog/2011/feb/08/security/ http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails Closes #214.
---
 tornado/web.py | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/tornado/web.py b/tornado/web.py
index ee9cbd32..71603342 100644
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -709,16 +709,27 @@ class RequestHandler(object):
     def check_xsrf_cookie(self):
         """Verifies that the '_xsrf' cookie matches the '_xsrf' argument.
 
-        To prevent cross-site request forgery, we set an '_xsrf' cookie
-        and include the same '_xsrf' value as an argument with all POST
-        requests. If the two do not match, we reject the form submission
-        as a potential forgery.
+        To prevent cross-site request forgery, we set an '_xsrf'
+        cookie and include the same value as a non-cookie
+        field with all POST requests. If the two do not match, we
+        reject the form submission as a potential forgery.
+
+        The _xsrf value may be set as either a form field named _xsrf
+        or in a custom HTTP header named X-XSRFToken or X-CSRFToken
+        (the latter is accepted for compatibility with Django).
 
         See http://en.wikipedia.org/wiki/Cross-site_request_forgery
+
+        Prior to release 1.1.1, this check was ignored if the HTTP header
+        "X-Requested-With: XMLHTTPRequest" was present. This exception
+        has been shown to be insecure and has been removed. For more
+        information please see
+        http://www.djangoproject.com/weblog/2011/feb/08/security/
+        http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
         """
-        if self.request.headers.get("X-Requested-With") == "XMLHttpRequest":
-            return
-        token = self.get_argument("_xsrf", None)
+        token = (self.get_argument("_xsrf", None) or
+                 self.request.headers.get("X-Xsrftoken") or
+                 self.request.headers.get("X-Csrftoken"))
         if not token:
             raise HTTPError(403, "'_xsrf' argument missing from POST")
         if self.xsrf_token != token:

From b91245427fac0672d94f7db26e59ec2bd0c46f57 Mon Sep 17 00:00:00 2001
From: Ben Darnell
Date: Tue, 8 Feb 2011 22:43:07 -0800
Subject: [PATCH 2/2] Tag release 1.1.1

---
 setup.py | 2 +-
 tornado/__init__.py | 4 ++--
 website/templates/documentation.txt | 6 +++---
 website/templates/index.html | 6 +++---
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/setup.py b/setup.py
index 265d46c1..59e46902 100644
--- a/setup.py
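Review bot: The lookup keys on the new token line, `"X-Xsrftoken"` and `"X-Csrftoken"`, only match the header names the docstring advertises (X-XSRFToken / X-CSRFToken) if the request headers object case-normalizes names; that dependency is not visible in this hunk, so a comment such as `# header names are case-normalized by the headers object, so this matches X-XSRFToken` on the `or` chain would spare the next reader the lookup. The new docstring paragraph also spells the removed header value as "XMLHTTPRequest" while the deleted line compared against "XMLHttpRequest"; since the paragraph documents exactly what was removed, it should use the value the code used. The 403 message `"'_xsrf' argument missing from POST"` is now slightly misleading because the token may arrive in a header instead; consider `raise HTTPError(403, "'_xsrf' argument missing from POST (form field or X-XSRFToken header)")`. The final context line `if self.xsrf_token != token:` is a plain string comparison whose cost depends on where the values first differ; a length-independent comparison would close that timing difference, though that line is not part of this change. check_xsrf_cookie's body continues past the end of the hunk.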
+++ b/setup.py @@ -33,7 +33,7 @@ if "linux" in sys.platform.lower() and not python_26: distutils.core.setup( name="tornado", - version="1.1", + version="1.1.1", packages = ["tornado"], ext_modules = extensions, author="Facebook", diff --git a/tornado/__init__.py b/tornado/__init__.py index 1fbc1809..b5992116 100644 --- a/tornado/__init__.py +++ b/tornado/__init__.py @@ -16,5 +16,5 @@ """The Tornado web server and tools.""" -version = "1.1" -version_info = (1, 1, 0) +version = "1.1.1" +version_info = (1, 1, 1) diff --git a/website/templates/documentation.txt b/website/templates/documentation.txt index 2023ae77..cc3713db 100644 --- a/website/templates/documentation.txt +++ b/website/templates/documentation.txt @@ -52,12 +52,12 @@ Download -------- Download the most recent version of Tornado from GitHub: -> [tornado-1.1.tar.gz](http://github.com/downloads/facebook/tornado/tornado-1.1.tar.gz) +> [tornado-1.1.1.tar.gz](http://github.com/downloads/facebook/tornado/tornado-1.1.1.tar.gz) You can also [browse the source](http://github.com/facebook/tornado) on GitHub. To install Tornado: - tar xvzf tornado-1.1.tar.gz - cd tornado-1.1 + tar xvzf tornado-1.1.1.tar.gz + cd tornado-1.1.1 python setup.py build sudo python setup.py install diff --git a/website/templates/index.html b/website/templates/index.html index 7d45cb12..1e469b1c 100644 --- a/website/templates/index.html +++ b/website/templates/index.html @@ -6,9 +6,9 @@

See the Tornado documentation for a detailed walkthrough of the framework.

Download and install

-

Download: tornado-1.1.tar.gz

-
tar xvzf tornado-1.1.tar.gz
-cd tornado-1.1
+  

Download: tornado-1.1.1.tar.gz

+
tar xvzf tornado-1.1.1.tar.gz
+cd tornado-1.1.1
 python setup.py build
 sudo python setup.py install

The Tornado source code is hosted on GitHub. On Python 2.6+, it is also possible to simply add the tornado directory to your PYTHONPATH instead of building with setup.py, since the standard library includes epoll support.