42 lines
1.6 KiB
ReStructuredText
42 lines
1.6 KiB
ReStructuredText
What's new in Tornado 3.2.1
|
|
===========================
|
|
|
|
May 5, 2014
|
|
-----------
|
|
|
|
Security fixes
|
|
~~~~~~~~~~~~~~
|
|
|
|
* The signed-value format used by `.RequestHandler.set_secure_cookie`
|
|
and `.RequestHandler.get_secure_cookie` has changed to be more secure.
|
|
**This is a disruptive change**. The ``secure_cookie`` functions
|
|
take new ``version`` parameters to support transitions between cookie
|
|
formats.
|
|
* The new cookie format fixes a vulnerability that may be present in
|
|
applications that use multiple cookies where the name of one cookie
|
|
is a prefix of the name of another.
|
|
* To minimize disruption, cookies in the older format will be accepted
|
|
by default until they expire. Applications that may be vulnerable
|
|
can reject all cookies in the older format by passing ``min_version=2``
|
|
to `.RequestHandler.get_secure_cookie`.
|
|
* Thanks to Joost Pol of `Certified Secure <https://www.certifiedsecure.com>`_
|
|
for reporting this issue.
|
|
|
|
Backwards-compatibility notes
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
* Signed cookies issued by `.RequestHandler.set_secure_cookie` in Tornado
|
|
3.2.1 cannot be read by older releases. If you need to run 3.2.1
|
|
in parallel with older releases, you can pass ``version=1`` to
|
|
`.RequestHandler.set_secure_cookie` to issue cookies that are
|
|
backwards-compatible (but have a known weakness, so this option
|
|
should only be used for a transitional period).
|
|
|
|
Other changes
|
|
~~~~~~~~~~~~~
|
|
|
|
* The C extension used to speed up the websocket module now compiles
|
|
correctly on Windows with MSVC and 64-bit mode. The fallback to
|
|
the pure-Python alternative now works correctly on Mac OS X machines
|
|
with no C compiler installed.
|