What's new in Tornado 6.2.0
===========================
Jul 3, 2022
-----------
Deprecation notice
~~~~~~~~~~~~~~~~~~
- Python 3.10 has begun the process of significant changes to the APIs for
managing the event loop. Calls to methods such as `asyncio.get_event_loop` may
now raise `DeprecationWarning` if no event loop is running. This has
significant impact on the patterns for initializing applications, and in
particular invalidates patterns that have long been the norm in Tornado's
documentation and actual usage. In the future (with some as-yet-unspecified
future version of Python), the old APIs will be removed. The new recommended
pattern is to start the event loop with `asyncio.run`. More detailed migration
guides will be coming in the future.
- The `.IOLoop` constructor is deprecated unless the ``make_current=False``
argument is used. Use `.IOLoop.current` when the loop is already running
instead.
- `.AsyncTestCase` (and `.AsyncHTTPTestCase`) are deprecated. Use
`unittest.IsolatedAsyncioTestCase` instead.
- Multi-process `.TCPServer.bind`/`.TCPServer.start` is deprecated. See
`.TCPServer` docs for supported alternatives.
- `.AnyThreadEventLoopPolicy` is deprecated. This class controls the creation of
the "current" event loop so it will be removed when that concept is no longer
supported.
- `.IOLoop.make_current` and `.IOLoop.clear_current` are deprecated. In the
future the concept of a "current" event loop as distinct from one that is
currently running will be removed.
- ``TwistedResolver`` and ``CaresResolver`` are deprecated and will be
removed in Tornado 7.0.
General changes
~~~~~~~~~~~~~~~
- The minimum supported Python version is now 3.7.
- Wheels are now published with the Python stable ABI (``abi3``) for
compatibility across versions of Python.
- SSL certificate verfication and hostname checks are now enabled by default in
more places (primarily in client-side usage of `.SSLIOStream`).
- Various improvements to type hints throughout the package.
- CI has moved from Travis and Appveyor to Github Actions.
`tornado.gen`
~~~~~~~~~~~~~
- Fixed a bug in which ``WaitIterator.current_index`` could be incorrect.
- ``tornado.gen.TimeoutError``` is now an alias for `asyncio.TimeoutError`.
`tornado.http1connection`
~~~~~~~~~~~~~~~~~~~~~~~~~
- ``max_body_size`` may now be set to zero to disallow a non-empty body.
- ``Content-Encoding: gzip`` is now recognized case-insensitively.
`tornado.httpclient`
~~~~~~~~~~~~~~~~~~~~
- ``curl_httpclient`` now supports non-ASCII (ISO-8859-1) header values, same as
``simple_httpclient``.
`tornado.ioloop`
~~~~~~~~~~~~~~~~
- `.PeriodicCallback` now understands coroutines and will not start multiple
copies if a previous invocation runs too long.
- `.PeriodicCallback` now accepts `datetime.timedelta` objects in addition to
numbers of milliseconds.
- Avoid logging "Event loop is closed" during shutdown-related race conditions.
- Tornado no longer calls `logging.basicConfig` when starting an IOLoop; this
has been unnecessary since Python 3.2 added a logger of last resort.
- The `.IOLoop` constructor now accepts an ``asyncio_loop`` keyword argument to
initialize with a specfied asyncio event loop.
- It is now possible to construct an `.IOLoop` on one thread (with
``make_current=False``) and start it on a different thread.
`tornado.iostream`
~~~~~~~~~~~~~~~~~~
- `.SSLIOStream` now supports reading more than 2GB at a time.
- ``IOStream.write`` now supports typed `memoryview` objects.
`tornado.locale`
~~~~~~~~~~~~~~~~
- `.load_gettext_translations` no longer logs errors when language directories
exist but do not contain the expected file.
`tornado.netutil`
~~~~~~~~~~~~~~~~~
- `.is_valid_ip` no longer raises exceptions when the input is too long.
- The default resolver now uses the same methods (and thread pool) as `asyncio`.
`tornado.tcpserver`
~~~~~~~~~~~~~~~~~~~
- `.TCPServer.listen` now supports more arguments to pass through to
`.netutil.bind_sockets`.
`tornado.testing`
~~~~~~~~~~~~~~~~~
- `.bind_unused_port` now takes an optional ``address`` argument.
- Wrapped test methods now include the ``__wrapped__`` attribute.
`tornado.web`
~~~~~~~~~~~~~
- When using a custom `.StaticFileHandler` subclass, the ``reset()`` method is
now called on this subclass instead of the base class.
- Improved handling of the ``Accept-Language`` header.
- `.Application.listen` now supports more arguments to pass through to
`.netutil.bind_sockets`.
`tornado.websocket`
~~~~~~~~~~~~~~~~~~~
- `.WebSocketClientConnection.write_message` now accepts `dict` arguments for
consistency with `.WebSocketHandler.write_message`.
- `.WebSocketClientConnection.write_message` now raises an exception as
documented if the connection is already closed.
What's new in Tornado 6.1.0
===========================
Oct 30, 2020
------------
Deprecation notice
~~~~~~~~~~~~~~~~~~
- This is the last release of Tornado to support Python 3.5. Future versions
will require Python 3.6 or newer.
General changes
~~~~~~~~~~~~~~~
- Windows support has been improved. Tornado is now compatible with the proactor
event loop (which became the default in Python 3.8) by automatically falling
back to running a selector in a second thread. This means that it is no longer
necessary to explicitly configure a selector event loop, although doing so may
improve performance. This does not change the fact that Tornado is significantly
less scalable on Windows than on other platforms.
- Binary wheels are now provided for Windows, MacOS, and Linux (amd64 and arm64).
`tornado.gen`
~~~~~~~~~~~~~
- `.coroutine` now has better support for the Python 3.7+ ``contextvars`` module.
In particular, the ``ContextVar.reset`` method is now supported.
`tornado.http1connection`
~~~~~~~~~~~~~~~~~~~~~~~~~
- ``HEAD`` requests to handlers that used chunked encoding no longer produce malformed output.
- Certain kinds of malformed ``gzip`` data no longer cause an infinite loop.
`tornado.httpclient`
~~~~~~~~~~~~~~~~~~~~
- Setting ``decompress_response=False`` now works correctly with
``curl_httpclient``.
- Mixing requests with and without proxies works correctly in ``curl_httpclient``
(assuming the version of pycurl is recent enough).
- A default ``User-Agent`` of ``Tornado/$VERSION`` is now used if the
``user_agent`` parameter is not specified.
- After a 303 redirect, ``tornado.simple_httpclient`` always uses ``GET``.
Previously this would use ``GET`` if the original request was a ``POST`` and
would otherwise reuse the original request method. For ``curl_httpclient``, the
behavior depends on the version of ``libcurl`` (with the most recent versions
using ``GET`` after 303 regardless of the original method).
- Setting ``request_timeout`` and/or ``connect_timeout`` to zero is now supported
to disable the timeout.
`tornado.httputil`
~~~~~~~~~~~~~~~~~~
- Header parsing is now faster.
- `.parse_body_arguments` now accepts incompletely-escaped non-ASCII inputs.
`tornado.iostream`
~~~~~~~~~~~~~~~~~~
- `ssl.CertificateError` during the SSL handshake is now handled correctly.
- Reads that are resolved while the stream is closing are now handled correctly.
`tornado.log`
~~~~~~~~~~~~~
- When colored logging is enabled, ``logging.CRITICAL`` messages are now
recognized and colored magenta.
`tornado.netutil`
~~~~~~~~~~~~~~~~~
- ``EADDRNOTAVAIL`` is now ignored when binding to ``localhost`` with IPv6. This
error is common in docker.
`tornado.platform.asyncio`
~~~~~~~~~~~~~~~~~~~~~~~~~~
- `.AnyThreadEventLoopPolicy` now also configures a selector event loop for
these threads (the proactor event loop only works on the main thread)
``tornado.platform.auto``
~~~~~~~~~~~~~~~~~~~~~~~~~
- The ``set_close_exec`` function has been removed.
`tornado.testing`
~~~~~~~~~~~~~~~~~
- `.ExpectLog` now has a ``level`` argument to ensure that the given log level
is enabled.
`tornado.web`
~~~~~~~~~~~~~
- ``RedirectHandler.get`` now accepts keyword arguments.
- When sending 304 responses, more headers (including ``Allow``) are now preserved.
- ``reverse_url`` correctly handles escaped characters in the regex route.
- Default ``Etag`` headers are now generated with SHA-512 instead of MD5.
`tornado.websocket`
~~~~~~~~~~~~~~~~~~~
- The ``ping_interval`` timer is now stopped when the connection is closed.
- `.websocket_connect` now raises an error when it encounters a redirect instead of hanging.
What's new in Tornado 6.0.4
===========================
Mar 3, 2020
-----------
General changes
~~~~~~~~~~~~~~~
- Binary wheels are now available for Python 3.8 on Windows. Note that it is
still necessary to use
``asyncio.set_event_loop_policy(asyncio.WindowsSelectorEventLoopPolicy())`` for
this platform/version.
Bug fixes
~~~~~~~~~
- Fixed an issue in `.IOStream` (introduced in 6.0.0) that resulted in
``StreamClosedError`` being incorrectly raised if a stream is closed mid-read
but there is enough buffered data to satisfy the read.
- `.AnyThreadEventLoopPolicy` now always uses the selector event loop on Windows.
What's new in Tornado 6.0.3
===========================
Jun 22, 2019
------------
Bug fixes
~~~~~~~~~
- `.gen.with_timeout` always treats ``asyncio.CancelledError`` as a
``quiet_exception`` (this improves compatibility with Python 3.8,
which changed ``CancelledError`` to a ``BaseException``).
- ``IOStream`` now checks for closed streams earlier, avoiding
spurious logged errors in some situations (mainly with websockets).
What's new in Tornado 6.0.2
===========================
Mar 23, 2019
------------
Bug fixes
~~~~~~~~~
- `.WebSocketHandler.set_nodelay` works again.
- Accessing ``HTTPResponse.body`` now returns an empty byte string
instead of raising ``ValueError`` for error responses that don't
have a body (it returned None in this case in Tornado 5).
What's new in Tornado 6.0.1
===========================
Mar 3, 2019
-----------
Bug fixes
~~~~~~~~~
- Fixed issues with type annotations that caused errors while
importing Tornado on Python 3.5.2.
What's new in Tornado 6.0
=========================
Mar 1, 2019
-----------
Backwards-incompatible changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Python 2.7 and 3.4 are no longer supported; the minimum supported
Python version is 3.5.2.
- APIs deprecated in Tornado 5.1 have been removed. This includes the
``tornado.stack_context`` module and most ``callback`` arguments
throughout the package. All removed APIs emitted
`DeprecationWarning` when used in Tornado 5.1, so running your
application with the ``-Wd`` Python command-line flag or the
environment variable ``PYTHONWARNINGS=d`` should tell you whether
your application is ready to move to Tornado 6.0.
- ``.WebSocketHandler.get`` is now a coroutine and must be called
accordingly in any subclasses that override this method (but note
that overriding ``get`` is not recommended; either ``prepare`` or
``open`` should be used instead).
General changes
~~~~~~~~~~~~~~~
- Tornado now includes type annotations compatible with ``mypy``.
These annotations will be used when type-checking your application
with ``mypy``, and may be usable in editors and other tools.
- Tornado now uses native coroutines internally, improving performance.
`tornado.auth`
~~~~~~~~~~~~~~
- All ``callback`` arguments in this package have been removed. Use
the coroutine interfaces instead.
- The ``OAuthMixin._oauth_get_user`` method has been removed.
Override `~.OAuthMixin._oauth_get_user_future` instead.
`tornado.concurrent`
~~~~~~~~~~~~~~~~~~~~
- The ``callback`` argument to `.run_on_executor` has been removed.
- ``return_future`` has been removed.
`tornado.gen`
~~~~~~~~~~~~~
- Some older portions of this module have been removed. This includes
``engine``, ``YieldPoint``, ``Callback``, ``Wait``, ``WaitAll``,
``MultiYieldPoint``, and ``Task``.
- Functions decorated with ``@gen.coroutine`` no longer accept
``callback`` arguments.
`tornado.httpclient`
~~~~~~~~~~~~~~~~~~~~
- The behavior of ``raise_error=False`` has changed. Now only
suppresses the errors raised due to completed responses with non-200
status codes (previously it suppressed all errors).
- The ``callback`` argument to `.AsyncHTTPClient.fetch` has been removed.
`tornado.httputil`
~~~~~~~~~~~~~~~~~~
- ``HTTPServerRequest.write`` has been removed. Use the methods of
``request.connection`` instead.
- Unrecognized ``Content-Encoding`` values now log warnings only for
content types that we would otherwise attempt to parse.
`tornado.ioloop`
~~~~~~~~~~~~~~~~
- ``IOLoop.set_blocking_signal_threshold``,
``IOLoop.set_blocking_log_threshold``, ``IOLoop.log_stack``,
and ``IOLoop.handle_callback_exception`` have been removed.
- Improved performance of `.IOLoop.add_callback`.
`tornado.iostream`
~~~~~~~~~~~~~~~~~~
- All ``callback`` arguments in this module have been removed except
for `.BaseIOStream.set_close_callback`.
- ``streaming_callback`` arguments to `.BaseIOStream.read_bytes` and
`.BaseIOStream.read_until_close` have been removed.
- Eliminated unnecessary logging of "Errno 0".
`tornado.log`
~~~~~~~~~~~~~
- Log files opened by this module are now explicitly set to UTF-8 encoding.
`tornado.netutil`
~~~~~~~~~~~~~~~~~
- The results of ``getaddrinfo`` are now sorted by address family to
avoid partial failures and deadlocks.
`tornado.platform.twisted`
~~~~~~~~~~~~~~~~~~~~~~~~~~
- ``TornadoReactor`` and ``TwistedIOLoop`` have been removed.
``tornado.simple_httpclient``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The default HTTP client now supports the ``network_interface``
request argument to specify the source IP for the connection.
- If a server returns a 3xx response code without a ``Location``
header, the response is raised or returned directly instead of
trying and failing to follow the redirect.
- When following redirects, methods other than ``POST`` will no longer
be transformed into ``GET`` requests. 301 (permanent) redirects are
now treated the same way as 302 (temporary) and 303 (see other)
redirects in this respect.
- Following redirects now works with ``body_producer``.
``tornado.stack_context``
~~~~~~~~~~~~~~~~~~~~~~~~~
- The ``tornado.stack_context`` module has been removed.
`tornado.tcpserver`
~~~~~~~~~~~~~~~~~~~
- `.TCPServer.start` now supports a ``max_restarts`` argument (same as
`.fork_processes`).
`tornado.testing`
~~~~~~~~~~~~~~~~~
- `.AsyncHTTPTestCase` now drops all references to the `.Application`
during ``tearDown``, allowing its memory to be reclaimed sooner.
- `.AsyncTestCase` now cancels all pending coroutines in ``tearDown``,
in an effort to reduce warnings from the python runtime about
coroutines that were not awaited. Note that this may cause
``asyncio.CancelledError`` to be logged in other places. Coroutines
that expect to be running at test shutdown may need to catch this
exception.
`tornado.web`
~~~~~~~~~~~~~
- The ``asynchronous`` decorator has been removed.
- The ``callback`` argument to `.RequestHandler.flush` has been removed.
- `.StaticFileHandler` now supports large negative values for the
``Range`` header and returns an appropriate error for ``end >
start``.
- It is now possible to set ``expires_days`` in ``xsrf_cookie_kwargs``.
`tornado.websocket`
~~~~~~~~~~~~~~~~~~~
- Pings and other messages sent while the connection is closing are
now silently dropped instead of logging exceptions.
- Errors raised by ``open()`` are now caught correctly when this method
is a coroutine.
`tornado.wsgi`
~~~~~~~~~~~~~~
- ``WSGIApplication`` and ``WSGIAdapter`` have been removed.
What's new in Tornado 5.1.1
===========================
Sep 16, 2018
------------
Bug fixes
~~~~~~~~~
- Fixed an case in which the `.Future` returned by
`.RequestHandler.finish` could fail to resolve.
- The `.TwitterMixin.authenticate_redirect` method works again.
- Improved error handling in the `tornado.auth` module, fixing hanging
requests when a network or other error occurs.
What's new in Tornado 5.1
=========================
July 12, 2018
-------------
Deprecation notice
~~~~~~~~~~~~~~~~~~
- Tornado 6.0 will drop support for Python 2.7 and 3.4. The minimum
supported Python version will be 3.5.2.
- The ``tornado.stack_context`` module is deprecated and will be removed
in Tornado 6.0. The reason for this is that it is not feasible to
provide this module's semantics in the presence of ``async def``
native coroutines. ``ExceptionStackContext`` is mainly obsolete
thanks to coroutines. ``StackContext`` lacks a direct replacement
although the new ``contextvars`` package (in the Python standard
library beginning in Python 3.7) may be an alternative.
- Callback-oriented code often relies on ``ExceptionStackContext`` to
handle errors and prevent leaked connections. In order to avoid the
risk of silently introducing subtle leaks (and to consolidate all of
Tornado's interfaces behind the coroutine pattern), ``callback``
arguments throughout the package are deprecated and will be removed
in version 6.0. All functions that had a ``callback`` argument
removed now return a `.Future` which should be used instead.
- Where possible, deprecation warnings are emitted when any of these
deprecated interfaces is used. However, Python does not display
deprecation warnings by default. To prepare your application for
Tornado 6.0, run Python with the ``-Wd`` argument or set the
environment variable ``PYTHONWARNINGS`` to ``d``. If your
application runs on Python 3 without deprecation warnings, it should
be able to move to Tornado 6.0 without disruption.
`tornado.auth`
~~~~~~~~~~~~~~
- `.OAuthMixin._oauth_get_user_future` may now be a native coroutine.
- All ``callback`` arguments in this package are deprecated and will
be removed in 6.0. Use the coroutine interfaces instead.
- The ``OAuthMixin._oauth_get_user`` method is deprecated and will be removed in
6.0. Override `~.OAuthMixin._oauth_get_user_future` instead.
`tornado.autoreload`
~~~~~~~~~~~~~~~~~~~~
- The command-line autoreload wrapper is now preserved if an internal
autoreload fires.
- The command-line wrapper no longer starts duplicated processes on windows
when combined with internal autoreload.
`tornado.concurrent`
~~~~~~~~~~~~~~~~~~~~
- `.run_on_executor` now returns `.Future` objects that are compatible
with ``await``.
- The ``callback`` argument to `.run_on_executor` is deprecated and will
be removed in 6.0.
- ``return_future`` is deprecated and will be removed in 6.0.
`tornado.gen`
~~~~~~~~~~~~~
- Some older portions of this module are deprecated and will be removed
in 6.0. This includes ``engine``, ``YieldPoint``, ``Callback``,
``Wait``, ``WaitAll``, ``MultiYieldPoint``, and ``Task``.
- Functions decorated with ``@gen.coroutine`` will no longer accept
``callback`` arguments in 6.0.
`tornado.httpclient`
~~~~~~~~~~~~~~~~~~~~
- The behavior of ``raise_error=False`` is changing in 6.0. Currently
it suppresses all errors; in 6.0 it will only suppress the errors
raised due to completed responses with non-200 status codes.
- The ``callback`` argument to `.AsyncHTTPClient.fetch` is deprecated
and will be removed in 6.0.
- `tornado.httpclient.HTTPError` has been renamed to
`.HTTPClientError` to avoid ambiguity in code that also has to deal
with `tornado.web.HTTPError`. The old name remains as an alias.
- ``tornado.curl_httpclient`` now supports non-ASCII characters in
username and password arguments.
- ``.HTTPResponse.request_time`` now behaves consistently across
``simple_httpclient`` and ``curl_httpclient``, excluding time spent
in the ``max_clients`` queue in both cases (previously this time was
included in ``simple_httpclient`` but excluded in
``curl_httpclient``). In both cases the time is now computed using
a monotonic clock where available.
- `.HTTPResponse` now has a ``start_time`` attribute recording a
wall-clock (`time.time`) timestamp at which the request started
(after leaving the ``max_clients`` queue if applicable).
`tornado.httputil`
~~~~~~~~~~~~~~~~~~
- `.parse_multipart_form_data` now recognizes non-ASCII filenames in
RFC 2231/5987 (``filename*=``) format.
- ``HTTPServerRequest.write`` is deprecated and will be removed in 6.0. Use
the methods of ``request.connection`` instead.
- Malformed HTTP headers are now logged less noisily.
`tornado.ioloop`
~~~~~~~~~~~~~~~~
- `.PeriodicCallback` now supports a ``jitter`` argument to randomly
vary the timeout.
- ``IOLoop.set_blocking_signal_threshold``,
``IOLoop.set_blocking_log_threshold``, ``IOLoop.log_stack``,
and ``IOLoop.handle_callback_exception`` are deprecated and will
be removed in 6.0.
- Fixed a `KeyError` in `.IOLoop.close` when `.IOLoop` objects are
being opened and closed in multiple threads.
`tornado.iostream`
~~~~~~~~~~~~~~~~~~
- All ``callback`` arguments in this module are deprecated except for
`.BaseIOStream.set_close_callback`. They will be removed in 6.0.
- ``streaming_callback`` arguments to `.BaseIOStream.read_bytes` and
`.BaseIOStream.read_until_close` are deprecated and will be removed
in 6.0.
`tornado.netutil`
~~~~~~~~~~~~~~~~~
- Improved compatibility with GNU Hurd.
`tornado.options`
~~~~~~~~~~~~~~~~~
- `tornado.options.parse_config_file` now allows setting options to
strings (which will be parsed the same way as
`tornado.options.parse_command_line`) in addition to the specified
type for the option.
`tornado.platform.twisted`
~~~~~~~~~~~~~~~~~~~~~~~~~~
- ``TornadoReactor`` and ``TwistedIOLoop`` are deprecated and will be
removed in 6.0. Instead, Tornado will always use the asyncio event loop
and twisted can be configured to do so as well.
``tornado.stack_context``
~~~~~~~~~~~~~~~~~~~~~~~~~
- The ``tornado.stack_context`` module is deprecated and will be removed
in 6.0.
`tornado.testing`
~~~~~~~~~~~~~~~~~
- `.AsyncHTTPTestCase.fetch` now takes a ``raise_error`` argument.
This argument has the same semantics as `.AsyncHTTPClient.fetch`,
but defaults to false because tests often need to deal with non-200
responses (and for backwards-compatibility).
- The `.AsyncTestCase.stop` and `.AsyncTestCase.wait` methods are
deprecated.
`tornado.web`
~~~~~~~~~~~~~
- New method `.RequestHandler.detach` can be used from methods
that are not decorated with ``@asynchronous`` (the decorator
was required to use ``self.request.connection.detach()``.
- `.RequestHandler.finish` and `.RequestHandler.render` now return
``Futures`` that can be used to wait for the last part of the
response to be sent to the client.
- `.FallbackHandler` now calls ``on_finish`` for the benefit of
subclasses that may have overridden it.
- The ``asynchronous`` decorator is deprecated and will be removed in 6.0.
- The ``callback`` argument to `.RequestHandler.flush` is deprecated
and will be removed in 6.0.
`tornado.websocket`
~~~~~~~~~~~~~~~~~~~
- When compression is enabled, memory limits now apply to the
post-decompression size of the data, protecting against DoS attacks.
- `.websocket_connect` now supports subprotocols.
- `.WebSocketHandler` and `.WebSocketClientConnection` now have
``selected_subprotocol`` attributes to see the subprotocol in use.
- The `.WebSocketHandler.select_subprotocol` method is now called with
an empty list instead of a list containing an empty string if no
subprotocols were requested by the client.
- `.WebSocketHandler.open` may now be a coroutine.
- The ``data`` argument to `.WebSocketHandler.ping` is now optional.
- Client-side websocket connections no longer buffer more than one
message in memory at a time.
- Exception logging now uses `.RequestHandler.log_exception`.
`tornado.wsgi`
~~~~~~~~~~~~~~
- ``WSGIApplication`` and ``WSGIAdapter`` are deprecated and will be removed
in Tornado 6.0.
What's new in Tornado 5.0.2
===========================
Apr 7, 2018
-----------
Bug fixes
~~~~~~~~~
- Fixed a memory leak when `.IOLoop` objects are created and destroyed.
- If `.AsyncTestCase.get_new_ioloop` returns a reference to a
preexisting event loop (typically when it has been overridden to
return `.IOLoop.current()`), the test's ``tearDown`` method will not
close this loop.
- Fixed a confusing error message when the synchronous `.HTTPClient`
fails to initialize because an event loop is already running.
- `.PeriodicCallback` no longer executes twice in a row due to
backwards clock adjustments.
What's new in Tornado 5.0.1
===========================
Mar 18, 2018
------------
Bug fix
~~~~~~~
- This release restores support for versions of Python 3.4 prior to
3.4.4. This is important for compatibility with Debian Jessie which
has 3.4.2 as its version of Python 3.
What's new in Tornado 5.0
=========================
Mar 5, 2018
-----------
Highlights
~~~~~~~~~~
- The focus of this release is improving integration with `asyncio`.
On Python 3, the `.IOLoop` is always a wrapper around the `asyncio`
event loop, and `asyncio.Future` and `asyncio.Task` are used instead
of their Tornado counterparts. This means that libraries based on
`asyncio` can be mixed relatively seamlessly with those using
Tornado. While care has been taken to minimize the disruption from
this change, code changes may be required for compatibility with
Tornado 5.0, as detailed in the following section.
- Tornado 5.0 supports Python 2.7.9+ and 3.4+. Python 2.7 and 3.4 are
deprecated and support for them will be removed in Tornado 6.0,
which will require Python 3.5+.
Backwards-compatibility notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Python 3.3 is no longer supported.
- Versions of Python 2.7 that predate the `ssl` module update are no
longer supported. (The `ssl` module was updated in version 2.7.9,
although in some distributions the updates are present in builds
with a lower version number. Tornado requires `ssl.SSLContext`,
`ssl.create_default_context`, and `ssl.match_hostname`)
- Versions of Python 3.5 prior to 3.5.2 are no longer supported due to
a change in the async iterator protocol in that version.
- The ``trollius`` project (`asyncio` backported to Python 2) is no
longer supported.
- `tornado.concurrent.Future` is now an alias for `asyncio.Future`
when running on Python 3. This results in a number of minor
behavioral changes:
- `.Future` objects can only be created while there is a current
`.IOLoop`
- The timing of callbacks scheduled with
``Future.add_done_callback`` has changed.
`tornado.concurrent.future_add_done_callback` can be used to
make the behavior more like older versions of Tornado (but not
identical). Some of these changes are also present in the Python
2 version of `tornado.concurrent.Future` to minimize the
difference between Python 2 and 3.
- Cancellation is now partially supported, via
`asyncio.Future.cancel`. A canceled `.Future` can no longer have
its result set. Applications that handle `~asyncio.Future`
objects directly may want to use
`tornado.concurrent.future_set_result_unless_cancelled`. In
native coroutines, cancellation will cause an exception to be
raised in the coroutine.
- The ``exc_info`` and ``set_exc_info`` methods are no longer
present. Use `tornado.concurrent.future_set_exc_info` to replace
the latter, and raise the exception with
`~asyncio.Future.result` to replace the former.
- ``io_loop`` arguments to many Tornado functions have been removed.
Use `.IOLoop.current()` instead of passing `.IOLoop` objects
explicitly.
- On Python 3, `.IOLoop` is always a wrapper around the `asyncio`
event loop. ``IOLoop.configure`` is effectively removed on Python 3
(for compatibility, it may be called to redundantly specify the
`asyncio`-backed `.IOLoop`)
- `.IOLoop.instance` is now a deprecated alias for `.IOLoop.current`.
Applications that need the cross-thread communication behavior
facilitated by `.IOLoop.instance` should use their own global variable
instead.
Other notes
~~~~~~~~~~~
- The ``futures`` (`concurrent.futures` backport) package is now required
on Python 2.7.
- The ``certifi`` and ``backports.ssl-match-hostname`` packages are no
longer required on Python 2.7.
- Python 3.6 or higher is recommended, because it features more
efficient garbage collection of `asyncio.Future` objects.
`tornado.auth`
~~~~~~~~~~~~~~
- `.GoogleOAuth2Mixin` now uses a newer set of URLs.
`tornado.autoreload`
~~~~~~~~~~~~~~~~~~~~
- On Python 3, uses ``__main__.__spec`` to more reliably reconstruct
the original command line and avoid modifying ``PYTHONPATH``.
- The ``io_loop`` argument to `tornado.autoreload.start` has been removed.
`tornado.concurrent`
~~~~~~~~~~~~~~~~~~~~
- `tornado.concurrent.Future` is now an alias for `asyncio.Future`
when running on Python 3. See "Backwards-compatibility notes" for
more.
- Setting the result of a ``Future`` no longer blocks while callbacks
are being run. Instead, the callbacks are scheduled on the next
`.IOLoop` iteration.
- The deprecated alias ``tornado.concurrent.TracebackFuture`` has been
removed.
- `tornado.concurrent.chain_future` now works with all three kinds of
``Futures`` (Tornado, `asyncio`, and `concurrent.futures`)
- The ``io_loop`` argument to `tornado.concurrent.run_on_executor` has
been removed.
- New functions `.future_set_result_unless_cancelled`,
`.future_set_exc_info`, and `.future_add_done_callback` help mask
the difference between `asyncio.Future` and Tornado's previous
``Future`` implementation.
`tornado.curl_httpclient`
~~~~~~~~~~~~~~~~~~~~~~~~~
- Improved debug logging on Python 3.
- The ``time_info`` response attribute now includes ``appconnect`` in
addition to other measurements.
- Closing a `.CurlAsyncHTTPClient` now breaks circular references that
could delay garbage collection.
- The ``io_loop`` argument to the `.CurlAsyncHTTPClient` constructor
has been removed.
`tornado.gen`
~~~~~~~~~~~~~
- ``tornado.gen.TimeoutError`` is now an alias for
`tornado.util.TimeoutError`.
- Leak detection for ``Futures`` created by this module now attributes
them to their proper caller instead of the coroutine machinery.
- Several circular references that could delay garbage collection have
been broken up.
- On Python 3, `asyncio.Task` is used instead of the Tornado coroutine
runner. This improves compatibility with some `asyncio` libraries
and adds support for cancellation.
- The ``io_loop`` arguments to ``YieldFuture`` and `.with_timeout` have
been removed.
`tornado.httpclient`
~~~~~~~~~~~~~~~~~~~~
- The ``io_loop`` argument to all `.AsyncHTTPClient` constructors has
been removed.
`tornado.httpserver`
~~~~~~~~~~~~~~~~~~~~
- It is now possible for a client to reuse a connection after sending
a chunked request.
- If a client sends a malformed request, the server now responds with
a 400 error instead of simply closing the connection.
- ``Content-Length`` and ``Transfer-Encoding`` headers are no longer
sent with 1xx or 204 responses (this was already true of 304
responses).
- When closing a connection to a HTTP/1.1 client, the ``Connection:
close`` header is sent with the response.
- The ``io_loop`` argument to the `.HTTPServer` constructor has been
removed.
- If more than one ``X-Scheme`` or ``X-Forwarded-Proto`` header is
present, only the last is used.
`tornado.httputil`
~~~~~~~~~~~~~~~~~~
- The string representation of `.HTTPServerRequest` objects (which are
sometimes used in log messages) no longer includes the request
headers.
- New function `.qs_to_qsl` converts the result of
`urllib.parse.parse_qs` to name-value pairs.
`tornado.ioloop`
~~~~~~~~~~~~~~~~
- ``tornado.ioloop.TimeoutError`` is now an alias for
`tornado.util.TimeoutError`.
- `.IOLoop.instance` is now a deprecated alias for `.IOLoop.current`.
- `.IOLoop.install` and `.IOLoop.clear_instance` are deprecated.
- The ``IOLoop.initialized`` method has been removed.
- On Python 3, the `asyncio`-backed `.IOLoop` is always used and
alternative `.IOLoop` implementations cannot be configured.
`.IOLoop.current` and related methods pass through to
`asyncio.get_event_loop`.
- `~.IOLoop.run_sync` cancels its argument on a timeout. This
results in better stack traces (and avoids log messages about leaks)
in native coroutines.
- New methods `.IOLoop.run_in_executor` and
`.IOLoop.set_default_executor` make it easier to run functions in
other threads from native coroutines (since
`concurrent.futures.Future` does not support ``await``).
- ``PollIOLoop`` (the default on Python 2) attempts to detect misuse
of `.IOLoop` instances across `os.fork`.
- The ``io_loop`` argument to `.PeriodicCallback` has been removed.
- It is now possible to create a `.PeriodicCallback` in one thread
and start it in another without passing an explicit event loop.
- The ``IOLoop.set_blocking_signal_threshold`` and
``IOLoop.set_blocking_log_threshold`` methods are deprecated because
they are not implemented for the `asyncio` event loop`. Use the
``PYTHONASYNCIODEBUG=1`` environment variable instead.
- `.IOLoop.clear_current` now works if it is called before any
current loop is established.
`tornado.iostream`
~~~~~~~~~~~~~~~~~~
- The ``io_loop`` argument to the `.IOStream` constructor has been removed.
- New method `.BaseIOStream.read_into` provides a minimal-copy alternative to
`.BaseIOStream.read_bytes`.
- `.BaseIOStream.write` is now much more efficient for very large amounts of data.
- Fixed some cases in which ``IOStream.error`` could be inaccurate.
- Writing a `memoryview` can no longer result in "BufferError:
Existing exports of data: object cannot be re-sized".
`tornado.locks`
~~~~~~~~~~~~~~~
- As a side effect of the ``Future`` changes, waiters are always
notified asynchronously with respect to `.Condition.notify`.
`tornado.netutil`
~~~~~~~~~~~~~~~~~
- The default `.Resolver` now uses `.IOLoop.run_in_executor`.
`.ExecutorResolver`, `.BlockingResolver`, and `.ThreadedResolver` are
deprecated.
- The ``io_loop`` arguments to `.add_accept_handler`,
`.ExecutorResolver`, and `.ThreadedResolver` have been removed.
- `.add_accept_handler` returns a callable which can be used to remove
all handlers that were added.
- `.OverrideResolver` now accepts per-family overrides.
`tornado.options`
~~~~~~~~~~~~~~~~~
- Duplicate option names are now detected properly whether they use
hyphens or underscores.
`tornado.platform.asyncio`
~~~~~~~~~~~~~~~~~~~~~~~~~~
- `.AsyncIOLoop` and `.AsyncIOMainLoop` are now used automatically
when appropriate; referencing them explicitly is no longer
recommended.
- Starting an `.IOLoop` or making it current now also sets the
`asyncio` event loop for the current thread. Closing an `.IOLoop`
closes the corresponding `asyncio` event loop.
- `.to_tornado_future` and `.to_asyncio_future` are deprecated since
they are now no-ops.
- `~.AnyThreadEventLoopPolicy` can now be used to easily allow the creation
of event loops on any thread (similar to Tornado's prior policy).
`tornado.platform.caresresolver`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The ``io_loop`` argument to `.CaresResolver` has been removed.
`tornado.platform.twisted`
~~~~~~~~~~~~~~~~~~~~~~~~~~
- The ``io_loop`` arguments to ``TornadoReactor``, `.TwistedResolver`,
and ``tornado.platform.twisted.install`` have been removed.
`tornado.process`
~~~~~~~~~~~~~~~~~
- The ``io_loop`` argument to the `.Subprocess` constructor and
`.Subprocess.initialize` has been removed.
`tornado.routing`
~~~~~~~~~~~~~~~~~
- A default 404 response is now generated if no delegate is found for
a request.
`tornado.simple_httpclient`
~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The ``io_loop`` argument to `.SimpleAsyncHTTPClient` has been removed.
- TLS is now configured according to `ssl.create_default_context` by
default.
`tornado.tcpclient`
~~~~~~~~~~~~~~~~~~~
- The ``io_loop`` argument to the `.TCPClient` constructor has been
removed.
- `.TCPClient.connect` has a new ``timeout`` argument.
`tornado.tcpserver`
~~~~~~~~~~~~~~~~~~~
- The ``io_loop`` argument to the `.TCPServer` constructor has been
removed.
- `.TCPServer` no longer logs ``EBADF`` errors during shutdown.
`tornado.testing`
~~~~~~~~~~~~~~~~~
- The deprecated ``tornado.testing.get_unused_port`` and
``tornado.testing.LogTrapTestCase`` have been removed.
- `.AsyncHTTPTestCase.fetch` now supports absolute URLs.
- `.AsyncHTTPTestCase.fetch` now connects to ``127.0.0.1``
instead of ``localhost`` to be more robust against faulty
ipv6 configurations.
`tornado.util`
~~~~~~~~~~~~~~
- `tornado.util.TimeoutError` replaces ``tornado.gen.TimeoutError``
and ``tornado.ioloop.TimeoutError``.
- `.Configurable` now supports configuration at multiple levels of an
inheritance hierarchy.
`tornado.web`
~~~~~~~~~~~~~
- `.RequestHandler.set_status` no longer requires that the given
status code appear in `http.client.responses`.
- It is no longer allowed to send a body with 1xx or 204 responses.
- Exception handling now breaks up reference cycles that could delay
garbage collection.
- `.RedirectHandler` now copies any query arguments from the request
to the redirect location.
- If both ``If-None-Match`` and ``If-Modified-Since`` headers are present
in a request to `.StaticFileHandler`, the latter is now ignored.
`tornado.websocket`
~~~~~~~~~~~~~~~~~~~
- The C accelerator now operates on multiple bytes at a time to
improve performance.
- Requests with invalid websocket headers now get a response with
status code 400 instead of a closed connection.
- `.WebSocketHandler.write_message` now raises `.WebSocketClosedError` if
the connection closes while the write is in progress.
- The ``io_loop`` argument to `.websocket_connect` has been removed.
What's new in Tornado 4.5.3
===========================
Jan 6, 2018
------------
`tornado.curl_httpclient`
~~~~~~~~~~~~~~~~~~~~~~~~~
- Improved debug logging on Python 3.
`tornado.httpserver`
~~~~~~~~~~~~~~~~~~~~
- ``Content-Length`` and ``Transfer-Encoding`` headers are no longer
sent with 1xx or 204 responses (this was already true of 304
responses).
- Reading chunked requests no longer leaves the connection in a broken
state.
`tornado.iostream`
~~~~~~~~~~~~~~~~~~
- Writing a `memoryview` can no longer result in "BufferError:
Existing exports of data: object cannot be re-sized".
`tornado.options`
~~~~~~~~~~~~~~~~~
- Duplicate option names are now detected properly whether they use
hyphens or underscores.
`tornado.testing`
~~~~~~~~~~~~~~~~~
- `.AsyncHTTPTestCase.fetch` now uses ``127.0.0.1`` instead of
``localhost``, improving compatibility with systems that have
partially-working ipv6 stacks.
`tornado.web`
~~~~~~~~~~~~~
- It is no longer allowed to send a body with 1xx or 204 responses.
`tornado.websocket`
~~~~~~~~~~~~~~~~~~~
- Requests with invalid websocket headers now get a response with
status code 400 instead of a closed connection.
What's new in Tornado 4.5.2
===========================
Aug 27, 2017
------------
Bug Fixes
~~~~~~~~~
- Tornado now sets the ``FD_CLOEXEC`` flag on all file descriptors it creates. This prevents hanging client connections and resource leaks when the `tornado.autoreload` module (or ``Application(debug=True)``) is used.
What's new in Tornado 4.5.1
===========================
Apr 20, 2017
------------
`tornado.log`
~~~~~~~~~~~~~
- Improved detection of libraries for colorized logging.
`tornado.httputil`
~~~~~~~~~~~~~~~~~~
- `.url_concat` once again treats None as equivalent to an empty sequence.
What's new in Tornado 4.5
=========================
Apr 16, 2017
------------
Backwards-compatibility warning
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The `tornado.websocket` module now imposes a limit on the size of incoming
messages, which defaults to 10MiB.
New module
~~~~~~~~~~
- `tornado.routing` provides a more flexible routing system than the one built in
to `.Application`.
General changes
~~~~~~~~~~~~~~~
- Reduced the number of circular references, reducing memory usage and
improving performance.
`tornado.auth`
~~~~~~~~~~~~~~
* The `tornado.auth` module has been updated for compatibility with `a
change to Facebook's access_token endpoint
<https://github.com/tornadoweb/tornado/pull/1977>`_. This includes both
the changes initially released in Tornado 4.4.3 and an additional change
to support the ```session_expires`` field in the new format.
The ``session_expires`` field is currently a string; it should be accessed
as ``int(user['session_expires'])`` because it will change from a string to
an int in Tornado 5.0.
`tornado.autoreload`
~~~~~~~~~~~~~~~~~~~~
- Autoreload is now compatible with the `asyncio` event loop.
- Autoreload no longer attempts to close the `.IOLoop` and all registered
file descriptors before restarting; it relies on the ``CLOEXEC`` flag
being set instead.
`tornado.concurrent`
~~~~~~~~~~~~~~~~~~~~
- Suppressed some "'NoneType' object not callback" messages that could
be logged at shutdown.
`tornado.gen`
~~~~~~~~~~~~~
- ``yield None`` is now equivalent to ``yield gen.moment``.
`~tornado.gen.moment` is deprecated. This improves compatibility with
`asyncio`.
- Fixed an issue in which a generator object could be garbage
collected prematurely (most often when weak references are used.
- New function `.is_coroutine_function` identifies functions wrapped
by `.coroutine` or ``engine``.
``tornado.http1connection``
~~~~~~~~~~~~~~~~~~~~~~~~~~~
- The ``Transfer-Encoding`` header is now parsed case-insensitively.
`tornado.httpclient`
~~~~~~~~~~~~~~~~~~~~
- ``SimpleAsyncHTTPClient`` now follows 308 redirects.
- ``CurlAsyncHTTPClient`` will no longer accept protocols other than
``http`` and ``https``. To override this, set ``pycurl.PROTOCOLS``
and ``pycurl.REDIR_PROTOCOLS`` in a ``prepare_curl_callback``.
- ``CurlAsyncHTTPClient`` now supports digest authentication for proxies
(in addition to basic auth) via the new ``proxy_auth_mode`` argument.
- The minimum supported version of ``libcurl`` is now ``7.22.0``.
`tornado.httpserver`
~~~~~~~~~~~~~~~~~~~~
- `.HTTPServer` now accepts the keyword argument
``trusted_downstream`` which controls the parsing of
``X-Forwarded-For`` headers. This header may be a list or set of IP
addresses of trusted proxies which will be skipped in the
``X-Forwarded-For`` list.
- The ``no_keep_alive`` argument works again.
`tornado.httputil`
~~~~~~~~~~~~~~~~~~
- `.url_concat` correctly handles fragments and existing query arguments.
`tornado.ioloop`
~~~~~~~~~~~~~~~~
- Fixed 100% CPU usage after a callback returns an empty list or dict.
- `.IOLoop.add_callback` now uses a lockless implementation which
makes it safe for use from ``__del__`` methods. This improves
performance of calls to `~.IOLoop.add_callback` from the `.IOLoop`
thread, and slightly decreases it for calls from other threads.
`tornado.iostream`
~~~~~~~~~~~~~~~~~~
- `memoryview` objects are now permitted as arguments to `~.BaseIOStream.write`.
- The internal memory buffers used by `.IOStream` now use `bytearray`
instead of a list of `bytes`, improving performance.
- Futures returned by `~.BaseIOStream.write` are no longer orphaned if a second
call to ``write`` occurs before the previous one is finished.
`tornado.log`
~~~~~~~~~~~~~
- Colored log output is now supported on Windows if the
`colorama <https://pypi.python.org/pypi/colorama>`_ library
is installed and the application calls ``colorama.init()`` at
startup.
- The signature of the `.LogFormatter` constructor has been changed to
make it compatible with `logging.config.dictConfig`.
`tornado.netutil`
~~~~~~~~~~~~~~~~~
- Worked around an issue that caused "LookupError: unknown encoding:
latin1" errors on Solaris.
`tornado.process`
~~~~~~~~~~~~~~~~~
- `.Subprocess` no longer causes "subprocess still running" warnings on Python 3.6.
- Improved error handling in `.cpu_count`.
`tornado.tcpclient`
~~~~~~~~~~~~~~~~~~~
- `.TCPClient` now supports a ``source_ip`` and ``source_port`` argument.
- Improved error handling for environments where IPv6 support is incomplete.
`tornado.tcpserver`
~~~~~~~~~~~~~~~~~~~
- `.TCPServer.handle_stream` implementations may now be native coroutines.
- Stopping a `.TCPServer` twice no longer raises an exception.
`tornado.web`
~~~~~~~~~~~~~
- `.RedirectHandler` now supports substituting parts of the matched
URL into the redirect location using `str.format` syntax.
- New methods `.RequestHandler.render_linked_js`,
`.RequestHandler.render_embed_js`,
`.RequestHandler.render_linked_css`, and
`.RequestHandler.render_embed_css` can be overridden to customize
the output of `.UIModule`.
`tornado.websocket`
~~~~~~~~~~~~~~~~~~~
- `.WebSocketHandler.on_message` implementations may now be
coroutines. New messages will not be processed until the previous
``on_message`` coroutine has finished.
- The ``websocket_ping_interval`` and ``websocket_ping_timeout``
application settings can now be used to enable a periodic ping of
the websocket connection, allowing dropped connections to be
detected and closed.
- The new ``websocket_max_message_size`` setting defaults to 10MiB.
The connection will be closed if messages larger than this are received.
- Headers set by `.RequestHandler.prepare` or
`.RequestHandler.set_default_headers` are now sent as a part of the
websocket handshake.
- Return values from `.WebSocketHandler.get_compression_options` may now include
the keys ``compression_level`` and ``mem_level`` to set gzip parameters.
The default compression level is now 6 instead of 9.
Demos
~~~~~
- A new file upload demo is available in the `file_upload
<https://github.com/tornadoweb/tornado/tree/master/demos/file_upload>`_
directory.
- A new `.TCPClient` and `.TCPServer` demo is available in the
`tcpecho <https://github.com/tornadoweb/tornado/tree/master/demos/tcpecho>`_ directory.
- Minor updates have been made to several existing demos, including
updates to more recent versions of jquery.
Credits
~~~~~~~
The following people contributed commits to this release:
- A\. Jesse Jiryu Davis
- Aaron Opfer
- Akihiro Yamazaki
- Alexander
- Andreas Røsdal
- Andrew Rabert
- Andrew Sumin
- Antoine Pietri
- Antoine Pitrou
- Artur Stawiarski
- Ben Darnell
- Brian Mego
- Dario
- Doug Vargas
- Eugene Dubovoy
- Iver Jordal
- JZQT
- James Maier
- Jeff Hunter
- Leynos
- Mark Henderson
- Michael V. DePalatis
- Min RK
- Mircea Ulinic
- Ping
- Ping Yang
- Riccardo Magliocchetti
- Samuel Chen
- Samuel Dion-Girardeau
- Scott Meisburger
- Shawn Ding
- TaoBeier
- Thomas Kluyver
- Vadim Semenov
- matee
- mike820324
- stiletto
- zhimin
- 依云
What's new in Tornado 4.4.3
===========================
Mar 30, 2017
------------
Bug fixes
~~~~~~~~~
* The `tornado.auth` module has been updated for compatibility with `a
change to Facebook's access_token endpoint.
<https://github.com/tornadoweb/tornado/pull/1977>`_
What's new in Tornado 4.4.2
===========================
Oct 1, 2016
------------
Security fixes
~~~~~~~~~~~~~~
* A difference in cookie parsing between Tornado and web browsers
(especially when combined with Google Analytics) could allow an
attacker to set arbitrary cookies and bypass XSRF protection. The
cookie parser has been rewritten to fix this attack.
Backwards-compatibility notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Cookies containing certain special characters (in particular semicolon
and square brackets) are now parsed differently.
* If the cookie header contains a combination of valid and invalid cookies,
the valid ones will be returned (older versions of Tornado would reject the
entire header for a single invalid cookie).
What's new in Tornado 4.4.1
===========================
Jul 23, 2016
------------
`tornado.web`
~~~~~~~~~~~~~
* Fixed a regression in Tornado 4.4 which caused URL regexes
containing backslash escapes outside capturing groups to be
rejected.
What's new in Tornado 4.4
=========================
Jul 15, 2016
------------
General
~~~~~~~
* Tornado now requires Python 2.7 or 3.3+; versions 2.6 and 3.2 are no
longer supported. Pypy3 is still supported even though its latest
release is mainly based on Python 3.2.
* The `monotonic <https://pypi.python.org/pypi/monotonic>`_ package is
now supported as an alternative to `Monotime
<https://pypi.python.org/pypi/Monotime>`_ for monotonic clock support
on Python 2.
``tornado.curl_httpclient``
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Failures in ``_curl_setup_request`` no longer cause the
``max_clients`` pool to be exhausted.
* Non-ascii header values are now handled correctly.
`tornado.gen`
~~~~~~~~~~~~~
* `.with_timeout` now accepts any yieldable object (except
``YieldPoint``), not just `tornado.concurrent.Future`.
`tornado.httpclient`
~~~~~~~~~~~~~~~~~~~~
* The errors raised by timeouts now indicate what state the request
was in; the error message is no longer simply "599 Timeout".
* Calling `repr` on a `tornado.httpclient.HTTPError` no longer raises
an error.
`tornado.httpserver`
~~~~~~~~~~~~~~~~~~~~
* Int-like enums (including `http.HTTPStatus`) can now be used as
status codes.
* Responses with status code ``204 No Content`` no longer emit a
``Content-Length: 0`` header.
`tornado.ioloop`
~~~~~~~~~~~~~~~~
* Improved performance when there are large numbers of active timeouts.
`tornado.netutil`
~~~~~~~~~~~~~~~~~
* All included `.Resolver` implementations raise `IOError` (or a
subclass) for any resolution failure.
`tornado.options`
~~~~~~~~~~~~~~~~~
* Options can now be modified with subscript syntax in addition to
attribute syntax.
* The special variable ``__file__`` is now available inside config files.
``tornado.simple_httpclient``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* HTTP/1.0 (not 1.1) responses without a ``Content-Length`` header now
work correctly.
`tornado.tcpserver`
~~~~~~~~~~~~~~~~~~~
* `.TCPServer.bind` now accepts a ``reuse_port`` argument.
`tornado.testing`
~~~~~~~~~~~~~~~~~
* Test sockets now always use ``127.0.0.1`` instead of ``localhost``.
This avoids conflicts when the automatically-assigned port is
available on IPv4 but not IPv6, or in unusual network configurations
when ``localhost`` has multiple IP addresses.
`tornado.web`
~~~~~~~~~~~~~
* ``image/svg+xml`` is now on the list of compressible mime types.
* Fixed an error on Python 3 when compression is used with multiple
``Vary`` headers.
`tornado.websocket`
~~~~~~~~~~~~~~~~~~~
* ``WebSocketHandler.__init__`` now uses `super`, which improves
support for multiple inheritance.
What's new in Tornado 4.3
=========================
Nov 6, 2015
-----------
Highlights
~~~~~~~~~~
* The new async/await keywords in Python 3.5 are supported. In most cases,
``async def`` can be used in place of the ``@gen.coroutine`` decorator.
Inside a function defined with ``async def``, use ``await`` instead of
``yield`` to wait on an asynchronous operation. Coroutines defined with
async/await will be faster than those defined with ``@gen.coroutine`` and
``yield``, but do not support some features including ``Callback``/``Wait`` or
the ability to yield a Twisted ``Deferred``. See :ref:`the users'
guide <native_coroutines>` for more.
* The async/await keywords are also available when compiling with Cython in
older versions of Python.
Deprecation notice
~~~~~~~~~~~~~~~~~~
* This will be the last release of Tornado to support Python 2.6 or 3.2.
Note that PyPy3 will continue to be supported even though it implements
a mix of Python 3.2 and 3.3 features.
Installation
~~~~~~~~~~~~
* Tornado has several new dependencies: ``ordereddict`` on Python 2.6,
``singledispatch`` on all Python versions prior to 3.4 (This was an
optional dependency in prior versions of Tornado, and is now
mandatory), and ``backports_abc>=0.4`` on all versions prior to
3.5. These dependencies will be installed automatically when installing
with ``pip`` or ``setup.py install``. These dependencies will not
be required when running on Google App Engine.
* Binary wheels are provided for Python 3.5 on Windows (32 and 64 bit).
`tornado.auth`
~~~~~~~~~~~~~~
* New method `.OAuth2Mixin.oauth2_request` can be used to make authenticated
requests with an access token.
* Now compatible with callbacks that have been compiled with Cython.
`tornado.autoreload`
~~~~~~~~~~~~~~~~~~~~
* Fixed an issue with the autoreload command-line wrapper in which
imports would be incorrectly interpreted as relative.
`tornado.curl_httpclient`
~~~~~~~~~~~~~~~~~~~~~~~~~
* Fixed parsing of multi-line headers.
* ``allow_nonstandard_methods=True`` now bypasses body sanity checks,
in the same way as in ``simple_httpclient``.
* The ``PATCH`` method now allows a body without
``allow_nonstandard_methods=True``.
`tornado.gen`
~~~~~~~~~~~~~
* `.WaitIterator` now supports the ``async for`` statement on Python 3.5.
* ``@gen.coroutine`` can be applied to functions compiled with Cython.
On python versions prior to 3.5, the ``backports_abc`` package must
be installed for this functionality.
* ``Multi`` and `.multi_future` are deprecated and replaced by
a unified function `.multi`.
`tornado.httpclient`
~~~~~~~~~~~~~~~~~~~~
* `tornado.httpclient.HTTPError` is now copyable with the `copy` module.
`tornado.httpserver`
~~~~~~~~~~~~~~~~~~~~
* Requests containing both ``Content-Length`` and ``Transfer-Encoding``
will be treated as an error.
`tornado.httputil`
~~~~~~~~~~~~~~~~~~
* `.HTTPHeaders` can now be pickled and unpickled.
`tornado.ioloop`
~~~~~~~~~~~~~~~~
* ``IOLoop(make_current=True)`` now works as intended instead
of raising an exception.
* The Twisted and asyncio IOLoop implementations now clear
``current()`` when they exit, like the standard IOLoops.
* `.IOLoop.add_callback` is faster in the single-threaded case.
* `.IOLoop.add_callback` no longer raises an error when called on
a closed IOLoop, but the callback will not be invoked.
`tornado.iostream`
~~~~~~~~~~~~~~~~~~
* Coroutine-style usage of `.IOStream` now converts most errors into
`.StreamClosedError`, which has the effect of reducing log noise from
exceptions that are outside the application's control (especially
SSL errors).
* `.StreamClosedError` now has a ``real_error`` attribute which indicates
why the stream was closed. It is the same as the ``error`` attribute of
`.IOStream` but may be more easily accessible than the `.IOStream` itself.
* Improved error handling in `~.BaseIOStream.read_until_close`.
* Logging is less noisy when an SSL server is port scanned.
* ``EINTR`` is now handled on all reads.
`tornado.locale`
~~~~~~~~~~~~~~~~
* `tornado.locale.load_translations` now accepts encodings other than
UTF-8. UTF-16 and UTF-8 will be detected automatically if a BOM is
present; for other encodings `.load_translations` has an ``encoding``
parameter.
`tornado.locks`
~~~~~~~~~~~~~~~
* `.Lock` and `.Semaphore` now support the ``async with`` statement on
Python 3.5.
`tornado.log`
~~~~~~~~~~~~~
* A new time-based log rotation mode is available with
``--log_rotate_mode=time``, ``--log-rotate-when``, and
``log-rotate-interval``.
`tornado.netutil`
~~~~~~~~~~~~~~~~~
* `.bind_sockets` now supports ``SO_REUSEPORT`` with the ``reuse_port=True``
argument.
`tornado.options`
~~~~~~~~~~~~~~~~~
* Dashes and underscores are now fully interchangeable in option names.
`tornado.queues`
~~~~~~~~~~~~~~~~
* `.Queue` now supports the ``async for`` statement on Python 3.5.
`tornado.simple_httpclient`
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* When following redirects, ``streaming_callback`` and
``header_callback`` will no longer be run on the redirect responses
(only the final non-redirect).
* Responses containing both ``Content-Length`` and ``Transfer-Encoding``
will be treated as an error.
`tornado.template`
~~~~~~~~~~~~~~~~~~
* `tornado.template.ParseError` now includes the filename in addition to
line number.
* Whitespace handling has become more configurable. The `.Loader`
constructor now has a ``whitespace`` argument, there is a new
``template_whitespace`` `.Application` setting, and there is a new
``{% whitespace %}`` template directive. All of these options take
a mode name defined in the `tornado.template.filter_whitespace` function.
The default mode is ``single``, which is the same behavior as prior
versions of Tornado.
* Non-ASCII filenames are now supported.
`tornado.testing`
~~~~~~~~~~~~~~~~~
* `.ExpectLog` objects now have a boolean ``logged_stack`` attribute to
make it easier to test whether an exception stack trace was logged.
`tornado.web`
~~~~~~~~~~~~~
* The hard limit of 4000 bytes per outgoing header has been removed.
* `.StaticFileHandler` returns the correct ``Content-Type`` for files
with ``.gz``, ``.bz2``, and ``.xz`` extensions.
* Responses smaller than 1000 bytes will no longer be compressed.
* The default gzip compression level is now 6 (was 9).
* Fixed a regression in Tornado 4.2.1 that broke `.StaticFileHandler`
with a ``path`` of ``/``.
* `tornado.web.HTTPError` is now copyable with the `copy` module.
* The exception `.Finish` now accepts an argument which will be passed to
the method `.RequestHandler.finish`.
* New `.Application` setting ``xsrf_cookie_kwargs`` can be used to set
additional attributes such as ``secure`` or ``httponly`` on the
XSRF cookie.
* `.Application.listen` now returns the `.HTTPServer` it created.
`tornado.websocket`
~~~~~~~~~~~~~~~~~~~
* Fixed handling of continuation frames when compression is enabled.
What's new in Tornado 4.2.1
===========================
Jul 17, 2015
------------
Security fix
~~~~~~~~~~~~
* This release fixes a path traversal vulnerability in `.StaticFileHandler`,
in which files whose names *started with* the ``static_path`` directory
but were not actually *in* that directory could be accessed.
What's new in Tornado 4.2
=========================
May 26, 2015
------------
Backwards-compatibility notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* ``SSLIOStream.connect`` and `.IOStream.start_tls` now validate certificates
by default.
* Certificate validation will now use the system CA root certificates instead
of ``certifi`` when possible (i.e. Python 2.7.9+ or 3.4+). This includes
`.IOStream` and ``simple_httpclient``, but not ``curl_httpclient``.
* The default SSL configuration has become stricter, using
`ssl.create_default_context` where available on the client side.
(On the server side, applications are encouraged to migrate from the
``ssl_options`` dict-based API to pass an `ssl.SSLContext` instead).
* The deprecated classes in the `tornado.auth` module, ``GoogleMixin``,
``FacebookMixin``, and ``FriendFeedMixin`` have been removed.
New modules: `tornado.locks` and `tornado.queues`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
These modules provide classes for coordinating coroutines, merged from
`Toro <https://toro.readthedocs.io>`_.
To port your code from Toro's queues to Tornado 4.2, import `.Queue`,
`.PriorityQueue`, or `.LifoQueue` from `tornado.queues` instead of from
``toro``.
Use `.Queue` instead of Toro's ``JoinableQueue``. In Tornado the methods
`~.Queue.join` and `~.Queue.task_done` are available on all queues, not on a
special ``JoinableQueue``.
Tornado queues raise exceptions specific to Tornado instead of reusing
exceptions from the Python standard library.
Therefore instead of catching the standard `queue.Empty` exception from
`.Queue.get_nowait`, catch the special `tornado.queues.QueueEmpty` exception,
and instead of catching the standard `queue.Full` from `.Queue.get_nowait`,
catch `tornado.queues.QueueFull`.
To port from Toro's locks to Tornado 4.2, import `.Condition`, `.Event`,
`.Semaphore`, `.BoundedSemaphore`, or `.Lock` from `tornado.locks`
instead of from ``toro``.
Toro's ``Semaphore.wait`` allowed a coroutine to wait for the semaphore to
be unlocked *without* acquiring it. This encouraged unorthodox patterns; in
Tornado, just use `~.Semaphore.acquire`.
Toro's ``Event.wait`` raised a ``Timeout`` exception after a timeout. In
Tornado, `.Event.wait` raises ``tornado.gen.TimeoutError``.
Toro's ``Condition.wait`` also raised ``Timeout``, but in Tornado, the `.Future`
returned by `.Condition.wait` resolves to False after a timeout::
@gen.coroutine
def await_notification():
if not (yield condition.wait(timeout=timedelta(seconds=1))):
print('timed out')
else:
print('condition is true')
In lock and queue methods, wherever Toro accepted ``deadline`` as a keyword
argument, Tornado names the argument ``timeout`` instead.
Toro's ``AsyncResult`` is not merged into Tornado, nor its exceptions
``NotReady`` and ``AlreadySet``. Use a `.Future` instead. If you wrote code like
this::
from tornado import gen
import toro
result = toro.AsyncResult()
@gen.coroutine
def setter():
result.set(1)
@gen.coroutine
def getter():
value = yield result.get()
print(value) # Prints "1".
Then the Tornado equivalent is::
from tornado import gen
from tornado.concurrent import Future
result = Future()
@gen.coroutine
def setter():
result.set_result(1)
@gen.coroutine
def getter():
value = yield result
print(value) # Prints "1".
`tornado.autoreload`
~~~~~~~~~~~~~~~~~~~~
* Improved compatibility with Windows.
* Fixed a bug in Python 3 if a module was imported during a reload check.
`tornado.concurrent`
~~~~~~~~~~~~~~~~~~~~
* `.run_on_executor` now accepts arguments to control which attributes
it uses to find the `.IOLoop` and executor.
`tornado.curl_httpclient`
~~~~~~~~~~~~~~~~~~~~~~~~~
* Fixed a bug that would cause the client to stop processing requests
if an exception occurred in certain places while there is a queue.
`tornado.escape`
~~~~~~~~~~~~~~~~
* `.xhtml_escape` now supports numeric character references in hex
format (`` ``)
`tornado.gen`
~~~~~~~~~~~~~
* `.WaitIterator` no longer uses weak references, which fixes several
garbage-collection-related bugs.
* ``tornado.gen.Multi`` and `tornado.gen.multi_future` (which are used when
yielding a list or dict in a coroutine) now log any exceptions after the
first if more than one `.Future` fails (previously they would be logged
when the `.Future` was garbage-collected, but this is more reliable).
Both have a new keyword argument ``quiet_exceptions`` to suppress
logging of certain exception types; to use this argument you must
call ``Multi`` or ``multi_future`` directly instead of simply yielding
a list.
* `.multi_future` now works when given multiple copies of the same `.Future`.
* On Python 3, catching an exception in a coroutine no longer leads to
leaks via ``Exception.__context__``.
`tornado.httpclient`
~~~~~~~~~~~~~~~~~~~~
* The ``raise_error`` argument now works correctly with the synchronous
`.HTTPClient`.
* The synchronous `.HTTPClient` no longer interferes with `.IOLoop.current()`.
`tornado.httpserver`
~~~~~~~~~~~~~~~~~~~~
* `.HTTPServer` is now a subclass of `tornado.util.Configurable`.
`tornado.httputil`
~~~~~~~~~~~~~~~~~~
* `.HTTPHeaders` can now be copied with `copy.copy` and `copy.deepcopy`.
`tornado.ioloop`
~~~~~~~~~~~~~~~~
* The `.IOLoop` constructor now has a ``make_current`` keyword argument
to control whether the new `.IOLoop` becomes `.IOLoop.current()`.
* Third-party implementations of `.IOLoop` should accept ``**kwargs``
in their ``IOLoop.initialize`` methods and pass them to the superclass
implementation.
* `.PeriodicCallback` is now more efficient when the clock jumps forward
by a large amount.
`tornado.iostream`
~~~~~~~~~~~~~~~~~~
* ``SSLIOStream.connect`` and `.IOStream.start_tls` now validate certificates
by default.
* New method `.SSLIOStream.wait_for_handshake` allows server-side applications
to wait for the handshake to complete in order to verify client certificates
or use NPN/ALPN.
* The `.Future` returned by ``SSLIOStream.connect`` now resolves after the
handshake is complete instead of as soon as the TCP connection is
established.
* Reduced logging of SSL errors.
* `.BaseIOStream.read_until_close` now works correctly when a
``streaming_callback`` is given but ``callback`` is None (i.e. when
it returns a `.Future`)
`tornado.locale`
~~~~~~~~~~~~~~~~
* New method `.GettextLocale.pgettext` allows additional context to be
supplied for gettext translations.
`tornado.log`
~~~~~~~~~~~~~
* `.define_logging_options` now works correctly when given a non-default
``options`` object.
`tornado.process`
~~~~~~~~~~~~~~~~~
* New method `.Subprocess.wait_for_exit` is a coroutine-friendly
version of `.Subprocess.set_exit_callback`.
`tornado.simple_httpclient`
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Improved performance on Python 3 by reusing a single `ssl.SSLContext`.
* New constructor argument ``max_body_size`` controls the maximum response
size the client is willing to accept. It may be bigger than
``max_buffer_size`` if ``streaming_callback`` is used.
`tornado.tcpserver`
~~~~~~~~~~~~~~~~~~~
* `.TCPServer.handle_stream` may be a coroutine (so that any exceptions
it raises will be logged).
`tornado.util`
~~~~~~~~~~~~~~
* `.import_object` now supports unicode strings on Python 2.
* `.Configurable.initialize` now supports positional arguments.
`tornado.web`
~~~~~~~~~~~~~
* Key versioning support for cookie signing. ``cookie_secret`` application
setting can now contain a dict of valid keys with version as key. The
current signing key then must be specified via ``key_version`` setting.
* Parsing of the ``If-None-Match`` header now follows the RFC and supports
weak validators.
* Passing ``secure=False`` or ``httponly=False`` to
`.RequestHandler.set_cookie` now works as expected (previously only the
presence of the argument was considered and its value was ignored).
* `.RequestHandler.get_arguments` now requires that its ``strip`` argument
be of type bool. This helps prevent errors caused by the slightly dissimilar
interfaces between the singular and plural methods.
* Errors raised in ``_handle_request_exception`` are now logged more reliably.
* `.RequestHandler.redirect` now works correctly when called from a handler
whose path begins with two slashes.
* Passing messages containing ``%`` characters to `tornado.web.HTTPError`
no longer causes broken error messages.
`tornado.websocket`
~~~~~~~~~~~~~~~~~~~
* The ``on_close`` method will no longer be called more than once.
* When the other side closes a connection, we now echo the received close
code back instead of sending an empty close frame.
What's new in Tornado 4.1
=========================
Feb 7, 2015
-----------
Highlights
~~~~~~~~~~
* If a `.Future` contains an exception but that exception is never
examined or re-raised (e.g. by yielding the `.Future`), a stack
trace will be logged when the `.Future` is garbage-collected.
* New class `tornado.gen.WaitIterator` provides a way to iterate
over ``Futures`` in the order they resolve.
* The `tornado.websocket` module now supports compression via the
"permessage-deflate" extension. Override
`.WebSocketHandler.get_compression_options` to enable on the server
side, and use the ``compression_options`` keyword argument to
`.websocket_connect` on the client side.
* When the appropriate packages are installed, it is possible to yield
`asyncio.Future` or Twisted ``Defered`` objects in Tornado coroutines.
Backwards-compatibility notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `.HTTPServer` now calls ``start_request`` with the correct
arguments. This change is backwards-incompatible, affecting any
application which implemented `.HTTPServerConnectionDelegate` by
following the example of `.Application` instead of the documented
method signatures.
`tornado.concurrent`
~~~~~~~~~~~~~~~~~~~~
* If a `.Future` contains an exception but that exception is never
examined or re-raised (e.g. by yielding the `.Future`), a stack
trace will be logged when the `.Future` is garbage-collected.
* `.Future` now catches and logs exceptions in its callbacks.
``tornado.curl_httpclient``
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* ``tornado.curl_httpclient`` now supports request bodies for ``PATCH``
and custom methods.
* ``tornado.curl_httpclient`` now supports resubmitting bodies after
following redirects for methods other than ``POST``.
* ``curl_httpclient`` now runs the streaming and header callbacks on
the IOLoop.
* ``tornado.curl_httpclient`` now uses its own logger for debug output
so it can be filtered more easily.
`tornado.gen`
~~~~~~~~~~~~~
* New class `tornado.gen.WaitIterator` provides a way to iterate
over ``Futures`` in the order they resolve.
* When the `~functools.singledispatch` library is available (standard on
Python 3.4, available via ``pip install singledispatch`` on older versions),
the `.convert_yielded` function can be used to make other kinds of objects
yieldable in coroutines.
* New function `tornado.gen.sleep` is a coroutine-friendly
analogue to `time.sleep`.
* ``gen.engine`` now correctly captures the stack context for its callbacks.
`tornado.httpclient`
~~~~~~~~~~~~~~~~~~~~
* `tornado.httpclient.HTTPRequest` accepts a new argument
``raise_error=False`` to suppress the default behavior of raising an
error for non-200 response codes.
`tornado.httpserver`
~~~~~~~~~~~~~~~~~~~~
* `.HTTPServer` now calls ``start_request`` with the correct
arguments. This change is backwards-incompatible, afffecting any
application which implemented `.HTTPServerConnectionDelegate` by
following the example of `.Application` instead of the documented
method signatures.
* `.HTTPServer` now tolerates extra newlines which are sometimes inserted
between requests on keep-alive connections.
* `.HTTPServer` can now use keep-alive connections after a request
with a chunked body.
* `.HTTPServer` now always reports ``HTTP/1.1`` instead of echoing
the request version.
`tornado.httputil`
~~~~~~~~~~~~~~~~~~
* New function `tornado.httputil.split_host_and_port` for parsing
the ``netloc`` portion of URLs.
* The ``context`` argument to `.HTTPServerRequest` is now optional,
and if a context is supplied the ``remote_ip`` attribute is also optional.
* `.HTTPServerRequest.body` is now always a byte string (previously the default
empty body would be a unicode string on python 3).
* Header parsing now works correctly when newline-like unicode characters
are present.
* Header parsing again supports both CRLF and bare LF line separators.
* Malformed ``multipart/form-data`` bodies will always be logged
quietly instead of raising an unhandled exception; previously
the behavior was inconsistent depending on the exact error.
`tornado.ioloop`
~~~~~~~~~~~~~~~~
* The ``kqueue`` and ``select`` IOLoop implementations now report
writeability correctly, fixing flow control in IOStream.
* When a new `.IOLoop` is created, it automatically becomes "current"
for the thread if there is not already a current instance.
* New method `.PeriodicCallback.is_running` can be used to see
whether the `.PeriodicCallback` has been started.
`tornado.iostream`
~~~~~~~~~~~~~~~~~~
* `.IOStream.start_tls` now uses the ``server_hostname`` parameter
for certificate validation.
* `.SSLIOStream` will no longer consume 100% CPU after certain error conditions.
* `.SSLIOStream` no longer logs ``EBADF`` errors during the handshake as they
can result from nmap scans in certain modes.
`tornado.options`
~~~~~~~~~~~~~~~~~
* `~tornado.options.parse_config_file` now always decodes the config
file as utf8 on Python 3.
* `tornado.options.define` more accurately finds the module defining the
option.
``tornado.platform.asyncio``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* It is now possible to yield ``asyncio.Future`` objects in coroutines
when the `~functools.singledispatch` library is available and
``tornado.platform.asyncio`` has been imported.
* New methods `tornado.platform.asyncio.to_tornado_future` and
`~tornado.platform.asyncio.to_asyncio_future` convert between
the two libraries' `.Future` classes.
``tornado.platform.twisted``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* It is now possible to yield ``Deferred`` objects in coroutines
when the `~functools.singledispatch` library is available and
``tornado.platform.twisted`` has been imported.
`tornado.tcpclient`
~~~~~~~~~~~~~~~~~~~
* `.TCPClient` will no longer raise an exception due to an ill-timed
timeout.
`tornado.tcpserver`
~~~~~~~~~~~~~~~~~~~
* `.TCPServer` no longer ignores its ``read_chunk_size`` argument.
`tornado.testing`
~~~~~~~~~~~~~~~~~
* `.AsyncTestCase` has better support for multiple exceptions. Previously
it would silently swallow all but the last; now it raises the first
and logs all the rest.
* `.AsyncTestCase` now cleans up `.Subprocess` state on ``tearDown`` when
necessary.
`tornado.web`
~~~~~~~~~~~~~
* The ``asynchronous`` decorator now understands `concurrent.futures.Future`
in addition to `tornado.concurrent.Future`.
* `.StaticFileHandler` no longer logs a stack trace if the connection is
closed while sending the file.
* `.RequestHandler.send_error` now supports a ``reason`` keyword
argument, similar to `tornado.web.HTTPError`.
* `.RequestHandler.locale` now has a property setter.
* `.Application.add_handlers` hostname matching now works correctly with
IPv6 literals.
* Redirects for the `.Application` ``default_host`` setting now match
the request protocol instead of redirecting HTTPS to HTTP.
* Malformed ``_xsrf`` cookies are now ignored instead of causing
uncaught exceptions.
* ``Application.start_request`` now has the same signature as
`.HTTPServerConnectionDelegate.start_request`.
`tornado.websocket`
~~~~~~~~~~~~~~~~~~~
* The `tornado.websocket` module now supports compression via the
"permessage-deflate" extension. Override
`.WebSocketHandler.get_compression_options` to enable on the server
side, and use the ``compression_options`` keyword argument to
`.websocket_connect` on the client side.
* `.WebSocketHandler` no longer logs stack traces when the connection
is closed.
* `.WebSocketHandler.open` now accepts ``*args, **kw`` for consistency
with ``RequestHandler.get`` and related methods.
* The ``Sec-WebSocket-Version`` header now includes all supported versions.
* `.websocket_connect` now has a ``on_message_callback`` keyword argument
for callback-style use without ``read_message()``.
What's new in Tornado 4.0.2
===========================
Sept 10, 2014
-------------
Bug fixes
~~~~~~~~~
* Fixed a bug that could sometimes cause a timeout to fire after being
cancelled.
* `.AsyncTestCase` once again passes along arguments to test methods,
making it compatible with extensions such as Nose's test generators.
* `.StaticFileHandler` can again compress its responses when gzip is enabled.
* ``simple_httpclient`` passes its ``max_buffer_size`` argument to the
underlying stream.
* Fixed a reference cycle that can lead to increased memory consumption.
* `.add_accept_handler` will now limit the number of times it will call
`~socket.socket.accept` per `.IOLoop` iteration, addressing a potential
starvation issue.
* Improved error handling in `.IOStream.connect` (primarily for FreeBSD
systems)
What's new in Tornado 4.0.1
===========================
Aug 12, 2014
------------
* The build will now fall back to pure-python mode if the C extension
fails to build for any reason (previously it would fall back for some
errors but not others).
* `.IOLoop.call_at` and `.IOLoop.call_later` now always return
a timeout handle for use with `.IOLoop.remove_timeout`.
* If any callback of a `.PeriodicCallback` or `.IOStream` returns a
`.Future`, any error raised in that future will now be logged
(similar to the behavior of `.IOLoop.add_callback`).
* Fixed an exception in client-side websocket connections when the
connection is closed.
* ``simple_httpclient`` once again correctly handles 204 status
codes with no content-length header.
* Fixed a regression in ``simple_httpclient`` that would result in
timeouts for certain kinds of errors.
What's new in Tornado 4.0
=========================
July 15, 2014
-------------
Highlights
~~~~~~~~~~
* The `tornado.web.stream_request_body` decorator allows large files to be
uploaded with limited memory usage.
* Coroutines are now faster and are used extensively throughout Tornado itself.
More methods now return `Futures <.Future>`, including most `.IOStream`
methods and `.RequestHandler.flush`.
* Many user-overridden methods are now allowed to return a `.Future`
for flow control.
* HTTP-related code is now shared between the `tornado.httpserver`,
``tornado.simple_httpclient`` and `tornado.wsgi` modules, making support
for features such as chunked and gzip encoding more consistent.
`.HTTPServer` now uses new delegate interfaces defined in `tornado.httputil`
in addition to its old single-callback interface.
* New module `tornado.tcpclient` creates TCP connections with non-blocking
DNS, SSL handshaking, and support for IPv6.
Backwards-compatibility notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `tornado.concurrent.Future` is no longer thread-safe; use
`concurrent.futures.Future` when thread-safety is needed.
* Tornado now depends on the `certifi <https://pypi.python.org/pypi/certifi>`_
package instead of bundling its own copy of the Mozilla CA list. This will
be installed automatically when using ``pip`` or ``easy_install``.
* This version includes the changes to the secure cookie format first
introduced in version :doc:`3.2.1 <v3.2.1>`, and the xsrf token change
in version :doc:`3.2.2 <v3.2.2>`. If you are upgrading from an earlier
version, see those versions' release notes.
* WebSocket connections from other origin sites are now rejected by default.
To accept cross-origin websocket connections, override
the new method `.WebSocketHandler.check_origin`.
* `.WebSocketHandler` no longer supports the old ``draft 76`` protocol
(this mainly affects Safari 5.x browsers). Applications should use
non-websocket workarounds for these browsers.
* Authors of alternative `.IOLoop` implementations should see the changes
to `.IOLoop.add_handler` in this release.
* The ``RequestHandler.async_callback`` and ``WebSocketHandler.async_callback``
wrapper functions have been removed; they have been obsolete for a long
time due to stack contexts (and more recently coroutines).
* ``curl_httpclient`` now requires a minimum of libcurl version 7.21.1 and
pycurl 7.18.2.
* Support for ``RequestHandler.get_error_html`` has been removed;
override `.RequestHandler.write_error` instead.
Other notes
~~~~~~~~~~~
* The git repository has moved to https://github.com/tornadoweb/tornado.
All old links should be redirected to the new location.
* An `announcement mailing list
<http://groups.google.com/group/python-tornado-announce>`_ is now available.
* All Tornado modules are now importable on Google App Engine (although
the App Engine environment does not allow the system calls used
by `.IOLoop` so many modules are still unusable).
`tornado.auth`
~~~~~~~~~~~~~~
* Fixed a bug in ``.FacebookMixin`` on Python 3.
* When using the `.Future` interface, exceptions are more reliably delivered
to the caller.
`tornado.concurrent`
~~~~~~~~~~~~~~~~~~~~
* `tornado.concurrent.Future` is now always thread-unsafe (previously
it would be thread-safe if the `concurrent.futures` package was available).
This improves performance and provides more consistent semantics.
The parts of Tornado that accept Futures will accept both Tornado's
thread-unsafe Futures and the thread-safe `concurrent.futures.Future`.
* `tornado.concurrent.Future` now includes all the functionality
of the old ``TracebackFuture`` class. ``TracebackFuture`` is now
simply an alias for ``Future``.
``tornado.curl_httpclient``
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* ``curl_httpclient`` now passes along the HTTP "reason" string
in ``response.reason``.
`tornado.gen`
~~~~~~~~~~~~~
* Performance of coroutines has been improved.
* Coroutines no longer generate ``StackContexts`` by default, but they
will be created on demand when needed.
* The internals of the `tornado.gen` module have been rewritten to
improve performance when using ``Futures``, at the expense of some
performance degradation for the older ``YieldPoint`` interfaces.
* New function `.with_timeout` wraps a `.Future` and raises an exception
if it doesn't complete in a given amount of time.
* New object `.moment` can be yielded to allow the IOLoop to run for
one iteration before resuming.
* ``Task`` is now a function returning a `.Future` instead of a ``YieldPoint``
subclass. This change should be transparent to application code, but
allows ``Task`` to take advantage of the newly-optimized `.Future`
handling.
`tornado.http1connection`
~~~~~~~~~~~~~~~~~~~~~~~~~
* New module contains the HTTP implementation shared by `tornado.httpserver`
and ``tornado.simple_httpclient``.
`tornado.httpclient`
~~~~~~~~~~~~~~~~~~~~
* The command-line HTTP client (``python -m tornado.httpclient $URL``)
now works on Python 3.
* Fixed a memory leak in `.AsyncHTTPClient` shutdown that affected
applications that created many HTTP clients and IOLoops.
* New client request parameter ``decompress_response`` replaces
the existing ``use_gzip`` parameter; both names are accepted.
`tornado.httpserver`
~~~~~~~~~~~~~~~~~~~~
* ``tornado.httpserver.HTTPRequest`` has moved to
`tornado.httputil.HTTPServerRequest`.
* HTTP implementation has been unified with ``tornado.simple_httpclient``
in `tornado.http1connection`.
* Now supports ``Transfer-Encoding: chunked`` for request bodies.
* Now supports ``Content-Encoding: gzip`` for request bodies if
``decompress_request=True`` is passed to the `.HTTPServer` constructor.
* The ``connection`` attribute of `.HTTPServerRequest` is now documented
for public use; applications are expected to write their responses
via the `.HTTPConnection` interface.
* The ``HTTPServerRequest.write`` and ``HTTPServerRequest.finish`` methods
are now deprecated. (`.RequestHandler.write` and `.RequestHandler.finish`
are *not* deprecated; this only applies to the methods on
`.HTTPServerRequest`)
* `.HTTPServer` now supports `.HTTPServerConnectionDelegate` in addition to
the old ``request_callback`` interface. The delegate interface supports
streaming of request bodies.
* `.HTTPServer` now detects the error of an application sending a
``Content-Length`` error that is inconsistent with the actual content.
* New constructor arguments ``max_header_size`` and ``max_body_size``
allow separate limits to be set for different parts of the request.
``max_body_size`` is applied even in streaming mode.
* New constructor argument ``chunk_size`` can be used to limit the amount
of data read into memory at one time per request.
* New constructor arguments ``idle_connection_timeout`` and ``body_timeout``
allow time limits to be placed on the reading of requests.
* Form-encoded message bodies are now parsed for all HTTP methods, not just
``POST``, ``PUT``, and ``PATCH``.
`tornado.httputil`
~~~~~~~~~~~~~~~~~~
* `.HTTPServerRequest` was moved to this module from `tornado.httpserver`.
* New base classes `.HTTPConnection`, `.HTTPServerConnectionDelegate`,
and `.HTTPMessageDelegate` define the interaction between applications
and the HTTP implementation.
`tornado.ioloop`
~~~~~~~~~~~~~~~~
* `.IOLoop.add_handler` and related methods now accept file-like objects
in addition to raw file descriptors. Passing the objects is recommended
(when possible) to avoid a garbage-collection-related problem in unit tests.
* New method `.IOLoop.clear_instance` makes it possible to uninstall the
singleton instance.
* Timeout scheduling is now more robust against slow callbacks.
* `.IOLoop.add_timeout` is now a bit more efficient.
* When a function run by the `.IOLoop` returns a `.Future` and that `.Future`
has an exception, the `.IOLoop` will log the exception.
* New method `.IOLoop.spawn_callback` simplifies the process of launching
a fire-and-forget callback that is separated from the caller's stack context.
* New methods `.IOLoop.call_later` and `.IOLoop.call_at` simplify the
specification of relative or absolute timeouts (as opposed to
`~.IOLoop.add_timeout`, which used the type of its argument).
`tornado.iostream`
~~~~~~~~~~~~~~~~~~
* The ``callback`` argument to most `.IOStream` methods is now optional.
When called without a callback the method will return a `.Future`
for use with coroutines.
* New method `.IOStream.start_tls` converts an `.IOStream` to an
`.SSLIOStream`.
* No longer gets confused when an ``IOError`` or ``OSError`` without
an ``errno`` attribute is raised.
* `.BaseIOStream.read_bytes` now accepts a ``partial`` keyword argument,
which can be used to return before the full amount has been read.
This is a more coroutine-friendly alternative to ``streaming_callback``.
* `.BaseIOStream.read_until` and ``read_until_regex`` now acept a
``max_bytes`` keyword argument which will cause the request to fail if
it cannot be satisfied from the given number of bytes.
* `.IOStream` no longer reads from the socket into memory if it does not
need data to satisfy a pending read. As a side effect, the close callback
will not be run immediately if the other side closes the connection
while there is unconsumed data in the buffer.
* The default ``chunk_size`` has been increased to 64KB (from 4KB)
* The `.IOStream` constructor takes a new keyword argument
``max_write_buffer_size`` (defaults to unlimited). Calls to
`.BaseIOStream.write` will raise `.StreamBufferFullError` if the amount
of unsent buffered data exceeds this limit.
* ``ETIMEDOUT`` errors are no longer logged. If you need to distinguish
timeouts from other forms of closed connections, examine ``stream.error``
from a close callback.
`tornado.netutil`
~~~~~~~~~~~~~~~~~
* When `.bind_sockets` chooses a port automatically, it will now use
the same port for IPv4 and IPv6.
* TLS compression is now disabled by default on Python 3.3 and higher
(it is not possible to change this option in older versions).
`tornado.options`
~~~~~~~~~~~~~~~~~
* It is now possible to disable the default logging configuration
by setting ``options.logging`` to ``None`` instead of the string ``"none"``.
`tornado.platform.asyncio`
~~~~~~~~~~~~~~~~~~~~~~~~~~
* Now works on Python 2.6.
* Now works with Trollius version 0.3.
`tornado.platform.twisted`
~~~~~~~~~~~~~~~~~~~~~~~~~~
* ``TwistedIOLoop`` now works on Python 3.3+ (with Twisted 14.0.0+).
``tornado.simple_httpclient``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* ``simple_httpclient`` has better support for IPv6, which is now enabled
by default.
* Improved default cipher suite selection (Python 2.7+).
* HTTP implementation has been unified with ``tornado.httpserver``
in `tornado.http1connection`
* Streaming request bodies are now supported via the ``body_producer``
keyword argument to `tornado.httpclient.HTTPRequest`.
* The ``expect_100_continue`` keyword argument to
`tornado.httpclient.HTTPRequest` allows the use of the HTTP ``Expect:
100-continue`` feature.
* ``simple_httpclient`` now raises the original exception (e.g. an `IOError`)
in more cases, instead of converting everything to ``HTTPError``.
``tornado.stack_context``
~~~~~~~~~~~~~~~~~~~~~~~~~
* The stack context system now has less performance overhead when no
stack contexts are active.
`tornado.tcpclient`
~~~~~~~~~~~~~~~~~~~
* New module which creates TCP connections and IOStreams, including
name resolution, connecting, and SSL handshakes.
`tornado.testing`
~~~~~~~~~~~~~~~~~
* `.AsyncTestCase` now attempts to detect test methods that are generators
but were not run with ``@gen_test`` or any similar decorator (this would
previously result in the test silently being skipped).
* Better stack traces are now displayed when a test times out.
* The ``@gen_test`` decorator now passes along ``*args, **kwargs`` so it
can be used on functions with arguments.
* Fixed the test suite when ``unittest2`` is installed on Python 3.
`tornado.web`
~~~~~~~~~~~~~
* It is now possible to support streaming request bodies with the
`.stream_request_body` decorator and the new `.RequestHandler.data_received`
method.
* `.RequestHandler.flush` now returns a `.Future` if no callback is given.
* New exception `.Finish` may be raised to finish a request without
triggering error handling.
* When gzip support is enabled, all ``text/*`` mime types will be compressed,
not just those on a whitelist.
* `.Application` now implements the `.HTTPMessageDelegate` interface.
* ``HEAD`` requests in `.StaticFileHandler` no longer read the entire file.
* `.StaticFileHandler` now streams response bodies to the client.
* New setting ``compress_response`` replaces the existing ``gzip``
setting; both names are accepted.
* XSRF cookies that were not generated by this module (i.e. strings without
any particular formatting) are once again accepted (as long as the
cookie and body/header match). This pattern was common for
testing and non-browser clients but was broken by the changes in
Tornado 3.2.2.
`tornado.websocket`
~~~~~~~~~~~~~~~~~~~
* WebSocket connections from other origin sites are now rejected by default.
Browsers do not use the same-origin policy for WebSocket connections as they
do for most other browser-initiated communications. This can be surprising
and a security risk, so we disallow these connections on the server side
by default. To accept cross-origin websocket connections, override
the new method `.WebSocketHandler.check_origin`.
* `.WebSocketHandler.close` and `.WebSocketClientConnection.close` now
support ``code`` and ``reason`` arguments to send a status code and
message to the other side of the connection when closing. Both classes
also have ``close_code`` and ``close_reason`` attributes to receive these
values when the other side closes.
* The C speedup module now builds correctly with MSVC, and can support
messages larger than 2GB on 64-bit systems.
* The fallback mechanism for detecting a missing C compiler now
works correctly on Mac OS X.
* Arguments to `.WebSocketHandler.open` are now decoded in the same way
as arguments to `.RequestHandler.get` and similar methods.
* It is now allowed to override ``prepare`` in a `.WebSocketHandler`,
and this method may generate HTTP responses (error pages) in the usual
way. The HTTP response methods are still not allowed once the
WebSocket handshake has completed.
`tornado.wsgi`
~~~~~~~~~~~~~~
* New class ``WSGIAdapter`` supports running a Tornado `.Application` on
a WSGI server in a way that is more compatible with Tornado's non-WSGI
`.HTTPServer`. ``WSGIApplication`` is deprecated in favor of using
``WSGIAdapter`` with a regular `.Application`.
* ``WSGIAdapter`` now supports gzipped output.
What's new in Tornado 3.2.2
===========================
June 3, 2014
------------
Security fixes
~~~~~~~~~~~~~~
* The XSRF token is now encoded with a random mask on each request.
This makes it safe to include in compressed pages without being
vulnerable to the `BREACH attack <http://breachattack.com>`_.
This applies to most applications that use both the ``xsrf_cookies``
and ``gzip`` options (or have gzip applied by a proxy).
Backwards-compatibility notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* If Tornado 3.2.2 is run at the same time as older versions on the same
domain, there is some potential for issues with the differing cookie
versions. The `.Application` setting ``xsrf_cookie_version=1`` can
be used for a transitional period to generate the older cookie format
on newer servers.
Other changes
~~~~~~~~~~~~~
* ``tornado.platform.asyncio`` is now compatible with ``trollius`` version 0.3.
What's new in Tornado 3.2.1
===========================
May 5, 2014
-----------
Security fixes
~~~~~~~~~~~~~~
* The signed-value format used by `.RequestHandler.set_secure_cookie`
and `.RequestHandler.get_secure_cookie` has changed to be more secure.
**This is a disruptive change**. The ``secure_cookie`` functions
take new ``version`` parameters to support transitions between cookie
formats.
* The new cookie format fixes a vulnerability that may be present in
applications that use multiple cookies where the name of one cookie
is a prefix of the name of another.
* To minimize disruption, cookies in the older format will be accepted
by default until they expire. Applications that may be vulnerable
can reject all cookies in the older format by passing ``min_version=2``
to `.RequestHandler.get_secure_cookie`.
* Thanks to Joost Pol of `Certified Secure <https://www.certifiedsecure.com>`_
for reporting this issue.
Backwards-compatibility notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Signed cookies issued by `.RequestHandler.set_secure_cookie` in Tornado
3.2.1 cannot be read by older releases. If you need to run 3.2.1
in parallel with older releases, you can pass ``version=1`` to
`.RequestHandler.set_secure_cookie` to issue cookies that are
backwards-compatible (but have a known weakness, so this option
should only be used for a transitional period).
Other changes
~~~~~~~~~~~~~
* The C extension used to speed up the websocket module now compiles
correctly on Windows with MSVC and 64-bit mode. The fallback to
the pure-Python alternative now works correctly on Mac OS X machines
with no C compiler installed.
What's new in Tornado 3.2
=========================
Jan 14, 2014
------------
Installation
~~~~~~~~~~~~
* Tornado now depends on the `backports.ssl_match_hostname
<https://pypi.python.org/pypi/backports.ssl_match_hostname>`_ when
running on Python 2. This will be installed automatically when using ``pip``
or ``easy_install``
* Tornado now includes an optional C extension module, which greatly improves
performance of websockets. This extension will be built automatically
if a C compiler is found at install time.
New modules
~~~~~~~~~~~
* The `tornado.platform.asyncio` module provides integration with the
``asyncio`` module introduced in Python 3.4 (also available for Python
3.3 with ``pip install asyncio``).
`tornado.auth`
~~~~~~~~~~~~~~
* Added `.GoogleOAuth2Mixin` support authentication to Google services
with OAuth 2 instead of OpenID and OAuth 1.
* `.FacebookGraphMixin` has been updated to use the current Facebook login
URL, which saves a redirect.
`tornado.concurrent`
~~~~~~~~~~~~~~~~~~~~
* ``TracebackFuture`` now accepts a ``timeout`` keyword argument (although
it is still incorrect to use a non-zero timeout in non-blocking code).
``tornado.curl_httpclient``
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* ``tornado.curl_httpclient`` now works on Python 3 with the
soon-to-be-released pycurl 7.19.3, which will officially support
Python 3 for the first time. Note that there are some unofficial
Python 3 ports of pycurl (Ubuntu has included one for its past
several releases); these are not supported for use with Tornado.
`tornado.escape`
~~~~~~~~~~~~~~~~
* `.xhtml_escape` now escapes apostrophes as well.
* `tornado.escape.utf8`, `.to_unicode`, and `.native_str` now raise
`TypeError` instead of `AssertionError` when given an invalid value.
`tornado.gen`
~~~~~~~~~~~~~
* Coroutines may now yield dicts in addition to lists to wait for
multiple tasks in parallel.
* Improved performance of `tornado.gen` when yielding a `.Future` that is
already done.
`tornado.httpclient`
~~~~~~~~~~~~~~~~~~~~
* `tornado.httpclient.HTTPRequest` now uses property setters so that
setting attributes after construction applies the same conversions
as ``__init__`` (e.g. converting the body attribute to bytes).
`tornado.httpserver`
~~~~~~~~~~~~~~~~~~~~
* Malformed ``x-www-form-urlencoded`` request bodies will now log a warning
and continue instead of causing the request to fail (similar to the existing
handling of malformed ``multipart/form-data`` bodies. This is done mainly
because some libraries send this content type by default even when the data
is not form-encoded.
* Fix some error messages for unix sockets (and other non-IP sockets)
`tornado.ioloop`
~~~~~~~~~~~~~~~~
* `.IOLoop` now uses ``IOLoop.handle_callback_exception`` consistently for
error logging.
* `.IOLoop` now frees callback objects earlier, reducing memory usage
while idle.
* `.IOLoop` will no longer call `logging.basicConfig` if there is a handler
defined for the root logger or for the ``tornado`` or ``tornado.application``
loggers (previously it only looked at the root logger).
`tornado.iostream`
~~~~~~~~~~~~~~~~~~
* `.IOStream` now recognizes ``ECONNABORTED`` error codes in more places
(which was mainly an issue on Windows).
* `.IOStream` now frees memory earlier if a connection is closed while
there is data in the write buffer.
* `.PipeIOStream` now handles ``EAGAIN`` error codes correctly.
* `.SSLIOStream` now initiates the SSL handshake automatically without
waiting for the application to try and read or write to the connection.
* Swallow a spurious exception from ``set_nodelay`` when a connection
has been reset.
`tornado.locale`
~~~~~~~~~~~~~~~~
* `.Locale.format_date` no longer forces the use of absolute
dates in Russian.
`tornado.log`
~~~~~~~~~~~~~
* Fix an error from `tornado.log.enable_pretty_logging` when
`sys.stderr` does not have an ``isatty`` method.
* `tornado.log.LogFormatter` now accepts keyword arguments ``fmt``
and ``datefmt``.
`tornado.netutil`
~~~~~~~~~~~~~~~~~
* `.is_valid_ip` (and therefore ``HTTPRequest.remote_ip``) now rejects
empty strings.
* Synchronously using `.ThreadedResolver` at import time to resolve
a unicode hostname no longer deadlocks.
`tornado.platform.twisted`
~~~~~~~~~~~~~~~~~~~~~~~~~~
* `.TwistedResolver` now has better error handling.
`tornado.process`
~~~~~~~~~~~~~~~~~
* `.Subprocess` no longer leaks file descriptors if `subprocess.Popen` fails.
``tornado.simple_httpclient``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* ``simple_httpclient`` now applies the ``connect_timeout`` to requests
that are queued and have not yet started.
* On Python 2.6, ``simple_httpclient`` now uses TLSv1 instead of SSLv3.
* ``simple_httpclient`` now enforces the connect timeout during DNS resolution.
* The embedded ``ca-certificates.crt`` file has been updated with the current
Mozilla CA list.
`tornado.web`
~~~~~~~~~~~~~
* `.StaticFileHandler` no longer fails if the client requests a ``Range`` that
is larger than the entire file (Facebook has a crawler that does this).
* `.RequestHandler.on_connection_close` now works correctly on subsequent
requests of a keep-alive connection.
* New application setting ``default_handler_class`` can be used to easily
set up custom 404 pages.
* New application settings ``autoreload``, ``compiled_template_cache``,
``static_hash_cache``, and ``serve_traceback`` can be used to control
individual aspects of debug mode.
* New methods `.RequestHandler.get_query_argument` and
`.RequestHandler.get_body_argument` and new attributes
``HTTPRequest.query_arguments`` and ``HTTPRequest.body_arguments`` allow access
to arguments without intermingling those from the query string with those
from the request body.
* `.RequestHandler.decode_argument` and related methods now raise
an ``HTTPError(400)`` instead of `UnicodeDecodeError` when the
argument could not be decoded.
* `.RequestHandler.clear_all_cookies` now accepts ``domain`` and ``path``
arguments, just like `~.RequestHandler.clear_cookie`.
* It is now possible to specify handlers by name when using the
`tornado.web.URLSpec` class.
* `.Application` now accepts 4-tuples to specify the ``name`` parameter
(which previously required constructing a `tornado.web.URLSpec` object
instead of a tuple).
* Fixed an incorrect error message when handler methods return a value
other than None or a Future.
* Exceptions will no longer be logged twice when using both ``@asynchronous``
and ``@gen.coroutine``
`tornado.websocket`
~~~~~~~~~~~~~~~~~~~
* `.WebSocketHandler.write_message` now raises `.WebSocketClosedError` instead
of `AttributeError` when the connection has been closed.
* `.websocket_connect` now accepts preconstructed ``HTTPRequest`` objects.
* Fix a bug with `.WebSocketHandler` when used with some proxies that
unconditionally modify the ``Connection`` header.
* `.websocket_connect` now returns an error immediately for refused connections
instead of waiting for the timeout.
* `.WebSocketClientConnection` now has a ``close`` method.
`tornado.wsgi`
~~~~~~~~~~~~~~
* `.WSGIContainer` now calls the iterable's ``close()`` method even if
an error is raised, in compliance with the spec.
What's new in Tornado 3.1.1
===========================
Sep 1, 2013
-----------
* `.StaticFileHandler` no longer fails if the client requests a ``Range`` that
is larger than the entire file (Facebook has a crawler that does this).
* `.RequestHandler.on_connection_close` now works correctly on subsequent
requests of a keep-alive connection.
What's new in Tornado 3.1
=========================
Jun 15, 2013
------------
Multiple modules
~~~~~~~~~~~~~~~~
* Many reference cycles have been broken up throughout the package,
allowing for more efficient garbage collection on CPython.
* Silenced some log messages when connections are opened and immediately
closed (i.e. port scans), or other situations related to closed
connections.
* Various small speedups: `.HTTPHeaders` case normalization, `.UIModule`
proxy objects, precompile some regexes.
`tornado.auth`
~~~~~~~~~~~~~~
* `~tornado.auth.OAuthMixin` always sends ``oauth_version=1.0`` in its
request as required by the spec.
* `~tornado.auth.FacebookGraphMixin` now uses ``self._FACEBOOK_BASE_URL``
in `~.FacebookGraphMixin.facebook_request` to allow the base url to be
overridden.
* The ``authenticate_redirect`` and ``authorize_redirect`` methods in the
`tornado.auth` mixin classes all now return Futures. These methods
are asynchronous in `.OAuthMixin` and derived classes, although they
do not take a callback. The `.Future` these methods return must be
yielded if they are called from a function decorated with `.gen.coroutine`
(but not ``gen.engine``).
* `.TwitterMixin` now uses ``/account/verify_credentials`` to get information
about the logged-in user, which is more robust against changing screen
names.
* The ``demos`` directory (in the source distribution) has a new
``twitter`` demo using `.TwitterMixin`.
`tornado.escape`
~~~~~~~~~~~~~~~~
* `.url_escape` and `.url_unescape` have a new ``plus`` argument (defaulting
to True for consistency with the previous behavior) which specifies
whether they work like `urllib.parse.unquote` or `urllib.parse.unquote_plus`.
`tornado.gen`
~~~~~~~~~~~~~
* Fixed a potential memory leak with long chains of `tornado.gen` coroutines.
`tornado.httpclient`
~~~~~~~~~~~~~~~~~~~~
* `tornado.httpclient.HTTPRequest` takes a new argument ``auth_mode``,
which can be either ``basic`` or ``digest``. Digest authentication
is only supported with ``tornado.curl_httpclient``.
* ``tornado.curl_httpclient`` no longer goes into an infinite loop when
pycurl returns a negative timeout.
* ``curl_httpclient`` now supports the ``PATCH`` and ``OPTIONS`` methods
without the use of ``allow_nonstandard_methods=True``.
* Worked around a class of bugs in libcurl that would result in
errors from `.IOLoop.update_handler` in various scenarios including
digest authentication and socks proxies.
* The ``TCP_NODELAY`` flag is now set when appropriate in ``simple_httpclient``.
* ``simple_httpclient`` no longer logs exceptions, since those exceptions
are made available to the caller as ``HTTPResponse.error``.
`tornado.httpserver`
~~~~~~~~~~~~~~~~~~~~
* `tornado.httpserver.HTTPServer` handles malformed HTTP headers more
gracefully.
* `.HTTPServer` now supports lists of IPs in ``X-Forwarded-For``
(it chooses the last, i.e. nearest one).
* Memory is now reclaimed promptly on CPython when an HTTP request
fails because it exceeded the maximum upload size.
* The ``TCP_NODELAY`` flag is now set when appropriate in `.HTTPServer`.
* The `.HTTPServer` ``no_keep_alive`` option is now respected with
HTTP 1.0 connections that explicitly pass ``Connection: keep-alive``.
* The ``Connection: keep-alive`` check for HTTP 1.0 connections is now
case-insensitive.
* The `str` and `repr` of ``tornado.httpserver.HTTPRequest`` no longer
include the request body, reducing log spam on errors (and potential
exposure/retention of private data).
`tornado.httputil`
~~~~~~~~~~~~~~~~~~
* The cache used in `.HTTPHeaders` will no longer grow without bound.
`tornado.ioloop`
~~~~~~~~~~~~~~~~
* Some `.IOLoop` implementations (such as ``pyzmq``) accept objects
other than integer file descriptors; these objects will now have
their ``.close()`` method called when the ``IOLoop` is closed with
``all_fds=True``.
* The stub handles left behind by `.IOLoop.remove_timeout` will now get
cleaned up instead of waiting to expire.
`tornado.iostream`
~~~~~~~~~~~~~~~~~~
* Fixed a bug in `.BaseIOStream.read_until_close` that would sometimes
cause data to be passed to the final callback instead of the streaming
callback.
* The `.IOStream` close callback is now run more reliably if there is
an exception in ``_try_inline_read``.
* New method `.BaseIOStream.set_nodelay` can be used to set the
``TCP_NODELAY`` flag.
* Fixed a case where errors in ``SSLIOStream.connect`` (and
``SimpleAsyncHTTPClient``) were not being reported correctly.
`tornado.locale`
~~~~~~~~~~~~~~~~
* `.Locale.format_date` now works on Python 3.
`tornado.netutil`
~~~~~~~~~~~~~~~~~
* The default `.Resolver` implementation now works on Solaris.
* `.Resolver` now has a `~.Resolver.close` method.
* Fixed a potential CPU DoS when ``tornado.netutil.ssl_match_hostname``
is used on certificates with an abusive wildcard pattern.
* All instances of `.ThreadedResolver` now share a single thread pool,
whose size is set by the first one to be created (or the static
``Resolver.configure`` method).
* `.ExecutorResolver` is now documented for public use.
* `.bind_sockets` now works in configurations with incomplete IPv6 support.
`tornado.options`
~~~~~~~~~~~~~~~~~
* `tornado.options.define` with ``multiple=True`` now works on Python 3.
* `tornado.options.options` and other `.OptionParser` instances support some
new dict-like methods: `~.OptionParser.items()`, iteration over keys,
and (read-only) access to options with square braket syntax.
`.OptionParser.group_dict` returns all options with a given group
name, and `.OptionParser.as_dict` returns all options.
`tornado.process`
~~~~~~~~~~~~~~~~~
* `tornado.process.Subprocess` no longer leaks file descriptors into
the child process, which fixes a problem in which the child could not
detect that the parent process had closed its stdin pipe.
* `.Subprocess.set_exit_callback` now works for subprocesses created
without an explicit ``io_loop`` parameter.
``tornado.stack_context``
~~~~~~~~~~~~~~~~~~~~~~~~~
* ``tornado.stack_context`` has been rewritten and is now much faster.
* New function ``run_with_stack_context`` facilitates the use of stack
contexts with coroutines.
`tornado.tcpserver`
~~~~~~~~~~~~~~~~~~~
* The constructors of `.TCPServer` and `.HTTPServer` now take a
``max_buffer_size`` keyword argument.
`tornado.template`
~~~~~~~~~~~~~~~~~~
* Some internal names used by the template system have been changed;
now all "reserved" names in templates start with ``_tt_``.
`tornado.testing`
~~~~~~~~~~~~~~~~~
* `tornado.testing.AsyncTestCase.wait` now raises the correct exception
when it has been modified by ``tornado.stack_context``.
* `tornado.testing.gen_test` can now be called as ``@gen_test(timeout=60)``
to give some tests a longer timeout than others.
* The environment variable ``ASYNC_TEST_TIMEOUT`` can now be set to
override the default timeout for `.AsyncTestCase.wait` and `.gen_test`.
* `.bind_unused_port` now passes ``None`` instead of ``0`` as the port
to ``getaddrinfo``, which works better with some unusual network
configurations.
`tornado.util`
~~~~~~~~~~~~~~
* `tornado.util.import_object` now works with top-level module names that
do not contain a dot.
* `tornado.util.import_object` now consistently raises `ImportError`
instead of `AttributeError` when it fails.
`tornado.web`
~~~~~~~~~~~~~
* The ``handlers`` list passed to the `tornado.web.Application` constructor
and `~tornado.web.Application.add_handlers` methods can now contain
lists in addition to tuples and `~tornado.web.URLSpec` objects.
* `tornado.web.StaticFileHandler` now works on Windows when the client
passes an ``If-Modified-Since`` timestamp before 1970.
* New method `.RequestHandler.log_exception` can be overridden to
customize the logging behavior when an exception is uncaught. Most
apps that currently override ``_handle_request_exception`` can now
use a combination of `.RequestHandler.log_exception` and
`.write_error`.
* `.RequestHandler.get_argument` now raises `.MissingArgumentError`
(a subclass of `tornado.web.HTTPError`, which is what it raised previously)
if the argument cannot be found.
* `.Application.reverse_url` now uses `.url_escape` with ``plus=False``,
i.e. spaces are encoded as ``%20`` instead of ``+``.
* Arguments extracted from the url path are now decoded with
`.url_unescape` with ``plus=False``, so plus signs are left as-is
instead of being turned into spaces.
* `.RequestHandler.send_error` will now only be called once per request,
even if multiple exceptions are caught by the stack context.
* The ``tornado.web.asynchronous`` decorator is no longer necessary for
methods that return a `.Future` (i.e. those that use the `.gen.coroutine`
or ``return_future`` decorators)
* `.RequestHandler.prepare` may now be asynchronous if it returns a
`.Future`. The ``tornado.web.asynchronous`` decorator is not used with
``prepare``; one of the `.Future`-related decorators should be used instead.
* ``RequestHandler.current_user`` may now be assigned to normally.
* `.RequestHandler.redirect` no longer silently strips control characters
and whitespace. It is now an error to pass control characters, newlines
or tabs.
* `.StaticFileHandler` has been reorganized internally and now has additional
extension points that can be overridden in subclasses.
* `.StaticFileHandler` now supports HTTP ``Range`` requests.
`.StaticFileHandler` is still not suitable for files too large to
comfortably fit in memory, but ``Range`` support is necessary in some
browsers to enable seeking of HTML5 audio and video.
* `.StaticFileHandler` now uses longer hashes by default, and uses the same
hashes for ``Etag`` as it does for versioned urls.
* `.StaticFileHandler.make_static_url` and `.RequestHandler.static_url`
now have an additional keyword argument ``include_version`` to suppress
the url versioning.
* `.StaticFileHandler` now reads its file in chunks, which will reduce
memory fragmentation.
* Fixed a problem with the ``Date`` header and cookie expiration dates
when the system locale is set to a non-english configuration.
`tornado.websocket`
~~~~~~~~~~~~~~~~~~~
* `.WebSocketHandler` now catches `.StreamClosedError` and runs
`~.WebSocketHandler.on_close` immediately instead of logging a
stack trace.
* New method `.WebSocketHandler.set_nodelay` can be used to set the
``TCP_NODELAY`` flag.
`tornado.wsgi`
~~~~~~~~~~~~~~
* Fixed an exception in `.WSGIContainer` when the connection is closed
while output is being written.
What's new in Tornado 3.0.2
===========================
Jun 2, 2013
-----------
* `tornado.auth.TwitterMixin` now defaults to version 1.1 of the
Twitter API, instead of version 1.0 which is being `discontinued on
June 11 <https://dev.twitter.com/calendar>`_. It also now uses HTTPS
when talking to Twitter.
* Fixed a potential memory leak with a long chain of `.gen.coroutine`
or ``gen.engine`` functions.
What's new in Tornado 3.0.1
===========================
Apr 8, 2013
-----------
* The interface of `tornado.auth.FacebookGraphMixin` is now consistent
with its documentation and the rest of the module. The
``get_authenticated_user`` and ``facebook_request`` methods return a
``Future`` and the ``callback`` argument is optional.
* The `tornado.testing.gen_test` decorator will no longer be recognized
as a (broken) test by ``nose``.
* Work around a bug in Ubuntu 13.04 betas involving an incomplete backport
of the `ssl.match_hostname` function.
* `tornado.websocket.websocket_connect` now fails cleanly when it attempts
to connect to a non-websocket url.
* ``tornado.testing.LogTrapTestCase`` once again works with byte strings
on Python 2.
* The ``request`` attribute of `tornado.httpclient.HTTPResponse` is
now always an `~tornado.httpclient.HTTPRequest`, never a ``_RequestProxy``.
* Exceptions raised by the `tornado.gen` module now have better messages
when tuples are used as callback keys.
What's new in Tornado 3.0
=========================
Mar 29, 2013
------------
Highlights
^^^^^^^^^^
* The ``callback`` argument to many asynchronous methods is now
optional, and these methods return a `.Future`. The `tornado.gen`
module now understands ``Futures``, and these methods can be used
directly without a ``gen.Task`` wrapper.
* New function `.IOLoop.current` returns the `.IOLoop` that is running
on the current thread (as opposed to `.IOLoop.instance`, which
returns a specific thread's (usually the main thread's) IOLoop.
* New class `tornado.netutil.Resolver` provides an asynchronous
interface to DNS resolution. The default implementation is still
blocking, but non-blocking implementations are available using one
of three optional dependencies: `~tornado.netutil.ThreadedResolver`
using the `concurrent.futures` thread pool,
``tornado.platform.caresresolver.CaresResolver`` using the ``pycares``
library, or ``tornado.platform.twisted.TwistedResolver`` using ``twisted``
* Tornado's logging is now less noisy, and it no longer goes directly
to the root logger, allowing for finer-grained configuration.
* New class `tornado.process.Subprocess` wraps `subprocess.Popen` with
`.PipeIOStream` access to the child's file descriptors.
* `.IOLoop` now has a static `configure <.Configurable.configure>`
method like the one on `.AsyncHTTPClient`, which can be used to
select an `.IOLoop` implementation other than the default.
* `.IOLoop` can now optionally use a monotonic clock if available
(see below for more details).
Backwards-incompatible changes
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* Python 2.5 is no longer supported. Python 3 is now supported in a single
codebase instead of using ``2to3``
* The ``tornado.database`` module has been removed. It is now available
as a separate package, `torndb <https://github.com/bdarnell/torndb>`_
* Functions that take an ``io_loop`` parameter now default to
`.IOLoop.current()` instead of `.IOLoop.instance()`.
* Empty HTTP request arguments are no longer ignored. This applies to
``HTTPRequest.arguments`` and ``RequestHandler.get_argument[s]``
in WSGI and non-WSGI modes.
* On Python 3, `tornado.escape.json_encode` no longer accepts byte strings.
* On Python 3, the ``get_authenticated_user`` methods in `tornado.auth`
now return character strings instead of byte strings.
* ``tornado.netutil.TCPServer`` has moved to its own module,
`tornado.tcpserver`.
* The Tornado test suite now requires ``unittest2`` when run on Python 2.6.
* `tornado.options.options` is no longer a subclass of `dict`; attribute-style
access is now required.
Detailed changes by module
^^^^^^^^^^^^^^^^^^^^^^^^^^
Multiple modules
~~~~~~~~~~~~~~~~
* Tornado no longer logs to the root logger. Details on the new logging
scheme can be found under the `tornado.log` module. Note that in some
cases this will require that you add an explicit logging configuration
in order to see any output (perhaps just calling ``logging.basicConfig()``),
although both `.IOLoop.start()` and `tornado.options.parse_command_line`
will do this for you.
* On python 3.2+, methods that take an ``ssl_options`` argument (on
`.SSLIOStream`, `.TCPServer`, and `.HTTPServer`) now accept either a
dictionary of options or an `ssl.SSLContext` object.
* New optional dependency on `concurrent.futures` to provide better support
for working with threads. `concurrent.futures` is in the standard library
for Python 3.2+, and can be installed on older versions with
``pip install futures``.
`tornado.autoreload`
~~~~~~~~~~~~~~~~~~~~
* `tornado.autoreload` is now more reliable when there are errors at import
time.
* Calling `tornado.autoreload.start` (or creating an `.Application` with
``debug=True``) twice on the same `.IOLoop` now does nothing (instead of
creating multiple periodic callbacks). Starting autoreload on
more than one `.IOLoop` in the same process now logs a warning.
* Scripts run by autoreload no longer inherit ``__future__`` imports
used by Tornado.
`tornado.auth`
~~~~~~~~~~~~~~
* On Python 3, the ``get_authenticated_user`` method family now returns
character strings instead of byte strings.
* Asynchronous methods defined in `tornado.auth` now return a
`.Future`, and their ``callback`` argument is optional. The
``Future`` interface is preferred as it offers better error handling
(the previous interface just logged a warning and returned None).
* The `tornado.auth` mixin classes now define a method
``get_auth_http_client``, which can be overridden to use a non-default
`.AsyncHTTPClient` instance (e.g. to use a different `.IOLoop`)
* Subclasses of `.OAuthMixin` are encouraged to override
`.OAuthMixin._oauth_get_user_future` instead of ``_oauth_get_user``,
although both methods are still supported.
`tornado.concurrent`
~~~~~~~~~~~~~~~~~~~~
* New module `tornado.concurrent` contains code to support working with
`concurrent.futures`, or to emulate future-based interface when that module
is not available.
``tornado.curl_httpclient``
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Preliminary support for ``tornado.curl_httpclient`` on Python 3. The latest
official release of pycurl only supports Python 2, but Ubuntu has a
port available in 12.10 (``apt-get install python3-pycurl``). This port
currently has bugs that prevent it from handling arbitrary binary data
but it should work for textual (utf8) resources.
* Fix a crash with libcurl 7.29.0 if a curl object is created and closed
without being used.
`tornado.escape`
~~~~~~~~~~~~~~~~
* On Python 3, `~tornado.escape.json_encode` no longer accepts byte strings.
This mirrors the behavior of the underlying json module. Python 2 behavior
is unchanged but should be faster.
`tornado.gen`
~~~~~~~~~~~~~
* New decorator ``@gen.coroutine`` is available as an alternative to
``@gen.engine``. It automatically returns a
`.Future`, and within the function instead of
calling a callback you return a value with ``raise
gen.Return(value)`` (or simply ``return value`` in Python 3.3).
* Generators may now yield `.Future` objects.
* Callbacks produced by ``gen.Callback`` and ``gen.Task`` are now automatically
stack-context-wrapped, to minimize the risk of context leaks when used
with asynchronous functions that don't do their own wrapping.
* Fixed a memory leak involving generators, `.RequestHandler.flush`,
and clients closing connections while output is being written.
* Yielding a large list no longer has quadratic performance.
`tornado.httpclient`
~~~~~~~~~~~~~~~~~~~~
* `.AsyncHTTPClient.fetch` now returns a `.Future` and its callback argument
is optional. When the future interface is used, any error will be raised
automatically, as if `.HTTPResponse.rethrow` was called.
* `.AsyncHTTPClient.configure` and all `.AsyncHTTPClient` constructors
now take a ``defaults`` keyword argument. This argument should be a
dictionary, and its values will be used in place of corresponding
attributes of `~tornado.httpclient.HTTPRequest` that are not set.
* All unset attributes of `tornado.httpclient.HTTPRequest` are now
``None``. The default values of some attributes
(``connect_timeout``, ``request_timeout``, ``follow_redirects``,
``max_redirects``, ``use_gzip``, ``proxy_password``,
``allow_nonstandard_methods``, and ``validate_cert`` have been moved
from `~tornado.httpclient.HTTPRequest` to the client
implementations.
* The ``max_clients`` argument to `.AsyncHTTPClient` is now a keyword-only
argument.
* Keyword arguments to `.AsyncHTTPClient.configure` are no longer used
when instantiating an implementation subclass directly.
* Secondary `.AsyncHTTPClient` callbacks (``streaming_callback``,
``header_callback``, and ``prepare_curl_callback``) now respect
``StackContext``.
`tornado.httpserver`
~~~~~~~~~~~~~~~~~~~~
* `.HTTPServer` no longer logs an error when it is unable to read a second
request from an HTTP 1.1 keep-alive connection.
* `.HTTPServer` now takes a ``protocol`` keyword argument which can be set
to ``https`` if the server is behind an SSL-decoding proxy that does not
set any supported X-headers.
* ``tornado.httpserver.HTTPConnection`` now has a ``set_close_callback``
method that should be used instead of reaching into its ``stream``
attribute.
* Empty HTTP request arguments are no longer ignored. This applies to
``HTTPRequest.arguments`` and ``RequestHandler.get_argument[s]``
in WSGI and non-WSGI modes.
`tornado.ioloop`
~~~~~~~~~~~~~~~~
* New function `.IOLoop.current` returns the ``IOLoop`` that is running
on the current thread (as opposed to `.IOLoop.instance`, which returns a
specific thread's (usually the main thread's) IOLoop).
* New method `.IOLoop.add_future` to run a callback on the IOLoop when
an asynchronous `.Future` finishes.
* `.IOLoop` now has a static `configure <.Configurable.configure>`
method like the one on `.AsyncHTTPClient`, which can be used to
select an `.IOLoop` implementation other than the default.
* The `.IOLoop` poller implementations (``select``, ``epoll``, ``kqueue``)
are now available as distinct subclasses of `.IOLoop`. Instantiating
`.IOLoop` will continue to automatically choose the best available
implementation.
* The `.IOLoop` constructor has a new keyword argument ``time_func``,
which can be used to set the time function used when scheduling callbacks.
This is most useful with the `time.monotonic` function, introduced
in Python 3.3 and backported to older versions via the ``monotime``
module. Using a monotonic clock here avoids problems when the system
clock is changed.
* New function `.IOLoop.time` returns the current time according to the
IOLoop. To use the new monotonic clock functionality, all calls to
`.IOLoop.add_timeout` must be either pass a `datetime.timedelta` or
a time relative to `.IOLoop.time`, not `time.time`. (`time.time` will
continue to work only as long as the IOLoop's ``time_func`` argument
is not used).
* New convenience method `.IOLoop.run_sync` can be used to start an IOLoop
just long enough to run a single coroutine.
* New method `.IOLoop.add_callback_from_signal` is safe to use in a signal
handler (the regular `.add_callback` method may deadlock).
* `.IOLoop` now uses `signal.set_wakeup_fd` where available (Python 2.6+
on Unix) to avoid a race condition that could result in Python signal
handlers being delayed.
* Method ``IOLoop.running()`` has been removed.
* `.IOLoop` has been refactored to better support subclassing.
* `.IOLoop.add_callback` and `.add_callback_from_signal` now take
``*args, **kwargs`` to pass along to the callback.
`tornado.iostream`
~~~~~~~~~~~~~~~~~~
* `.IOStream.connect` now has an optional ``server_hostname`` argument
which will be used for SSL certificate validation when applicable.
Additionally, when supported (on Python 3.2+), this hostname
will be sent via SNI (and this is supported by ``tornado.simple_httpclient``)
* Much of `.IOStream` has been refactored into a separate class
`.BaseIOStream`.
* New class `tornado.iostream.PipeIOStream` provides the IOStream
interface on pipe file descriptors.
* `.IOStream` now raises a new exception
``tornado.iostream.StreamClosedError`` when you attempt to read or
write after the stream has been closed (by either side).
* `.IOStream` now simply closes the connection when it gets an
``ECONNRESET`` error, rather than logging it as an error.
* ``IOStream.error`` no longer picks up unrelated exceptions.
* `.BaseIOStream.close` now has an ``exc_info`` argument (similar to the
one used in the `logging` module) that can be used to set the stream's
``error`` attribute when closing it.
* `.BaseIOStream.read_until_close` now works correctly when it is called
while there is buffered data.
* Fixed a major performance regression when run on PyPy (introduced in
Tornado 2.3).
`tornado.log`
~~~~~~~~~~~~~
* New module containing `.enable_pretty_logging` and `.LogFormatter`,
moved from the options module.
* `.LogFormatter` now handles non-ascii data in messages and tracebacks better.
`tornado.netutil`
~~~~~~~~~~~~~~~~~
* New class `tornado.netutil.Resolver` provides an asynchronous
interface to DNS resolution. The default implementation is still
blocking, but non-blocking implementations are available using one
of three optional dependencies: `~tornado.netutil.ThreadedResolver`
using the `concurrent.futures` thread pool,
`tornado.platform.caresresolver.CaresResolver` using the ``pycares``
library, or `tornado.platform.twisted.TwistedResolver` using ``twisted``
* New function `tornado.netutil.is_valid_ip` returns true if a given string
is a valid IP (v4 or v6) address.
* `tornado.netutil.bind_sockets` has a new ``flags`` argument that can
be used to pass additional flags to ``getaddrinfo``.
* `tornado.netutil.bind_sockets` no longer sets ``AI_ADDRCONFIG``; this will
cause it to bind to both ipv4 and ipv6 more often than before.
* `tornado.netutil.bind_sockets` now works when Python was compiled
with ``--disable-ipv6`` but IPv6 DNS resolution is available on the
system.
* ``tornado.netutil.TCPServer`` has moved to its own module, `tornado.tcpserver`.
`tornado.options`
~~~~~~~~~~~~~~~~~
* The class underlying the functions in `tornado.options` is now public
(`tornado.options.OptionParser`). This can be used to create multiple
independent option sets, such as for subcommands.
* `tornado.options.parse_config_file` now configures logging automatically
by default, in the same way that `~tornado.options.parse_command_line` does.
* New function `tornado.options.add_parse_callback` schedules a callback
to be run after the command line or config file has been parsed. The
keyword argument ``final=False`` can be used on either parsing function
to suppress these callbacks.
* `tornado.options.define` now takes a ``callback`` argument. This callback
will be run with the new value whenever the option is changed. This is
especially useful for options that set other options, such as by reading
from a config file.
* `tornado.options.parse_command_line` ``--help`` output now goes to ``stderr``
rather than ``stdout``.
* `tornado.options.options` is no longer a subclass of `dict`; attribute-style
access is now required.
* `tornado.options.options` (and `.OptionParser` instances generally) now
have a `.mockable()` method that returns a wrapper object compatible with
`mock.patch <unittest.mock.patch>`.
* Function ``tornado.options.enable_pretty_logging`` has been moved to the
`tornado.log` module.
`tornado.platform.caresresolver`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* New module containing an asynchronous implementation of the `.Resolver`
interface, using the ``pycares`` library.
`tornado.platform.twisted`
~~~~~~~~~~~~~~~~~~~~~~~~~~
* New class ``tornado.platform.twisted.TwistedIOLoop`` allows Tornado
code to be run on the Twisted reactor (as opposed to the existing
``TornadoReactor``, which bridges the gap in the other direction).
* New class `tornado.platform.twisted.TwistedResolver` is an asynchronous
implementation of the `.Resolver` interface.
`tornado.process`
~~~~~~~~~~~~~~~~~
* New class `tornado.process.Subprocess` wraps `subprocess.Popen` with
`.PipeIOStream` access to the child's file descriptors.
``tornado.simple_httpclient``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* ``SimpleAsyncHTTPClient`` now takes a ``resolver`` keyword argument
(which may be passed to either the constructor or `configure
<.Configurable.configure>`), to allow it to use the new non-blocking
`tornado.netutil.Resolver`.
* When following redirects, ``SimpleAsyncHTTPClient`` now treats a 302
response code the same as a 303. This is contrary to the HTTP spec
but consistent with all browsers and other major HTTP clients
(including ``CurlAsyncHTTPClient``).
* The behavior of ``header_callback`` with ``SimpleAsyncHTTPClient`` has
changed and is now the same as that of ``CurlAsyncHTTPClient``. The
header callback now receives the first line of the response (e.g.
``HTTP/1.0 200 OK``) and the final empty line.
* ``tornado.simple_httpclient`` now accepts responses with a 304
status code that include a ``Content-Length`` header.
* Fixed a bug in which ``SimpleAsyncHTTPClient`` callbacks were being run in the
client's ``stack_context``.
``tornado.stack_context``
~~~~~~~~~~~~~~~~~~~~~~~~~
* ``stack_context.wrap`` now runs the wrapped callback in a more consistent
environment by recreating contexts even if they already exist on the
stack.
* Fixed a bug in which stack contexts could leak from one callback
chain to another.
* Yield statements inside a ``with`` statement can cause stack
contexts to become inconsistent; an exception will now be raised
when this case is detected.
`tornado.template`
~~~~~~~~~~~~~~~~~~
* Errors while rendering templates no longer log the generated code,
since the enhanced stack traces (from version 2.1) should make this
unnecessary.
* The ``{% apply %}`` directive now works properly with functions that return
both unicode strings and byte strings (previously only byte strings were
supported).
* Code in templates is no longer affected by Tornado's ``__future__`` imports
(which previously included ``absolute_import`` and ``division``).
`tornado.testing`
~~~~~~~~~~~~~~~~~
* New function `tornado.testing.bind_unused_port` both chooses a port
and binds a socket to it, so there is no risk of another process
using the same port. ``get_unused_port`` is now deprecated.
* New decorator `tornado.testing.gen_test` can be used to allow for
yielding `tornado.gen` objects in tests, as an alternative to the
``stop`` and ``wait`` methods of `.AsyncTestCase`.
* `tornado.testing.AsyncTestCase` and friends now extend ``unittest2.TestCase``
when it is available (and continue to use the standard ``unittest`` module
when ``unittest2`` is not available)
* `tornado.testing.ExpectLog` can be used as a finer-grained alternative
to ``tornado.testing.LogTrapTestCase``
* The command-line interface to `tornado.testing.main` now supports
additional arguments from the underlying `unittest` module:
``verbose``, ``quiet``, ``failfast``, ``catch``, ``buffer``.
* The deprecated ``--autoreload`` option of `tornado.testing.main` has
been removed. Use ``python -m tornado.autoreload`` as a prefix command
instead.
* The ``--httpclient`` option of `tornado.testing.main` has been moved
to ``tornado.test.runtests`` so as not to pollute the application
option namespace. The `tornado.options` module's new callback
support now makes it easy to add options from a wrapper script
instead of putting all possible options in `tornado.testing.main`.
* `.AsyncHTTPTestCase` no longer calls `.AsyncHTTPClient.close` for tests
that use the singleton `.IOLoop.instance`.
* ``LogTrapTestCase`` no longer fails when run in unknown logging
configurations. This allows tests to be run under nose, which does its
own log buffering (``LogTrapTestCase`` doesn't do anything useful in this
case, but at least it doesn't break things any more).
``tornado.util``
~~~~~~~~~~~~~~~~
* ``tornado.util.b`` (which was only intended for internal use) is gone.
`tornado.web`
~~~~~~~~~~~~~
* `.RequestHandler.set_header` now overwrites previous header values
case-insensitively.
* `tornado.web.RequestHandler` has new attributes ``path_args`` and
``path_kwargs``, which contain the positional and keyword arguments
that are passed to the ``get``/``post``/etc method. These attributes
are set before those methods are called, so they are available during
``prepare()``
* `tornado.web.ErrorHandler` no longer requires XSRF tokens on ``POST``
requests, so posts to an unknown url will always return 404 instead of
complaining about XSRF tokens.
* Several methods related to HTTP status codes now take a ``reason`` keyword
argument to specify an alternate "reason" string (i.e. the "Not Found" in
"HTTP/1.1 404 Not Found"). It is now possible to set status codes other
than those defined in the spec, as long as a reason string is given.
* The ``Date`` HTTP header is now set by default on all responses.
* ``Etag``/``If-None-Match`` requests now work with `.StaticFileHandler`.
* `.StaticFileHandler` no longer sets ``Cache-Control: public`` unnecessarily.
* When gzip is enabled in a `tornado.web.Application`, appropriate
``Vary: Accept-Encoding`` headers are now sent.
* It is no longer necessary to pass all handlers for a host in a single
`.Application.add_handlers` call. Now the request will be matched
against the handlers for any ``host_pattern`` that includes the request's
``Host`` header.
`tornado.websocket`
~~~~~~~~~~~~~~~~~~~
* Client-side WebSocket support is now available:
`tornado.websocket.websocket_connect`
* `.WebSocketHandler` has new methods `~.WebSocketHandler.ping` and
`~.WebSocketHandler.on_pong` to send pings to the browser (not
supported on the ``draft76`` protocol)
What's new in Tornado 2.4.1
===========================
Nov 24, 2012
------------
Bug fixes
~~~~~~~~~
* Fixed a memory leak in ``tornado.stack_context`` that was especially likely
with long-running ``@gen.engine`` functions.
* `tornado.auth.TwitterMixin` now works on Python 3.
* Fixed a bug in which ``IOStream.read_until_close`` with a streaming callback
would sometimes pass the last chunk of data to the final callback instead
of the streaming callback.
What's new in Tornado 2.4
=========================
Sep 4, 2012
-----------
General
~~~~~~~
* Fixed Python 3 bugs in `tornado.auth`, `tornado.locale`, and `tornado.wsgi`.
HTTP clients
~~~~~~~~~~~~
* Removed ``max_simultaneous_connections`` argument from `tornado.httpclient`
(both implementations). This argument hasn't been useful for some time
(if you were using it you probably want ``max_clients`` instead)
* ``tornado.simple_httpclient`` now accepts and ignores HTTP 1xx status
responses.
`tornado.ioloop` and `tornado.iostream`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Fixed a bug introduced in 2.3 that would cause `.IOStream` close callbacks
to not run if there were pending reads.
* Improved error handling in `.SSLIOStream` and SSL-enabled `.TCPServer`.
* ``SSLIOStream.get_ssl_certificate`` now has a ``binary_form`` argument
which is passed to ``SSLSocket.getpeercert``.
* ``SSLIOStream.write`` can now be called while the connection is in progress,
same as non-SSL `.IOStream` (but be careful not to send sensitive data until
the connection has completed and the certificate has been verified).
* `.IOLoop.add_handler` cannot be called more than once with the same file
descriptor. This was always true for ``epoll``, but now the other
implementations enforce it too.
* On Windows, `.TCPServer` uses ``SO_EXCLUSIVEADDRUSER`` instead of ``SO_REUSEADDR``.
`tornado.template`
~~~~~~~~~~~~~~~~~~
* ``{% break %}`` and ``{% continue %}`` can now be used looping constructs
in templates.
* It is no longer an error for an if/else/for/etc block in a template to
have an empty body.
`tornado.testing`
~~~~~~~~~~~~~~~~~
* New class `tornado.testing.AsyncHTTPSTestCase` is like `.AsyncHTTPTestCase`.
but enables SSL for the testing server (by default using a self-signed
testing certificate).
* `tornado.testing.main` now accepts additional keyword arguments and forwards
them to `unittest.main`.
`tornado.web`
~~~~~~~~~~~~~
* New method `.RequestHandler.get_template_namespace` can be overridden to
add additional variables without modifying keyword arguments to
``render_string``.
* `.RequestHandler.add_header` now works with ``WSGIApplication``.
* `.RequestHandler.get_secure_cookie` now handles a potential error case.
* ``RequestHandler.__init__`` now calls ``super().__init__`` to ensure that
all constructors are called when multiple inheritance is used.
* Docs have been updated with a description of all available
:py:attr:`Application settings <tornado.web.Application.settings>`
Other modules
~~~~~~~~~~~~~
* `.OAuthMixin` now accepts ``"oob"`` as a ``callback_uri``.
* `.OpenIdMixin` now also returns the ``claimed_id`` field for the user.
* `tornado.platform.twisted` shutdown sequence is now more compatible.
* The logging configuration used in `tornado.options` is now more tolerant
of non-ascii byte strings.
What's new in Tornado 2.3
=========================
May 31, 2012
------------
HTTP clients
~~~~~~~~~~~~
* `tornado.httpclient.HTTPClient` now supports the same constructor
keyword arguments as `.AsyncHTTPClient`.
* The ``max_clients`` keyword argument to `.AsyncHTTPClient.configure` now works.
* ``tornado.simple_httpclient`` now supports the ``OPTIONS`` and ``PATCH``
HTTP methods.
* ``tornado.simple_httpclient`` is better about closing its sockets
instead of leaving them for garbage collection.
* ``tornado.simple_httpclient`` correctly verifies SSL certificates for
URLs containing IPv6 literals (This bug affected Python 2.5 and 2.6).
* ``tornado.simple_httpclient`` no longer includes basic auth credentials
in the ``Host`` header when those credentials are extracted from the URL.
* ``tornado.simple_httpclient`` no longer modifies the caller-supplied header
dictionary, which caused problems when following redirects.
* ``tornado.curl_httpclient`` now supports client SSL certificates (using
the same ``client_cert`` and ``client_key`` arguments as
``tornado.simple_httpclient``)
HTTP Server
~~~~~~~~~~~
* `.HTTPServer` now works correctly with paths starting with ``//``
* ``HTTPHeaders.copy`` (inherited from `dict.copy`) now works correctly.
* ``HTTPConnection.address`` is now always the socket address, even for non-IP
sockets. ``HTTPRequest.remote_ip`` is still always an IP-style address
(fake data is used for non-IP sockets)
* Extra data at the end of multipart form bodies is now ignored, which fixes
a compatibility problem with an iOS HTTP client library.
``IOLoop`` and ``IOStream``
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `.IOStream` now has an ``error`` attribute that can be used to determine
why a socket was closed.
* ``tornado.iostream.IOStream.read_until`` and ``read_until_regex`` are much
faster with large input.
* ``IOStream.write`` performs better when given very large strings.
* `.IOLoop.instance()` is now thread-safe.
``tornado.options``
~~~~~~~~~~~~~~~~~~~
* `tornado.options` options with ``multiple=True`` that are set more than
once now overwrite rather than append. This makes it possible to override
values set in ``parse_config_file`` with ``parse_command_line``.
* `tornado.options` ``--help`` output is now prettier.
* `tornado.options.options` now supports attribute assignment.
``tornado.template``
~~~~~~~~~~~~~~~~~~~~
* Template files containing non-ASCII (utf8) characters now work on Python 3
regardless of the locale environment variables.
* Templates now support ``else`` clauses in
``try``/``except``/``finally``/``else`` blocks.
``tornado.web``
~~~~~~~~~~~~~~~
* `tornado.web.RequestHandler` now supports the ``PATCH`` HTTP method.
Note that this means any existing methods named ``patch`` in
``RequestHandler`` subclasses will need to be renamed.
* `tornado.web.addslash` and ``removeslash`` decorators now send permanent
redirects (301) instead of temporary (302).
* `.RequestHandler.flush` now invokes its callback whether there was any data
to flush or not.
* Repeated calls to `.RequestHandler.set_cookie` with the same name now
overwrite the previous cookie instead of producing additional copies.
* ``tornado.web.OutputTransform.transform_first_chunk`` now takes and returns
a status code in addition to the headers and chunk. This is a
backwards-incompatible change to an interface that was never technically
private, but was not included in the documentation and does not appear
to have been used outside Tornado itself.
* Fixed a bug on python versions before 2.6.5 when `tornado.web.URLSpec` regexes
are constructed from unicode strings and keyword arguments are extracted.
* The ``reverse_url`` function in the template namespace now comes from
the `.RequestHandler` rather than the `.Application`. (Unless overridden,
`.RequestHandler.reverse_url` is just an alias for the `.Application`
method).
* The ``Etag`` header is now returned on 304 responses to an ``If-None-Match``
request, improving compatibility with some caches.
* `tornado.web` will no longer produce responses with status code 304
that also have entity headers such as ``Content-Length``.
Other modules
~~~~~~~~~~~~~
* `tornado.auth.FacebookGraphMixin` no longer sends ``post_args`` redundantly
in the url.
* The ``extra_params`` argument to `tornado.escape.linkify` may now be
a callable, to allow parameters to be chosen separately for each link.
* `tornado.gen` no longer leaks ``StackContexts`` when a ``@gen.engine`` wrapped
function is called repeatedly.
* `tornado.locale.get_supported_locales` no longer takes a meaningless
``cls`` argument.
* ``StackContext`` instances now have a deactivation callback that can be
used to prevent further propagation.
* `tornado.testing.AsyncTestCase.wait` now resets its timeout on each call.
* ``tornado.wsgi.WSGIApplication`` now parses arguments correctly on Python 3.
* Exception handling on Python 3 has been improved; previously some exceptions
such as `UnicodeDecodeError` would generate ``TypeErrors``
What's new in Tornado 2.2.1
===========================
Apr 23, 2012
------------
Security fixes
~~~~~~~~~~~~~~
* `tornado.web.RequestHandler.set_header` now properly sanitizes input
values to protect against header injection, response splitting, etc.
(it has always attempted to do this, but the check was incorrect).
Note that redirects, the most likely source of such bugs, are protected
by a separate check in `.RequestHandler.redirect`.
Bug fixes
~~~~~~~~~
* Colored logging configuration in `tornado.options` is compatible with
Python 3.2.3 (and 3.3).
What's new in Tornado 2.2
=========================
Jan 30, 2012
------------
Highlights
~~~~~~~~~~
* Updated and expanded WebSocket support.
* Improved compatibility in the Twisted/Tornado bridge.
* Template errors now generate better stack traces.
* Better exception handling in `tornado.gen`.
Security fixes
~~~~~~~~~~~~~~
* ``tornado.simple_httpclient`` now disables SSLv2 in all cases. Previously
SSLv2 would be allowed if the Python interpreter was linked against a
pre-1.0 version of OpenSSL.
Backwards-incompatible changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `tornado.process.fork_processes` now raises `SystemExit` if all child
processes exit cleanly rather than returning ``None``. The old behavior
was surprising and inconsistent with most of the documented examples
of this function (which did not check the return value).
* On Python 2.6, ``tornado.simple_httpclient`` only supports SSLv3. This
is because Python 2.6 does not expose a way to support both SSLv3 and TLSv1
without also supporting the insecure SSLv2.
* `tornado.websocket` no longer supports the older "draft 76" version
of the websocket protocol by default, although this version can
be enabled by overriding ``tornado.websocket.WebSocketHandler.allow_draft76``.
``tornado.httpclient``
~~~~~~~~~~~~~~~~~~~~~~
* ``SimpleAsyncHTTPClient`` no longer hangs on ``HEAD`` requests,
responses with no content, or empty ``POST``/``PUT`` response bodies.
* ``SimpleAsyncHTTPClient`` now supports 303 and 307 redirect codes.
* ``tornado.curl_httpclient`` now accepts non-integer timeouts.
* ``tornado.curl_httpclient`` now supports basic authentication with an
empty password.
``tornado.httpserver``
~~~~~~~~~~~~~~~~~~~~~~
* `.HTTPServer` with ``xheaders=True`` will no longer accept
``X-Real-IP`` headers that don't look like valid IP addresses.
* `.HTTPServer` now treats the ``Connection`` request header as
case-insensitive.
``tornado.ioloop`` and ``tornado.iostream``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* ``IOStream.write`` now works correctly when given an empty string.
* ``IOStream.read_until`` (and ``read_until_regex``) now perform better
when there is a lot of buffered data, which improves performance of
``SimpleAsyncHTTPClient`` when downloading files with lots of
chunks.
* `.SSLIOStream` now works correctly when ``ssl_version`` is set to
a value other than ``SSLv23``.
* Idle ``IOLoops`` no longer wake up several times a second.
* `tornado.ioloop.PeriodicCallback` no longer triggers duplicate callbacks
when stopped and started repeatedly.
``tornado.template``
~~~~~~~~~~~~~~~~~~~~
* Exceptions in template code will now show better stack traces that
reference lines from the original template file.
* ``{#`` and ``#}`` can now be used for comments (and unlike the old
``{% comment %}`` directive, these can wrap other template directives).
* Template directives may now span multiple lines.
``tornado.web``
~~~~~~~~~~~~~~~
* Now behaves better when given malformed ``Cookie`` headers
* `.RequestHandler.redirect` now has a ``status`` argument to send
status codes other than 301 and 302.
* New method `.RequestHandler.on_finish` may be overridden for post-request
processing (as a counterpart to `.RequestHandler.prepare`)
* `.StaticFileHandler` now outputs ``Content-Length`` and ``Etag`` headers
on ``HEAD`` requests.
* `.StaticFileHandler` now has overridable ``get_version`` and
``parse_url_path`` methods for use in subclasses.
* `.RequestHandler.static_url` now takes an ``include_host`` parameter
(in addition to the old support for the ``RequestHandler.include_host``
attribute).
``tornado.websocket``
~~~~~~~~~~~~~~~~~~~~~
* Updated to support the latest version of the protocol, as finalized
in RFC 6455.
* Many bugs were fixed in all supported protocol versions.
* `tornado.websocket` no longer supports the older "draft 76" version
of the websocket protocol by default, although this version can
be enabled by overriding ``tornado.websocket.WebSocketHandler.allow_draft76``.
* `.WebSocketHandler.write_message` now accepts a ``binary`` argument
to send binary messages.
* Subprotocols (i.e. the ``Sec-WebSocket-Protocol`` header) are now supported;
see the `.WebSocketHandler.select_subprotocol` method for details.
* ``.WebSocketHandler.get_websocket_scheme`` can be used to select the
appropriate url scheme (``ws://`` or ``wss://``) in cases where
``HTTPRequest.protocol`` is not set correctly.
Other modules
~~~~~~~~~~~~~
* `tornado.auth.TwitterMixin.authenticate_redirect` now takes a
``callback_uri`` parameter.
* `tornado.auth.TwitterMixin.twitter_request` now accepts both URLs and
partial paths (complete URLs are useful for the search API which follows
different patterns).
* Exception handling in `tornado.gen` has been improved. It is now possible
to catch exceptions thrown by a ``Task``.
* `tornado.netutil.bind_sockets` now works when ``getaddrinfo`` returns
duplicate addresses.
* `tornado.platform.twisted` compatibility has been significantly improved.
Twisted version 11.1.0 is now supported in addition to 11.0.0.
* `tornado.process.fork_processes` correctly reseeds the `random` module
even when `os.urandom` is not implemented.
* `tornado.testing.main` supports a new flag ``--exception_on_interrupt``,
which can be set to false to make ``Ctrl-C`` kill the process more
reliably (at the expense of stack traces when it does so).
* ``tornado.version_info`` is now a four-tuple so official releases can be
distinguished from development branches.
What's new in Tornado 2.1.1
===========================
Oct 4, 2011
-----------
Bug fixes
~~~~~~~~~
* Fixed handling of closed connections with the ``epoll`` (i.e. Linux)
``IOLoop``. Previously, closed connections could be shut down too early,
which most often manifested as "Stream is closed" exceptions in
``SimpleAsyncHTTPClient``.
* Fixed a case in which chunked responses could be closed prematurely,
leading to truncated output.
* ``IOStream.connect`` now reports errors more consistently via logging
and the close callback (this affects e.g. connections to localhost
on FreeBSD).
* ``IOStream.read_bytes`` again accepts both ``int`` and ``long`` arguments.
* ``PeriodicCallback`` no longer runs repeatedly when ``IOLoop`` iterations
complete faster than the resolution of ``time.time()`` (mainly a problem
on Windows).
Backwards-compatibility note
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Listening for ``IOLoop.ERROR`` alone is no longer sufficient for detecting
closed connections on an otherwise unused socket. ``IOLoop.ERROR`` must
always be used in combination with ``READ`` or ``WRITE``.
What's new in Tornado 2.1
=========================
Sep 20, 2011
------------
Backwards-incompatible changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Support for secure cookies written by pre-1.0 releases of Tornado has
been removed. The `.RequestHandler.get_secure_cookie` method no longer
takes an ``include_name`` parameter.
* The ``debug`` application setting now causes stack traces to be displayed
in the browser on uncaught exceptions. Since this may leak sensitive
information, debug mode is not recommended for public-facing servers.
Security fixes
~~~~~~~~~~~~~~
* Diginotar has been removed from the default CA certificates file used
by ``SimpleAsyncHTTPClient``.
New modules
~~~~~~~~~~~
* `tornado.gen`: A generator-based interface to simplify writing
asynchronous functions.
* `tornado.netutil`: Parts of `tornado.httpserver` have been extracted into
a new module for use with non-HTTP protocols.
* `tornado.platform.twisted`: A bridge between the Tornado IOLoop and the
Twisted Reactor, allowing code written for Twisted to be run on Tornado.
* `tornado.process`: Multi-process mode has been improved, and can now restart
crashed child processes. A new entry point has been added at
`tornado.process.fork_processes`, although
``tornado.httpserver.HTTPServer.start`` is still supported.
``tornado.web``
~~~~~~~~~~~~~~~
* `tornado.web.RequestHandler.write_error` replaces ``get_error_html`` as the
preferred way to generate custom error pages (``get_error_html`` is still
supported, but deprecated)
* In `tornado.web.Application`, handlers may be specified by
(fully-qualified) name instead of importing and passing the class object
itself.
* It is now possible to use a custom subclass of ``StaticFileHandler``
with the ``static_handler_class`` application setting, and this subclass
can override the behavior of the ``static_url`` method.
* `~tornado.web.StaticFileHandler` subclasses can now override
``get_cache_time`` to customize cache control behavior.
* `tornado.web.RequestHandler.get_secure_cookie` now has a ``max_age_days``
parameter to allow applications to override the default one-month expiration.
* `~tornado.web.RequestHandler.set_cookie` now accepts a ``max_age`` keyword
argument to set the ``max-age`` cookie attribute (note underscore vs dash)
* `tornado.web.RequestHandler.set_default_headers` may be overridden to set
headers in a way that does not get reset during error handling.
* `.RequestHandler.add_header` can now be used to set a header that can
appear multiple times in the response.
* `.RequestHandler.flush` can now take a callback for flow control.
* The ``application/json`` content type can now be gzipped.
* The cookie-signing functions are now accessible as static functions
``tornado.web.create_signed_value`` and ``tornado.web.decode_signed_value``.
``tornado.httpserver``
~~~~~~~~~~~~~~~~~~~~~~
* To facilitate some advanced multi-process scenarios, ``HTTPServer``
has a new method ``add_sockets``, and socket-opening code is
available separately as `tornado.netutil.bind_sockets`.
* The ``cookies`` property is now available on ``tornado.httpserver.HTTPRequest``
(it is also available in its old location as a property of
`~tornado.web.RequestHandler`)
* ``tornado.httpserver.HTTPServer.bind`` now takes a backlog argument with the
same meaning as ``socket.listen``.
* `~tornado.httpserver.HTTPServer` can now be run on a unix socket as well
as TCP.
* Fixed exception at startup when ``socket.AI_ADDRCONFIG`` is not available,
as on Windows XP
``IOLoop`` and ``IOStream``
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* `~tornado.iostream.IOStream` performance has been improved, especially for
small synchronous requests.
* New methods ``tornado.iostream.IOStream.read_until_close`` and
``tornado.iostream.IOStream.read_until_regex``.
* ``IOStream.read_bytes`` and ``IOStream.read_until_close`` now take a
``streaming_callback`` argument to return data as it is received rather
than all at once.
* `.IOLoop.add_timeout` now accepts `datetime.timedelta` objects in addition
to absolute timestamps.
* `~tornado.ioloop.PeriodicCallback` now sticks to the specified period
instead of creeping later due to accumulated errors.
* `tornado.ioloop.IOLoop` and `tornado.httpclient.HTTPClient` now have
``close()`` methods that should be used in applications that create
and destroy many of these objects.
* `.IOLoop.install` can now be used to use a custom subclass of IOLoop
as the singleton without monkey-patching.
* `~tornado.iostream.IOStream` should now always call the close callback
instead of the connect callback on a connection error.
* The `.IOStream` close callback will no longer be called while there
are pending read callbacks that can be satisfied with buffered data.
``tornado.simple_httpclient``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Now supports client SSL certificates with the ``client_key`` and
``client_cert`` parameters to `tornado.httpclient.HTTPRequest`
* Now takes a maximum buffer size, to allow reading files larger than 100MB
* Now works with HTTP 1.0 servers that don't send a Content-Length header
* The ``allow_nonstandard_methods`` flag on HTTP client requests now
permits methods other than ``POST`` and ``PUT`` to contain bodies.
* Fixed file descriptor leaks and multiple callback invocations in
``SimpleAsyncHTTPClient``
* No longer consumes extra connection resources when following redirects.
* Now works with buggy web servers that separate headers with ``\n`` instead
of ``\r\n\r\n``.
* Now sets ``response.request_time`` correctly.
* Connect timeouts now work correctly.
Other modules
~~~~~~~~~~~~~
* `tornado.auth.OpenIdMixin` now uses the correct realm when the
callback URI is on a different domain.
* `tornado.autoreload` has a new command-line interface which can be used
to wrap any script. This replaces the ``--autoreload`` argument to
`tornado.testing.main` and is more robust against syntax errors.
* `tornado.autoreload.watch` can be used to watch files other than
the sources of imported modules.
* ``tornado.database.Connection`` has new variants of ``execute`` and
``executemany`` that return the number of rows affected instead of
the last inserted row id.
* `tornado.locale.load_translations` now accepts any properly-formatted
locale name, not just those in the predefined ``LOCALE_NAMES`` list.
* `tornado.options.define` now takes a ``group`` parameter to group options
in ``--help`` output.
* Template loaders now take a ``namespace`` constructor argument to add
entries to the template namespace.
* `tornado.websocket` now supports the latest ("hybi-10") version of the
protocol (the old version, "hixie-76" is still supported; the correct
version is detected automatically).
* `tornado.websocket` now works on Python 3
Bug fixes
~~~~~~~~~
* Windows support has been improved. Windows is still not an officially
supported platform, but the test suite now passes and
`tornado.autoreload` works.
* Uploading files whose names contain special characters will now work.
* Cookie values containing special characters are now properly quoted
and unquoted.
* Multi-line headers are now supported.
* Repeated Content-Length headers (which may be added by certain proxies)
are now supported in `.HTTPServer`.
* Unicode string literals now work in template expressions.
* The template ``{% module %}`` directive now works even if applications
use a template variable named ``modules``.
* Requests with "Expect: 100-continue" now work on python 3
What's new in Tornado 2.0
=========================
Jun 21, 2011
------------
::
Major changes:
* Template output is automatically escaped by default; see backwards
compatibility note below.
* The default AsyncHTTPClient implementation is now simple_httpclient.
* Python 3.2 is now supported.
Backwards compatibility:
* Template autoescaping is enabled by default. Applications upgrading from
a previous release of Tornado must either disable autoescaping or adapt
their templates to work with it. For most applications, the simplest
way to do this is to pass autoescape=None to the Application constructor.
Note that this affects certain built-in methods, e.g. xsrf_form_html
and linkify, which must now be called with {% raw %} instead of {}
* Applications that wish to continue using curl_httpclient instead of
simple_httpclient may do so by calling
AsyncHTTPClient.configure("tornado.curl_httpclient.CurlAsyncHTTPClient")
at the beginning of the process. Users of Python 2.5 will probably want
to use curl_httpclient as simple_httpclient only supports ssl on Python 2.6+.
* Python 3 compatibility involved many changes throughout the codebase,
so users are encouraged to test their applications more thoroughly than
usual when upgrading to this release.
Other changes in this release:
* Templates support several new directives:
- {% autoescape ...%} to control escaping behavior
- {% raw ... %} for unescaped output
- {% module ... %} for calling UIModules
* {% module Template(path, **kwargs) %} may now be used to call another
template with an independent namespace
* All IOStream callbacks are now run directly on the IOLoop via add_callback.
* HTTPServer now supports IPv6 where available. To disable, pass
family=socket.AF_INET to HTTPServer.bind().
* HTTPClient now supports IPv6, configurable via allow_ipv6=bool on the
HTTPRequest. allow_ipv6 defaults to false on simple_httpclient and true
on curl_httpclient.
* RequestHandlers can use an encoding other than utf-8 for query parameters
by overriding decode_argument()
* Performance improvements, especially for applications that use a lot of
IOLoop timeouts
* HTTP OPTIONS method no longer requires an XSRF token.
* JSON output (RequestHandler.write(dict)) now sets Content-Type to
application/json
* Etag computation can now be customized or disabled by overriding
RequestHandler.compute_etag
* USE_SIMPLE_HTTPCLIENT environment variable is no longer supported.
Use AsyncHTTPClient.configure instead.
What's new in Tornado 1.2.1
===========================
Mar 3, 2011
-----------
::
We are pleased to announce the release of Tornado 1.2.1, available from
https://github.com/downloads/facebook/tornado/tornado-1.2.1.tar.gz
This release contains only two small changes relative to version 1.2:
* FacebookGraphMixin has been updated to work with a recent change to the
Facebook API.
* Running "setup.py install" will no longer attempt to automatically
install pycurl. This wasn't working well on platforms where the best way
to install pycurl is via something like apt-get instead of easy_install.
This is an important upgrade if you are using FacebookGraphMixin, but
otherwise it can be safely ignored.
What's new in Tornado 1.2
=========================
Feb 20, 2011
------------
::
We are pleased to announce the release of Tornado 1.2, available from
https://github.com/downloads/facebook/tornado/tornado-1.2.tar.gz
Backwards compatibility notes:
* This release includes the backwards-incompatible security change from
version 1.1.1. Users upgrading from 1.1 or earlier should read the
release notes from that release:
http://groups.google.com/group/python-tornado/browse_thread/thread/b36191c781580cde
* StackContexts that do something other than catch exceptions may need to
be modified to be reentrant.
https://github.com/tornadoweb/tornado/commit/7a7e24143e77481d140fb5579bc67e4c45cbcfad
* When XSRF tokens are used, the token must also be present on PUT and
DELETE requests (anything but GET and HEAD)
New features:
* A new HTTP client implementation is available in the module
tornado.simple_httpclient. This HTTP client does not depend on pycurl.
It has not yet been tested extensively in production, but is intended
to eventually replace the pycurl-based HTTP client in a future release of
Tornado. To transparently replace tornado.httpclient.AsyncHTTPClient with
this new implementation, you can set the environment variable
USE_SIMPLE_HTTPCLIENT=1 (note that the next release of Tornado will
likely include a different way to select HTTP client implementations)
* Request logging is now done by the Application rather than the
RequestHandler. Logging behavior may be customized by either overriding
Application.log_request in a subclass or by passing log_function
as an Application setting
* Application.listen(port): Convenience method as an alternative to
explicitly creating an HTTPServer
* tornado.escape.linkify(): Wrap urls in <a> tags
* RequestHandler.create_signed_value(): Create signatures like the
secure_cookie methods without setting cookies.
* tornado.testing.get_unused_port(): Returns a port selected in the same
way as inAsyncHTTPTestCase
* AsyncHTTPTestCase.fetch(): Convenience method for synchronous fetches
* IOLoop.set_blocking_signal_threshold(): Set a callback to be run when
the IOLoop is blocked.
* IOStream.connect(): Asynchronously connect a client socket
* AsyncHTTPClient.handle_callback_exception(): May be overridden
in subclass for custom error handling
* httpclient.HTTPRequest has two new keyword arguments, validate_cert and
ca_certs. Setting validate_cert=False will disable all certificate checks
when fetching https urls. ca_certs may be set to a filename containing
trusted certificate authorities (defaults will be used if this is
unspecified)
* HTTPRequest.get_ssl_certificate(): Returns the client's SSL certificate
(if client certificates were requested in the server's ssl_options
* StaticFileHandler can be configured to return a default file (e.g.
index.html) when a directory is requested
* Template directives of the form "{% from x import y %}" are now
supported (in addition to the existing support for "{% import x
%}"
* FacebookGraphMixin.get_authenticated_user now accepts a new
parameter 'extra_fields' which may be used to request additional
information about the user
Bug fixes:
* auth: Fixed KeyError with Facebook offline_access
* auth: Uses request.uri instead of request.path as the default redirect
so that parameters are preserved.
* escape: xhtml_escape() now returns a unicode string, not
utf8-encoded bytes
* ioloop: Callbacks added with add_callback are now run in the order they
were added
* ioloop: PeriodicCallback.stop can now be called from inside the callback.
* iostream: Fixed several bugs in SSLIOStream
* iostream: Detect when the other side has closed the connection even with
the select()-based IOLoop
* iostream: read_bytes(0) now works as expected
* iostream: Fixed bug when writing large amounts of data on windows
* iostream: Fixed infinite loop that could occur with unhandled exceptions
* httpclient: Fix bugs when some requests use proxies and others don't
* httpserver: HTTPRequest.protocol is now set correctly when using the
built-in SSL support
* httpserver: When using multiple processes, the standard library's
random number generator is re-seeded in each child process
* httpserver: With xheaders enabled, X-Forwarded-Proto is supported as an
alternative to X-Scheme
* httpserver: Fixed bugs in multipart/form-data parsing
* locale: format_date() now behaves sanely with dates in the future
* locale: Updates to the language list
* stack_context: Fixed bug with contexts leaking through reused IOStreams
* stack_context: Simplified semantics and improved performance
* web: The order of css_files from UIModules is now preserved
* web: Fixed error with default_host redirect
* web: StaticFileHandler works when os.path.sep != '/' (i.e. on Windows)
* web: Fixed a caching-related bug in StaticFileHandler when a file's
timestamp has changed but its contents have not.
* web: Fixed bugs with HEAD requests and e.g. Etag headers
* web: Fix bugs when different handlers have different static_paths
* web: @removeslash will no longer cause a redirect loop when applied to the
root path
* websocket: Now works over SSL
* websocket: Improved compatibility with proxies
Many thanks to everyone who contributed patches, bug reports, and feedback
that went into this release!
-Ben
What's new in Tornado 1.1.1
===========================
Feb 8, 2011
-----------
::
Tornado 1.1.1 is a BACKWARDS-INCOMPATIBLE security update that fixes an
XSRF vulnerability. It is available at
https://github.com/downloads/facebook/tornado/tornado-1.1.1.tar.gz
This is a backwards-incompatible change. Applications that previously
relied on a blanket exception for XMLHTTPRequest may need to be modified
to explicitly include the XSRF token when making ajax requests.
The tornado chat demo application demonstrates one way of adding this
token (specifically the function postJSON in demos/chat/static/chat.js).
More information about this change and its justification can be found at
http://www.djangoproject.com/weblog/2011/feb/08/security/
http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
What's new in Tornado 1.1
=========================
Sep 7, 2010
-----------
::
We are pleased to announce the release of Tornado 1.1, available from
https://github.com/downloads/facebook/tornado/tornado-1.1.tar.gz
Changes in this release:
* RequestHandler.async_callback and related functions in other classes
are no longer needed in most cases (although it's harmless to continue
using them). Uncaught exceptions will now cause the request to be closed
even in a callback. If you're curious how this works, see the new
tornado.stack_context module.
* The new tornado.testing module contains support for unit testing
asynchronous IOLoop-based code.
* AsyncHTTPClient has been rewritten (the new implementation was
available as AsyncHTTPClient2 in Tornado 1.0; both names are
supported for backwards compatibility).
* The tornado.auth module has had a number of updates, including support
for OAuth 2.0 and the Facebook Graph API, and upgrading Twitter and
Google support to OAuth 1.0a.
* The websocket module is back and supports the latest version (76) of the
websocket protocol. Note that this module's interface is different
from the websocket module that appeared in pre-1.0 versions of Tornado.
* New method RequestHandler.initialize() can be overridden in subclasses
to simplify handling arguments from URLSpecs. The sequence of methods
called during initialization is documented at
http://tornadoweb.org/documentation#overriding-requesthandler-methods
* get_argument() and related methods now work on PUT requests in addition
to POST.
* The httpclient module now supports HTTP proxies.
* When HTTPServer is run in SSL mode, the SSL handshake is now non-blocking.
* Many smaller bug fixes and documentation updates
Backwards-compatibility notes:
* While most users of Tornado should not have to deal with the stack_context
module directly, users of worker thread pools and similar constructs may
need to use stack_context.wrap and/or NullContext to avoid memory leaks.
* The new AsyncHTTPClient still works with libcurl version 7.16.x, but it
performs better when both libcurl and pycurl are at least version 7.18.2.
* OAuth transactions started under previous versions of the auth module
cannot be completed under the new module. This applies only to the
initial authorization process; once an authorized token is issued that
token works with either version.
Many thanks to everyone who contributed patches, bug reports, and feedback
that went into this release!
-Ben
What's new in Tornado 1.0.1
===========================
Aug 13, 2010
------------
::
This release fixes a bug with RequestHandler.get_secure_cookie, which would
in some circumstances allow an attacker to tamper with data stored in the
cookie.
What's new in Tornado 1.0
=========================
July 22, 2010
-------------
::
We are pleased to announce the release of Tornado 1.0, available
from
https://github.com/downloads/facebook/tornado/tornado-1.0.tar.gz.
There have been many changes since version 0.2; here are some of
the highlights:
New features:
* Improved support for running other WSGI applications in a
Tornado server (tested with Django and CherryPy)
* Improved performance on Mac OS X and BSD (kqueue-based IOLoop),
and experimental support for win32
* Rewritten AsyncHTTPClient available as
tornado.httpclient.AsyncHTTPClient2 (this will become the
default in a future release)
* Support for standard .mo files in addition to .csv in the locale
module
* Pre-forking support for running multiple Tornado processes at
once (see HTTPServer.start())
* SSL and gzip support in HTTPServer
* reverse_url() function refers to urls from the Application
config by name from templates and RequestHandlers
* RequestHandler.on_connection_close() callback is called when the
client has closed the connection (subject to limitations of the
underlying network stack, any proxies, etc)
* Static files can now be served somewhere other than /static/ via
the static_url_prefix application setting
* URL regexes can now use named groups ("(?P<name>)") to pass
arguments to get()/post() via keyword instead of position
* HTTP header dictionary-like objects now support multiple values
for the same header via the get_all() and add() methods.
* Several new options in the httpclient module, including
prepare_curl_callback and header_callback
* Improved logging configuration in tornado.options.
* UIModule.html_body() can be used to return html to be inserted
at the end of the document body.
Backwards-incompatible changes:
* RequestHandler.get_error_html() now receives the exception
object as a keyword argument if the error was caused by an
uncaught exception.
* Secure cookies are now more secure, but incompatible with
cookies set by Tornado 0.2. To read cookies set by older
versions of Tornado, pass include_name=False to
RequestHandler.get_secure_cookie()
* Parameters passed to RequestHandler.get/post() by extraction
from the path now have %-escapes decoded, for consistency with
the processing that was already done with other query
parameters.
Many thanks to everyone who contributed patches, bug reports, and
feedback that went into this release!
-Ben
Generated by dwww version 1.15 on Sun Jun 23 20:49:54 CEST 2024.