./www/py-tornado, Fast and non-blocking web framework


Branch: CURRENT, Version: 6.5.5, Package name: py313-tornado-6.5.5, Maintainer: imil

Tornado is an open source version of the scalable, non-blocking web server and
tools that power FriendFeed. The FriendFeed application is written using a web
framework that looks a bit like web.py or Google's webapp, but with additional
tools and optimizations to take advantage of the underlying non-blocking
infrastructure.

The framework is distinct from most mainstream web server frameworks (and
certainly most Python frameworks) because it is non-blocking and reasonably
fast. Because it is non-blocking and uses epoll or kqueue, it can handle
thousands of simultaneous standing connections, which means it is ideal for
real-time web services. We built the web server specifically to handle
FriendFeed's real-time features -- every active user of FriendFeed maintains
an open connection to the FriendFeed servers.


Required to run:
[www/py-curl] [devel/py-setuptools] [lang/python37]

Required to build:
[pkgtools/cwrappers]

Master sites:

Filesize: 503.912 KB


CVS history:


   2026-03-11 11:09:06 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-tornado: updated to 6.5.5

What's new in Tornado 6.5.5

Security fixes

- ``multipart/form-data`` requests are now limited to 100 parts by default, to prevent a
  denial-of-service attack via very large requests with many parts. This limit is configurable
  via `tornado.httputil.ParseMultipartConfig`. Multipart parsing can also be disabled completely
  if not required for the application. Thanks to [0x-Apollyon](https://github.com/0x-Apollyon) and
  [bekkaze](https://github.com/bekkaze) for reporting this issue.
- The ``domain``, ``path``, and ``samesite`` arguments to `.RequestHandler.set_cookie` are now
  validated for illegal characters, which could be abused to inject other attributes on the cookie.
  Thanks to Dhiral Vyas (Praetorian) for reporting this issue.
- Carriage return characters are no longer accepted in ``multipart/form-data`` headers. Thanks to
  [sergeykochanov](https://github.com/sergeykochanov) for reporting this issue.
   2025-12-22 10:05:54 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-tornado: updated to 6.5.4

What's new in Tornado 6.5.4

Bug fixes

- The ``in`` operator for ``HTTPHeaders`` was incorrectly case-sensitive, causing
  lookups to fail for headers with different casing than the original header name.
  This was a regression in version 6.5.3 and has been fixed to restore the intended
  case-insensitive behavior from version 6.5.2 and earlier.
   2025-12-11 16:22:58 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-tornado: updated to 6.5.3

What's new in Tornado 6.5.3

Security fixes

- Fixed a denial-of-service vulnerability involving quadratic computation when parsing
  ``multipart/form-data`` request bodies.
  `CVE-2025-67726 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-jhmp-mqwm-3gq8>`_
  Thanks to `Finder16 <https://github.com/Finder16>`_ for reporting this issue.
- Fixed a denial-of-service vulnerability involving quadratic computation when parsing repeated HTTP
  headers.
  `CVE-2025-67725 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-c98p-7wgm-6p64>`_.
  Thanks to `Finder16 <https://github.com/Finder16>`_ for reporting this issue.
- Fixed a header injection and XSS vulnerability involving the ``reason`` argument to
  `.RequestHandler.set_status` and `tornado.web.HTTPError`.
  `CVE-2025-67724 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f>`_.
  Thanks to `Finder16 <https://github.com/Finder16>`_ and
  `Cheshire1225 <https://github.com/Cheshire1225>`_ for reporting this issue.

Demo changes

- Several demo applications bundled with the Tornado repo (``blog``, ``chat``, ``facebook``) had an
  open redirect vulnerability which has been fixed. This is not covered by a CVE or security
  advisory since the demo applications are not included as a part of the Tornado package when
  installed, but developers who have copied code from these demos may wish to review their own
  applications for open redirects. Thanks to `J1vvoo <https://github.com/J1vvoo>`_ for reporting this
  issue.
- The ``s3server`` demo application contained some path traversal vulnerabilities. Since this demo
  application was not demonstrating any interesting aspects of Tornado, it has been deleted rather
  than being fixed. Thanks to `J1vvoo <https://github.com/J1vvoo>`_ for reporting this issue.
   2025-08-13 06:42:57 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-tornado: updated to 6.5.2

What's new in Tornado 6.5.2

Bug fixes

- Fixed a bug that resulted in WebSocket pings not being sent at the configured interval.
- Improved logging for invalid ``Host`` headers. This was previously logged as an uncaught
  exception with a stack trace, now it is simply a 400 response (logged as a warning in the
  access log)
- Restored the ``host`` argument to ``.HTTPServerRequest``. This argument is deprecated
  and will be removed in the future, but its removal with no warning in 6.5.0 was a mistake.
- Removed a debugging print statement that was left in the code.
- Improved type hints for ``gen.multi``.
   2025-05-22 20:47:12 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-tornado: updated to 6.5.1

6.5.1

Bug fixes

Fixed a bug in multipart/form-data parsing that could incorrectly reject
filenames containing characters above U+00FF (i.e. most characters outside the
Latin alphabet).
   2025-05-22 07:59:40 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-tornado: updated to 6.5

Tornado 6.5.0

Security Improvements

Previously, malformed multipart-form-data requests could log multiple warnings
and constitute a denial-of-service attack. Now an exception is raised at the
first error, so there is only one log message per request. This fixes
CVE-2025-47287.

General Changes

Python 3.14 is now supported. Older versions of Tornado will work on Python 3.14
but may log deprecation warnings.
The free-threading mode of Python 3.13 is now supported on an experimental
basis. Prebuilt wheels are not yet available for this configuration, but it can
be built from source.
The minimum supported Python version is 3.9.

Deprecation Notices

Support for obs-fold continuation lines in HTTP headers is deprecated and will
be removed in Tornado 7.0, as is the use of carriage returns without line feeds
as header separators.
The callback argument to websocket_connect is deprecated and will be removed in
Tornado 7.0. Note that on_message_callback is not deprecated.
The log_message and args attributes of tornado.web.HTTPError are deprecated. Use
the new get_message method instead.
   2025-04-14 22:28:04 by Adam Ciarcinski | Files touched by this commit (60) | Package updated
Log message:
Fix PLIST after py-setuptools update; bump depends and revision
   2025-02-02 11:38:04 by Havard Eidnes | Files touched by this commit (28)
Log message:
lang/python and a number of python packages: re-do atomic64.mk issue.

Evidently, python 3.13 brought in the need to support 64-bit atomics.
This means that python extension packages built with C need to
use mk/atomic64.mk to make -latomic available on the required 32-bit
ports.  Sadly, there is no reliable way to detect in the .mk files
whether the package is using C (or C++), so this change adds an
unconditional include of mk/atomic64.mk when the python version is
equal to or larger than 3.13 for packages using egg.mk or wheel.mk.

This undoes the individual package Makefile inclusions of mk/atomic64.mk
that I've added over the last few days.