• Jun 22, 2011


    Major changes:
    * Template output is automatically escaped by default; see backwards
      compatibility note below.
    * The default AsyncHTTPClient implementation is now simple_httpclient.
    * Python 3.2 is now supported.
    Backwards compatibility:
    * Template autoescaping is enabled by default.  Applications upgrading from
      a previous release of Tornado must either disable autoescaping or adapt
      their templates to work with it.  For most applications, the simplest
      way to do this is to pass autoescape=None to the Application constructor.
    * Applications that wish to continue using curl_httpclient instead of
      simple_httpclient may do so by calling
      at the beginning of the process.  Users of Python 2.5 will probably want
      to use curl_httpclient as simple_httpclient only supports ssl on Python 2.6+.
    * Python 3 compatibility involved many changes throughout the codebase,
      so users are encouraged to test their applications more thoroughly than
      usual when upgrading to this release.
    Other changes in this release:
    * Templates support several new directives:
      - {% autoescape ...%} to control escaping behavior
      - {% raw ... %} for unescaped output
      - {% module ... %} for calling UIModules
    * {% module Template(path, **kwargs) %} may now be used to call another
      template with an independent namespace
    * All IOStream callbacks are now run directly on the IOLoop via add_callback.
    * HTTPServer now supports IPv6 where available.  To disable, pass
      family=socket.AF_INET to HTTPServer.bind().
    * HTTPClient now supports IPv6, configurable via allow_ipv6=bool on the
      HTTPRequest.  allow_ipv6 defaults to false on simple_httpclient and true
      on curl_httpclient.
    * RequestHandlers can use an encoding other than utf-8 for query parameters
      by overriding decode_argument()
    * Performance improvements, especially for applications that use a lot of
      IOLoop timeouts
    * HTTP OPTIONS method no longer requires an XSRF token.
    * JSON output (RequestHandler.write(dict)) now sets Content-Type to
    * Etag computation can now be customized or disabled by overriding
    * USE_SIMPLE_HTTPCLIENT environment variable is no longer supported.
      Use AsyncHTTPClient.configure instead.
  • Mar 3, 2011


    We are pleased to announce the release of Tornado 1.2.1, available from
    This release contains only two small changes relative to version 1.2:
    * FacebookGraphMixin has been updated to work with a recent change to the
      Facebook API.
    * Running "setup.py install" will no longer attempt to automatically
      install pycurl.  This wasn't working well on platforms where the best way
      to install pycurl is via something like apt-get instead of easy_install.
    This is an important upgrade if you are using FacebookGraphMixin, but
    otherwise it can be safely ignored.
  • Feb 20, 2011


    We are pleased to announce the release of Tornado 1.2, available from
    Backwards compatibility notes:
    * This release includes the backwards-incompatible security change from
      version 1.1.1.  Users upgrading from 1.1 or earlier should read the
      release notes from that release:
    * StackContexts that do something other than catch exceptions may need to
      be modified to be reentrant.
    * When XSRF tokens are used, the token must also be present on PUT and
      DELETE requests (anything but GET and HEAD)
    New features:
    * A new HTTP client implementation is available in the module
      tornado.simple_httpclient.  This HTTP client does not depend on pycurl.
      It has not yet been tested extensively in production, but is intended
      to eventually replace the pycurl-based HTTP client in a future release of
      Tornado.  To transparently replace tornado.httpclient.AsyncHTTPClient with
      this new implementation, you can set the environment variable
      USE_SIMPLE_HTTPCLIENT=1 (note that the next release of Tornado will
      likely include a different way to select HTTP client implementations)
    * Request logging is now done by the Application rather than the
      RequestHandler.  Logging behavior may be customized by either overriding
      Application.log_request in a subclass or by passing log_function
      as an Application setting
    * Application.listen(port): Convenience method as an alternative to
      explicitly creating an HTTPServer
    * tornado.escape.linkify(): Wrap urls in <a> tags
    * RequestHandler.create_signed_value(): Create signatures like the
      secure_cookie methods without setting cookies.
    * tornado.testing.get_unused_port(): Returns a port selected in the same
      way as inAsyncHTTPTestCase
    * AsyncHTTPTestCase.fetch(): Convenience method for synchronous fetches
    * IOLoop.set_blocking_signal_threshold(): Set a callback to be run when
      the IOLoop is blocked.
    * IOStream.connect(): Asynchronously connect a client socket
    * AsyncHTTPClient.handle_callback_exception(): May be overridden
      in subclass for custom error handling
    * httpclient.HTTPRequest has two new keyword arguments, validate_cert and
      ca_certs. Setting validate_cert=False will disable all certificate checks
      when fetching https urls.  ca_certs may be set to a filename containing
      trusted certificate authorities (defaults will be used if this is
    * HTTPRequest.get_ssl_certificate(): Returns the client's SSL certificate
      (if client certificates were requested in the server's ssl_options
    * StaticFileHandler can be configured to return a default file (e.g.
      index.html) when a directory is requested
    * Template directives of the form "{% from x import y %}" are now supported (in
      addition to the existing support for "{% import x %}"
    * FacebookGraphMixin.get_authenticated_user now accepts a new
      parameter 'extra_fields' which may be used to request additional information
      about the user
    Bug fixes:
    * auth: Fixed KeyError with Facebook offline_access
    * auth: Uses request.uri instead of request.path as the default redirect
      so that parameters are preserved.
    * escape: xhtml_escape() now returns a unicode string, not utf8-encoded bytes
    * ioloop: Callbacks added with add_callback are now run in the order they
      were added
    * ioloop: PeriodicCallback.stop can now be called from inside the callback.
    * iostream: Fixed several bugs in SSLIOStream
    * iostream: Detect when the other side has closed the connection even with
      the select()-based IOLoop
    * iostream: read_bytes(0) now works as expected
    * iostream: Fixed bug when writing large amounts of data on windows
    * iostream: Fixed infinite loop that could occur with unhandled exceptions
    * httpclient: Fix bugs when some requests use proxies and others don't
    * httpserver: HTTPRequest.protocol is now set correctly when using the
      built-in SSL support
    * httpserver: When using multiple processes, the standard library's
      random number generator is re-seeded in each child process
    * httpserver: With xheaders enabled, X-Forwarded-Proto is supported as an
      alternative to X-Scheme
    * httpserver: Fixed bugs in multipart/form-data parsing
    * locale: format_date() now behaves sanely with dates in the future
    * locale: Updates to the language list
    * stack_context: Fixed bug with contexts leaking through reused IOStreams
    * stack_context: Simplified semantics and improved performance
    * web: The order of css_files from UIModules is now preserved
    * web: Fixed error with default_host redirect
    * web: StaticFileHandler works when os.path.sep != '/' (i.e. on Windows)
    * web: Fixed a caching-related bug in StaticFileHandler when a file's
      timestamp has changed but its contents have not.
    * web: Fixed bugs with HEAD requests and e.g. Etag headers
    * web: Fix bugs when different handlers have different static_paths
    * web: @removeslash will no longer cause a redirect loop when applied to the
      root path
    * websocket: Now works over SSL
    * websocket: Improved compatibility with proxies
    Many thanks to everyone who contributed patches, bug reports, and feedback
    that went into this release!
  • Feb 9, 2011


    Tornado 1.1.1 is a BACKWARDS-INCOMPATIBLE security update that fixes an
    XSRF vulnerability.  It is available at
    This is a backwards-incompatible change.  Applications that previously
    relied on a blanket exception for XMLHTTPRequest may need to be modified
    to explicitly include the XSRF token when making ajax requests.
    The tornado chat demo application demonstrates one way of adding this
    token (specifically the function postJSON in demos/chat/static/chat.js).
    More information about this change and its justification can be found at
  • Sep 8, 2010


    We are pleased to announce the release of Tornado 1.1, available from
    Changes in this release:
    * RequestHandler.async_callback and related functions in other classes
      are no longer needed in most cases (although it's harmless to continue
      using them).  Uncaught exceptions will now cause the request to be closed
      even in a callback.  If you're curious how this works, see the new
      tornado.stack_context module.
    * The new tornado.testing module contains support for unit testing
      asynchronous IOLoop-based code.
    * AsyncHTTPClient has been rewritten (the new implementation was available as
      AsyncHTTPClient2 in Tornado 1.0; both names are supported for backwards
    * The tornado.auth module has had a number of updates, including support
      for OAuth 2.0 and the Facebook Graph API, and upgrading Twitter and
      Google support to OAuth 1.0a.
    * The websocket module is back and supports the latest version (76) of the
      websocket protocol.  Note that this module's interface is different
      from the websocket module that appeared in pre-1.0 versions of Tornado.
    * New method RequestHandler.initialize() can be overridden in subclasses
      to simplify handling arguments from URLSpecs.  The sequence of methods
      called during initialization is documented at
    * get_argument() and related methods now work on PUT requests in addition
      to POST.
    * The httpclient module now supports HTTP proxies.
    * When HTTPServer is run in SSL mode, the SSL handshake is now non-blocking.
    * Many smaller bug fixes and documentation updates
    Backwards-compatibility notes:
    * While most users of Tornado should not have to deal with the stack_context
      module directly, users of worker thread pools and similar constructs may
      need to use stack_context.wrap and/or NullContext to avoid memory leaks.
    * The new AsyncHTTPClient still works with libcurl version 7.16.x, but it
      performs better when both libcurl and pycurl are at least version 7.18.2.
    * OAuth transactions started under previous versions of the auth module
      cannot be completed under the new module.  This applies only to the
      initial authorization process; once an authorized token is issued that
      token works with either version.
    Many thanks to everyone who contributed patches, bug reports, and feedback
    that went into this release!
  • Aug 13, 2010


    This release fixes a bug with RequestHandler.get_secure_cookie, which…
    … would
    in some circumstances allow an attacker to tamper with data stored in the
  • Jul 22, 2010


    We are pleased to announce the release of Tornado 1.0, available from h…
    …ttp://github.com/downloads/facebook/tornado/tornado-1.0.tar.gz.  There have been many changes since version 0.2; here are some of the highlights:
    New features:
    * Improved support for running other WSGI applications in a Tornado server (tested with Django and CherryPy)
    * Improved performance on Mac OS X and BSD (kqueue-based IOLoop), and experimental support for win32
    * Rewritten AsyncHTTPClient available as tornado.httpclient.AsyncHTTPClient2 (this will become the default in a future release)
    * Support for standard .mo files in addition to .csv in the locale module
    * Pre-forking support for running multiple Tornado processes at once (see HTTPServer.start())
    * SSL and gzip support in HTTPServer
    * reverse_url() function refers to urls from the Application config by name from templates and RequestHandlers
    * RequestHandler.on_connection_close() callback is called when the client has closed the connection (subject to limitations of the underlying network stack, any proxies, etc)
    * Static files can now be served somewhere other than /static/ via the static_url_prefix application setting
    * URL regexes can now use named groups ("(?P<name>)") to pass arguments to get()/post() via keyword instead of position
    * HTTP header dictionary-like objects now support multiple values for the same header via the get_all() and add() methods.
    * Several new options in the httpclient module, including prepare_curl_callback and header_callback
    * Improved logging configuration in tornado.options.
    * UIModule.html_body() can be used to return html to be inserted at the end of the document body.
    Backwards-incompatible changes:
    * RequestHandler.get_error_html() now receives the exception object as a keyword argument if the error was caused by an uncaught exception.
    * Secure cookies are now more secure, but incompatible with cookies set by Tornado 0.2.  To read cookies set by older versions of Tornado, pass include_name=False to RequestHandler.get_secure_cookie()
    * Parameters passed to RequestHandler.get/post() by extraction from the path now have %-escapes decoded, for consistency with the processing that was already done with other query parameters.
    Many thanks to everyone who contributed patches, bug reports, and feedback that went into this release!