• Apr 20, 2017


    What's new in Tornado 4.5
    Apr 16, 2017
    - Improved detection of libraries for colorized logging.
    - `.url_concat` once again treats None as equivalent to an empty sequence.
  • Apr 16, 2017


    What's new in Tornado 4.5
    Apr 16, 2017
    Backwards-compatibility warning
    - The `tornado.websocket` module now imposes a limit on the size of incoming
      messages, which defaults to 10MiB.
    New module
    - `tornado.routing` provides a more flexible routing system than the one built in
      to `.Application`.
    General changes
    - Reduced the number of circular references, reducing memory usage and
      improving performance.
    * The `tornado.auth` module has been updated for compatibility with `a
      change to Facebook's access_token endpoint
      <#1977>`_. This includes both
      the changes initially released in Tornado 4.4.3 and an additional change
      to support the ```session_expires`` field in the new format.
      The ``session_expires`` field is currently a string; it should be accessed
      as ``int(user['session_expires'])`` because it will change from a string to
      an int in Tornado 5.0.
    - Autoreload is now compatible with the `asyncio` event loop.
    - Autoreload no longer attempts to close the `.IOLoop` and all registered
      file descriptors before restarting; it relies on the ``CLOEXEC`` flag
      being set instead.
    - Suppressed some "'NoneType' object not callback" messages that could
      be logged at shutdown.
    - ``yield None`` is now equivalent to ``yield gen.moment``.
      `~tornado.gen.moment` is deprecated. This improves compatibility with
    - Fixed an issue in which a generator object could be garbage
      collected prematurely (most often when weak references are used.
    - New function `.is_coroutine_function` identifies functions wrapped
      by `.coroutine` or `.engine`.
    - The ``Transfer-Encoding`` header is now parsed case-insensitively.
    - ``SimpleAsyncHTTPClient`` now follows 308 redirects.
    - ``CurlAsyncHTTPClient`` will no longer accept protocols other than
      ``http`` and ``https``. To override this, set ``pycurl.PROTOCOLS``
      and ``pycurl.REDIR_PROTOCOLS`` in a ``prepare_curl_callback``.
    - ``CurlAsyncHTTPClient`` now supports digest authentication for proxies
      (in addition to basic auth) via the new ``proxy_auth_mode`` argument.
    - The minimum supported version of ``libcurl`` is now ``7.22.0``.
    - `.HTTPServer` now accepts the keyword argument
      ``trusted_downstream`` which controls the parsing of
      ``X-Forwarded-For`` headers. This header may be a list or set of IP
      addresses of trusted proxies which will be skipped in the
      ``X-Forwarded-For`` list.
    - The ``no_keep_alive`` argument works again.
    - `.url_concat` correctly handles fragments and existing query arguments.
    - Fixed 100% CPU usage after a callback returns an empty list or dict.
    - `.IOLoop.add_callback` now uses a lockless implementation which
      makes it safe for use from ``__del__`` methods. This improves
      performance of calls to `~.IOLoop.add_callback` from the `.IOLoop`
      thread, and slightly decreases it for calls from other threads.
    - `memoryview` objects are now permitted as arguments to `~.BaseIOStream.write`.
    - The internal memory buffers used by `.IOStream` now use `bytearray`
      instead of a list of `bytes`, improving performance.
    - Futures returned by `~.BaseIOStream.write` are no longer orphaned if a second
      call to ``write`` occurs before the previous one is finished.
    - Colored log output is now supported on Windows if the
      `colorama <https://pypi.python.org/pypi/colorama>`_ library
      is installed  and the application calls ``colorama.init()`` at
    - The signature of the `.LogFormatter` constructor has been changed to
      make it compatible with `logging.config.dictConfig`.
    - Worked around an issue that caused "LookupError: unknown encoding:
      latin1" errors on Solaris.
    - `.Subprocess` no longer causes "subprocess still running" warnings on Python 3.6.
    - Improved error handling in `.cpu_count`.
    - `.TCPClient` now supports a ``source_ip`` and ``source_port`` argument.
    - Improved error handling for environments where IPv6 support is incomplete.
    - `.TCPServer.handle_stream` implementations may now be native coroutines.
    - Stopping a `.TCPServer` twice no longer raises an exception.
    - `.RedirectHandler` now supports substituting parts of the matched
      URL into the redirect location using `str.format` syntax.
    - New methods `.RequestHandler.render_linked_js`,
      `.RequestHandler.render_linked_css`, and
      `.RequestHandler.render_embed_css` can be overridden to customize
      the output of `.UIModule`.
    - `.WebSocketHandler.on_message` implementations may now be
      coroutines. New messages will not be processed until the previous
      ``on_message`` coroutine has finished.
    - The ``websocket_ping_interval`` and ``websocket_ping_timeout``
      application settings can now be used to enable a periodic ping of
      the websocket connection, allowing dropped connections to be
      detected and closed.
    - The new ``websocket_max_message_size`` setting defaults to 10MiB.
      The connection will be closed if messages larger than this are received.
    - Headers set by `.RequestHandler.prepare` or
      `.RequestHandler.set_default_headers` are now sent as a part of the
      websocket handshake.
    - Return values from `.WebSocketHandler.get_compression_options` may now include
      the keys ``compression_level`` and ``mem_level`` to set gzip parameters.
      The default compression level is now 6 instead of 9.
    - A new file upload demo is available in the `file_upload
    - A new `.TCPClient` and `.TCPServer` demo is available in the
      `tcpecho <https://github.com/tornadoweb/tornado/tree/master/demos/tcpecho>`_ directory.
    - Minor updates have been made to several existing demos, including
      updates to more recent versions of jquery.
    The following people contributed commits to this release:
    - A\. Jesse Jiryu Davis
    - Aaron Opfer
    - Akihiro Yamazaki
    - Alexander
    - Andreas Røsdal
    - Andrew Rabert
    - Andrew Sumin
    - Antoine Pietri
    - Antoine Pitrou
    - Artur Stawiarski
    - Ben Darnell
    - Brian Mego
    - Dario
    - Doug Vargas
    - Eugene Dubovoy
    - Iver Jordal
    - JZQT
    - James Maier
    - Jeff Hunter
    - Leynos
    - Mark Henderson
    - Michael V. DePalatis
    - Min RK
    - Mircea Ulinic
    - Ping
    - Ping Yang
    - Riccardo Magliocchetti
    - Samuel Chen
    - Samuel Dion-Girardeau
    - Scott Meisburger
    - Shawn Ding
    - TaoBeier
    - Thomas Kluyver
    - Vadim Semenov
    - matee
    - mike820324
    - stiletto
    - zhimin
    - 依云
  • Mar 30, 2017


    What's new in Tornado 4.4.3
    Mar 30, 2017
    Bug fixes
    * The `tornado.auth` module has been updated for compatibility with `a
      change to Facebook's access_token endpoint.
  • Sep 30, 2016


    What's new in Tornado 4.4.2
    Oct 1, 2016
    Security fixes
    * A difference in cookie parsing between Tornado and web browsers
      (especially when combined with Google Analytics) could allow an
      attacker to set arbitrary cookies and bypass XSRF protection. The
      cookie parser has been rewritten to fix this attack.
    Backwards-compatibility notes
    * Cookies containing certain special characters (in particular semicolon
      and square brackets) are now parsed differently.
    * If the cookie header contains a combination of valid and invalid cookies,
      the valid ones will be returned (older versions of Tornado would reject the
      entire header for a single invalid cookie).
  • Jul 23, 2016


    What's new in Tornado 4.4.1
    Jul 23, 2016
    * Fixed a regression in Tornado 4.4 which caused URL regexes
      containing backslash escapes outside capturing groups to be
  • Jul 15, 2016


    What's new in Tornado 4.4
    Jul 15, 2016
    * Tornado now requires Python 2.7 or 3.3+; versions 2.6 and 3.2 are no
      longer supported. Pypy3 is still supported even though its latest
      release is mainly based on Python 3.2.
    * The `monotonic <https://pypi.python.org/pypi/monotonic>`_ package is
      now supported as an alternative to `Monotime
      <https://pypi.python.org/pypi/Monotime>`_ for monotonic clock support
      on Python 2.
    * Failures in ``_curl_setup_request`` no longer cause the
      ``max_clients`` pool to be exhausted.
    * Non-ascii header values are now handled correctly.
    * `.with_timeout` now accepts any yieldable object (except
      `.YieldPoint`), not just `tornado.concurrent.Future`.
    * The errors raised by timeouts now indicate what state the request
      was in; the error message is no longer simply "599 Timeout".
    * Calling `repr` on a `tornado.httpclient.HTTPError` no longer raises
      an error.
    * Int-like enums (including `http.HTTPStatus`) can now be used as
      status codes.
    * Responses with status code ``204 No Content`` no longer emit a
      ``Content-Length: 0`` header.
    * Improved performance when there are large numbers of active timeouts.
    * All included `.Resolver` implementations raise `IOError` (or a
      subclass) for any resolution failure.
    * Options can now be modified with subscript syntax in addition to
      attribute syntax.
    * The special variable ``__file__`` is now available inside config files.
    * HTTP/1.0 (not 1.1) responses without a ``Content-Length`` header now
      work correctly.
    * `.TCPServer.bind` now accepts a ``reuse_port`` argument.
    * Test sockets now always use ```` instead of ``localhost``.
      This avoids conflicts when the automatically-assigned port is
      available on IPv4 but not IPv6, or in unusual network configurations
      when ``localhost`` has multiple IP addresses.
    * ``image/svg+xml`` is now on the list of compressible mime types.
    * Fixed an error on Python 3 when compression is used with multiple
      ``Vary`` headers.
    * ``WebSocketHandler.__init__`` now uses `super`, which improves
      support for multiple inheritance.
  • Jul 8, 2016


    Set version number to 4.4b1
  • Nov 6, 2015


    Tornado 4.3
    Nov 6, 2015
    * The new async/await keywords in Python 3.5 are supported. In most cases,
      ``async def`` can be used in place of the ``@gen.coroutine`` decorator.
      Inside a function defined with ``async def``, use ``await`` instead of
      ``yield`` to wait on an asynchronous operation. Coroutines defined with
      async/await will be faster than those defined with ``@gen.coroutine`` and
      ``yield``, but do not support some features including `.Callback`/`.Wait` or
      the ability to yield a Twisted ``Deferred``. See :ref:`the users'
      guide <native_coroutines>` for more.
    * The async/await keywords are also available when compiling with Cython in
      older versions of Python.
    Deprecation notice
    * This will be the last release of Tornado to support Python 2.6 or 3.2.
      Note that PyPy3 will continue to be supported even though it implements
      a mix of Python 3.2 and 3.3 features.
    * Tornado has several new dependencies: ``ordereddict`` on Python 2.6,
      ``singledispatch`` on all Python versions prior to 3.4 (This was an
      optional dependency in prior versions of Tornado, and is now
      mandatory), and ``backports_abc>=0.4`` on all versions prior to
      3.5. These dependencies will be installed automatically when installing
      with ``pip`` or ``setup.py install``. These dependencies will not
      be required when running on Google App Engine.
    * Binary wheels are provided for Python 3.5 on Windows (32 and 64 bit).
    * New method `.OAuth2Mixin.oauth2_request` can be used to make authenticated
      requests with an access token.
    * Now compatible with callbacks that have been compiled with Cython.
    * Fixed an issue with the autoreload command-line wrapper in which
      imports would be incorrectly interpreted as relative.
    * Fixed parsing of multi-line headers.
    * ``allow_nonstandard_methods=True`` now bypasses body sanity checks,
      in the same way as in ``simple_httpclient``.
    * The ``PATCH`` method now allows a body without
    * `.WaitIterator` now supports the ``async for`` statement on Python 3.5.
    * ``@gen.coroutine`` can be applied to functions compiled with Cython.
      On python versions prior to 3.5, the ``backports_abc`` package must
      be installed for this functionality.
    * ``Multi`` and `.multi_future` are deprecated and replaced by
      a unified function `.multi`.
    * `tornado.httpclient.HTTPError` is now copyable with the `copy` module.
    * Requests containing both ``Content-Length`` and ``Transfer-Encoding``
      will be treated as an error.
    * `.HTTPHeaders` can now be pickled and unpickled.
    * ``IOLoop(make_current=True)`` now works as intended instead
      of raising an exception.
    * The Twisted and asyncio IOLoop implementations now clear
      ``current()`` when they exit, like the standard IOLoops.
    * `.IOLoop.add_callback` is faster in the single-threaded case.
    * `.IOLoop.add_callback` no longer raises an error when called on
      a closed IOLoop, but the callback will not be invoked.
    * Coroutine-style usage of `.IOStream` now converts most errors into
      `.StreamClosedError`, which has the effect of reducing log noise from
      exceptions that are outside the application's control (especially
      SSL errors).
    * `.StreamClosedError` now has a ``real_error`` attribute which indicates
      why the stream was closed. It is the same as the ``error`` attribute of
      `.IOStream` but may be more easily accessible than the `.IOStream` itself.
    * Improved error handling in `~.BaseIOStream.read_until_close`.
    * Logging is less noisy when an SSL server is port scanned.
    * ``EINTR`` is now handled on all reads.
    * `tornado.locale.load_translations` now accepts encodings other than
      UTF-8. UTF-16 and UTF-8 will be detected automatically if a BOM is
      present; for other encodings `.load_translations` has an ``encoding``
    * `.Lock` and `.Semaphore` now support the ``async with`` statement on
      Python 3.5.
    * A new time-based log rotation mode is available with
      ``--log_rotate_mode=time``, ``--log-rotate-when``, and
    * `.bind_sockets` now supports ``SO_REUSEPORT`` with the ``reuse_port=True``
    * Dashes and underscores are now fully interchangeable in option names.
    * `.Queue` now supports the ``async for`` statement on Python 3.5.
    * When following redirects, ``streaming_callback`` and
      ``header_callback`` will no longer be run on the redirect responses
      (only the final non-redirect).
    * Responses containing both ``Content-Length`` and ``Transfer-Encoding``
      will be treated as an error.
    * `tornado.template.ParseError` now includes the filename in addition to
      line number.
    * Whitespace handling has become more configurable. The `.Loader`
      constructor now has a ``whitespace`` argument, there is a new
      ``template_whitespace`` `.Application` setting, and there is a new
      ``{% whitespace %}`` template directive. All of these options take
      a mode name defined in the `tornado.template.filter_whitespace` function.
      The default mode is ``single``, which is the same behavior as prior
      versions of Tornado.
    * Non-ASCII filenames are now supported.
    * `.ExpectLog` objects now have a boolean ``logged_stack`` attribute to
      make it easier to test whether an exception stack trace was logged.
    * The hard limit of 4000 bytes per outgoing header has been removed.
    * `.StaticFileHandler` returns the correct ``Content-Type`` for files
      with ``.gz``, ``.bz2``, and ``.xz`` extensions.
    * Responses smaller than 1000 bytes will no longer be compressed.
    * The default gzip compression level is now 6 (was 9).
    * Fixed a regression in Tornado 4.2.1 that broke `.StaticFileHandler`
      with a ``path`` of ``/``.
    * `tornado.web.HTTPError` is now copyable with the `copy` module.
    * The exception `.Finish` now accepts an argument which will be passed to
      the method `.RequestHandler.finish`.
    * New `.Application` setting ``xsrf_cookie_kwargs`` can be used to set
      additional attributes such as ``secure`` or ``httponly`` on the
      XSRF cookie.
    * `.Application.listen` now returns the `.HTTPServer` it created.
    * Fixed handling of continuation frames when compression is enabled.
  • Oct 24, 2015


    Set version number to 4.3b2
  • Oct 18, 2015


    Set version number to 4.3b1