1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
What's new in Tornado 3.2.1
===========================
May 5, 2014
-----------
Security fixes
~~~~~~~~~~~~~~
* The signed-value format used by `.RequestHandler.set_secure_cookie`
and `.RequestHandler.get_secure_cookie` has changed to be more secure.
**This is a disruptive change**. The ``secure_cookie`` functions
take new ``version`` parameters to support transitions between cookie
formats.
* The new cookie format fixes a vulnerability that may be present in
applications that use multiple cookies where the name of one cookie
is a prefix of the name of another.
* To minimize disruption, cookies in the older format will be accepted
by default until they expire. Applications that may be vulnerable
can reject all cookies in the older format by passing ``min_version=2``
to `.RequestHandler.get_secure_cookie`.
* Thanks to Joost Pol of `Certified Secure <https://www.certifiedsecure.com>`_
for reporting this issue.
Backwards-compatibility notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Signed cookies issued by `.RequestHandler.set_secure_cookie` in Tornado
3.2.1 cannot be read by older releases. If you need to run 3.2.1
in parallel with older releases, you can pass ``version=1`` to
`.RequestHandler.set_secure_cookie` to issue cookies that are
backwards-compatible (but have a known weakness, so this option
should only be used for a transitional period).
Other changes
~~~~~~~~~~~~~
* The C extension used to speed up the websocket module now compiles
correctly on Windows with MSVC and 64-bit mode. The fallback to
the pure-Python alternative now works correctly on Mac OS X machines
with no C compiler installed.
|
