Release notes from tornado

v6.5.2: What's new in Tornado 6.5.2

2025-08-08T18:10:29Z

Aug 8, 2025

Bug fixes


- Fixed a bug that resulted in WebSocket pings not being sent at the configured interval.
- Improved logging for invalid ``Host`` headers. This was previouisly logged as an uncaught
  exception with a stack trace, now it is simply a 400 response (logged as a warning in the
  access log)
- Restored the ``host`` argument to ``.HTTPServerRequest``. This argument is deprecated
  and will be removed in the future, but its removal with no warning in 6.5.0 was a mistake.
- Removed a debugging print statement that was left in the code.
- Improved type hints for ``gen.multi``.

v6.5.1: What's new in Tornado 6.5.1

2025-05-22T17:57:59Z

May 22, 2025

Bug fixes


- Fixed a bug in ``multipart/form-data`` parsing that could incorrectly reject filenames containing
  characters above U+00FF (i.e. most characters outside the Latin alphabet).

v6.5.0: What's new in Tornado 6.5.0

2025-05-15T20:18:40Z

May 15, 2025

Security Improvements


- Previously, malformed ``multipart-form-data`` requests could log multiple warnings and
  constitute a denial-of-service attack. Now an exception is raised at the first error, so there
  is only one log message per request. This fixes
  `CVE-2025-47287 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m>`_.

General Changes
~~~~~~~~~~~~~~~

- Python 3.14 is now supported. Older versions of Tornado will work on Python 3.14 but may log
  deprecation warnings.
- The free-threading mode of Python 3.13 is now supported on an experimental basis. Prebuilt
  wheels are not yet available for this configuration, but it can be built from source.
- The minimum supported Python version is 3.9.

Deprecation Notices
~~~~~~~~~~~~~~~~~~~

- Support for ``obs-fold`` continuation lines in HTTP headers is deprecated and will be removed in
  Tornado 7.0, as is the use of carriage returns without line feeds as header separators.
- The ``callback`` argument to `.websocket_connect` is deprecated and will be removed in
  Tornado 7.0. Note that ``on_message_callback`` is not deprecated.
- The ``log_message`` and ``args`` attributes of `tornado.web.HTTPError` are deprecated. Use the
  new ``get_message`` method instead.

Type Annotation Changes

tornado.concurrent.chain_future is now typed as accepting both asyncio and concurrent Futures.
tornado.gen.multi and multi_future now take Sequences and Mappings instead of
List and Dict.
tornado.httputil.RequestStartLine and .ResponseStartLine now have type annotations for
their attributes.
.HTTPHeaders now has type annotations for its elements.
The autoescape argument to tornado.template.BaseLoader is now marked as optional.
tornado.routing._RuleList is now a Sequence for more flexibility.
.RequestHandler.SUPPPORTED_METHODS is now typed to support overriding in a subclass.
Types for .RequestHandler.get_body_argument and get_query_argument are improved and now
match the get_argument method.
.RequestHandler.get_cookie now has more accurate types.
The return type of .UIModule.render may now be either str or bytes.

tornado.httputil


- Support for ``obs-fold`` continuation lines in HTTP headers is deprecated and will be removed in
  Tornado 7.0, as is the use of carriage returns without line feeds as header separators.
- Request start lines may no longer include control characters.
- Method names containing invalid characters now return error code 400 instead of 405.
- Header names are now restricted to the set of characters permitted by the RFCs.
- Control characters are no longer allowed in (incoming) header values.
- Handling of trailing whitespace in headers has been improved, especially with ``obs-fold``
  continuation lines.
- The ``Host`` header is now restricted to the set of characters permitted by the RFCs. It is now an
  error to send more than one ``Host`` header, or to omit a ``Host`` header for a request that is
  not using HTTP/1.0.

`tornado.ioloop`
~~~~~~~~~~~~~~~~

- Fixed a bug in which `contextvars` that were set when the event loop was created were not
  available inside the event loop on Windows.

`tornado.netutil`
~~~~~~~~~~~~~~~~~

- `.bind_unix_socket` now supports the Linux abstract namespace.

`tornado.platform.twisted`

TwistedResolver has been deleted. It was already deprecated and scheduled for removal
in Tornado 7.0, but due to the adoption of RFC 8482 it no longer works for most
domain names. This class was primarily intended to provide thread-free non-blocking
DNS resolution. If that is still required, tornado.platform.caresresolver is the
next best option, although it has its own limitations which differ from TwistedResolver,
and it is also deprecated. Most users should switch to the default resolver, which uses
threads.

tornado.web


- The set of characters allowed in (outgoing) HTTP headers now matches the RFCs. Specifically, tab
  characters are now allowed and DEL is not.
- Invalid ``If-Modified-Since`` headers are now ignored instead of causing a 500 error.
- ``%`` characters in the log message of `tornado.web.HTTPError` are no longer doubled when no
  additional arguments are passed. This matches the behavior of `logging.LogRecord`. A new method
  ``get_message`` has been added to ``HTTPError`` to allow access to the fully-substituted message;
  directly accessing ``log_message`` and ``args`` is deprecated.

`tornado.websocket`

Some bugs involving ping_interval and ping_timeout have been fixed. Setting the
ping_timeout greater than the ping_interval is no longer supported. The default
ping_timeout is now equal to the ping_interval.
The callback argument to websocket_connect is deprecated and will be removed in
Tornado 7.0. Note that on_message_callback is not deprecated.

v6.5.0b1: Merge pull request #3492 from bdarnell/relnotes-6.5

2025-04-29T20:36:54Z

Prepare for release 6.5b1

v6.4.2: What's new in Tornado 6.4.2

2024-11-22T02:37:18Z

Nov 21, 2024

Security Improvements


- Parsing of the cookie header is now much more efficient. The older algorithm sometimes had
  quadratic performance which allowed for a denial-of-service attack in which the server would spend
  excessive CPU time parsing cookies and block the event loop. This change fixes CVE-2024-7592.

v6.4.1: What's new in Tornado 6.4.1

2024-06-06T18:12:16Z

Jun 6, 2024

Security Improvements


- Parsing of the ``Transfer-Encoding`` header is now stricter. Unexpected transfer-encoding values
  were previously ignored and treated as the HTTP/1.0 default of read-until-close. This can lead to
  framing issues with certain proxies. We now treat any unexpected value as an error.
- Handling of whitespace in headers now matches the RFC more closely. Only space and tab characters
  are treated as whitespace and stripped from the beginning and end of header values. Other unicode
  whitespace characters are now left alone. This could also lead to framing issues with certain
  proxies.
- ``tornado.curl_httpclient`` now prohibits carriage return and linefeed headers in HTTP headers
  (matching the behavior of ``simple_httpclient``). These characters could be used for header
  injection or request smuggling if untrusted data were used in headers.

General Changes
~~~~~~~~~~~~~~~

`tornado.iostream`
~~~~~~~~~~~~~~~~~~

- `.SSLIOStream` now understands changes to error codes from OpenSSL 3.2. The main result of this
  change is to reduce the noise in the logs for certain errors.

``tornado.simple_httpclient``

simple_httpclient now prohibits carriage return characters in HTTP headers. It had previously
prohibited only linefeed characters.

tornado.testing


- `.AsyncTestCase` subclasses can now be instantiated without being associated with a test
  method. This improves compatibility with test discovery in Pytest 8.2.

v6.4.0: What's new in Tornado 6.4.0

2023-11-29T03:19:42Z

Nov 28, 2023

General Changes


- Python 3.12 is now supported. Older versions of Tornado will work on Python 3.12 but may log
  deprecation warnings.

Deprecation Notices

.IOLoop.add_callback_from_signal is suspected to have been broken since Tornado 5.0 and will be
removed in version 7.0. Use asyncio.loop.add_signal_handler instead.
The client_secret argument to .OAuth2Mixin.authorize_redirect is deprecated and will be
removed in Tornado 7.0. This argument has never been used and other similar methods in this module
don't have it.
.TwitterMixin is deprecated and will be removed in the future.

tornado.auth


- The ``client_secret`` argument to `.OAuth2Mixin.authorize_redirect` is deprecated and will be
  removed in Tornado 7.0. This argument has never been used and other similar methods in this module
  don't have it.
- `.TwitterMixin` is deprecated and will be removed in the future.

``tornado.autoreload``

Autoreload can now be used when the program is run as a directory rather than a file or module.
New CLI flag --until-success re-runs the program on any failure but stops after the first
successful run.

tornado.concurrent


- Fixed reference cycles that could lead to increased memory usage.

``tornado.escape``
~~~~~~~~~~~~~~~~~~

- Several methods in this module now simply pass through to their equivalents in the standard
  library.

``tornado.gen``
~~~~~~~~~~~~~~~

- This module now holds a strong reference to all running `asyncio.Task` objects it creates. This
  prevents premature garbage collection which could cause warnings like "Task was destroyed but it
  is pending!".

``tornado.ioloop``
~~~~~~~~~~~~~~~~~~

- `.IOLoop.add_callback_from_signal` is suspected to have been broken since Tornado 5.0 and will be
  removed in version 7.0.  Use `asyncio.loop.add_signal_handler` instead.
- The type annotation for `.IOLoop.run_in_executor` has been updated to match the updated signature
  of `asyncio.loop.run_in_executor`.
- Fixed reference cycles that could lead to increased memory usage.

``tornado.locale``
~~~~~~~~~~~~~~~~~~

- `.format_timestamp` now supports "aware" datetime objects.

``tornado.platform.asyncio``

The shutdown protocol for .AddThreadSelectorEventLoop now requires the use of asyncio.run or
asyncio.loop.shutdown_asyncgens to avoid leaking the thread.
Introduced .SelectorThread class containing the core functionality of
.AddThreadSelectorEventLoop.
The close() method of .AddThreadSelectorEventLoop is now idempotent.

tornado.web


- `.StaticFileHandler.get_modified_time` now supports "aware" datetime objects and the default
  implementation now returns aware objects.

``tornado.websocket``

Unclosed client connections now reliably log a warning. Previously the warning was dependent on
garbage collection and whether the ping_interval option was used.
The subprotocols argument to .WebSocketClientConnection now defaults to None instead of an
empty list (which was mutable and reused)

v6.4.0b1: What's new in Tornado 6.4.0

2023-11-16T03:10:17Z

In Progress

General Changes


- Python 3.12 is now supported. Older versions of Tornado will work on Python 3.12 but may log
  deprecation warnings.

Deprecation Notices

.IOLoop.add_callback_from_signal is suspected to have been broken since Tornado 5.0 and will be
removed in version 7.0. Use asyncio.loop.add_signal_handler instead.
The client_secret argument to .OAuth2Mixin.authorize_redirect is deprecated and will be
removed in Tornado 7.0. This argument has never been used and other similar methods in this module
don't have it.
.TwitterMixin is deprecated and will be removed in the future.

tornado.auth


- The ``client_secret`` argument to `.OAuth2Mixin.authorize_redirect` is deprecated and will be
  removed in Tornado 7.0. This argument has never been used and other similar methods in this module
  don't have it.
- `.TwitterMixin` is deprecated and will be removed in the future.

``tornado.autoreload``

Autoreload can now be used when the program is run as a directory rather than a file or module.
New CLI flag --until-success re-runs the program on any failure but stops after the first
successful run.

tornado.concurrent


- Fixed reference cycles that could lead to increased memory usage.

``tornado.escape``
~~~~~~~~~~~~~~~~~~

- Several methods in this module now simply pass through to their equivalents in the standard
  library.

``tornado.gen``
~~~~~~~~~~~~~~~

- This module now holds a strong reference to all running `asyncio.Task` objects it creates. This
  prevents premature garbage collection which could cause warnings like "Task was destroyed but it
  is pending!".

``tornado.ioloop``
~~~~~~~~~~~~~~~~~~

- `.IOLoop.add_callback_from_signal` is suspected to have been broken since Tornado 5.0 and will be
  removed in version 7.0.  Use `asyncio.loop.add_signal_handler` instead.
- The type annotation for `.IOLoop.run_in_executor` has been updated to match the updated signature
  of `asyncio.loop.run_in_executor`.
- Fixed reference cycles that could lead to increased memory usage.

``tornado.locale``
~~~~~~~~~~~~~~~~~~

- `.format_timestamp` now supports "aware" datetime objects.

``tornado.platform.asyncio``

The shutdown protocol for .AddThreadSelectorEventLoop now requires the use of asyncio.run or
asyncio.loop.shutdown_asyncgens to avoid leaking the thread.
Introduced .SelectorThread class containing the core functionality of
.AddThreadSelectorEventLoop.
The close() method of .AddThreadSelectorEventLoop is now idempotent.

tornado.web


- `.StaticFileHandler.get_modified_time` now supports "aware" datetime objects and the default
  implementation now returns aware objects.

``tornado.websocket``

Unclosed client connections now reliably log a warning. Previously the warning was dependent on
garbage collection and whether the ping_interval option was used.
The subprotocols argument to .WebSocketClientConnection now defaults to None instead of an
empty list (which was mutable and reused)

v6.3.3: What's new in Tornado 6.3.3

2023-08-11T14:45:47Z

Aug 11, 2023

Security improvements


- The ``Content-Length`` header and ``chunked`` ``Transfer-Encoding`` sizes are now parsed
  more strictly (according to the relevant RFCs) to avoid potential request-smuggling
  vulnerabilities when deployed behind certain proxies.

v6.3.2: What's new in Tornado 6.3.2

2023-05-14T01:38:10Z

May 13, 2023

Security improvements


- Fixed an open redirect vulnerability in StaticFileHandler under certain
  configurations.