Tornado 3.2.1 新特性¶

May 5, 2014¶

The signed-value format used by RequestHandler.set_secure_cookieand RequestHandler.get_secure_cookie has changed to be more secure.This is a disruptive change. The secure_cookie functionstake new version parameters to support transitions between cookieformats.
The new cookie format fixes a vulnerability that may be present inapplications that use multiple cookies where the name of one cookieis a prefix of the name of another.
To minimize disruption, cookies in the older format will be acceptedby default until they expire. Applications that may be vulnerablecan reject all cookies in the older format by passing min_version=2to RequestHandler.get_secure_cookie.
Thanks to Joost Pol of Certified Securefor reporting this issue.

Signed cookies issued by RequestHandler.set_secure_cookie in Tornado3.2.1 cannot be read by older releases. If you need to run 3.2.1in parallel with older releases, you can pass version=1 toRequestHandler.set_secure_cookie to issue cookies that arebackwards-compatible (but have a known weakness, so this optionshould only be used for a transitional period).

The C extension used to speed up the websocket module now compilescorrectly on Windows with MSVC and 64-bit mode. The fallback tothe pure-Python alternative now works correctly on Mac OS X machineswith no C compiler installed.

原文:

https://tornado-zh-cn.readthedocs.io/zh_CN/latest/releases/v3.2.1.html