Tornado

In the beginning Facebook was built using PHP and MySQL, but as the traffic and size of the network increased, so did its requirements for a better and faster delivery of content in real-time.

This led the Facebook team to delve into other technologies and languages outside PHP, and the company soon turned it sights to Python, a programming language used by Google to build its search engine.

The efforts of the team resulted into a product called Tornado, a Python framework specifically designed to work with raw HTTP connections in a simple asynchronous non-blocking way.

Tornado was inspired by other tools like Web.py and Google's webapp, but also includes extra features as well.

At the center of the entire framework resides a powerful HTTP server, which is enhanced by a suite of modules for dealing with i18n content, string manipulation, output generation, asynchronous operations, third-party code, logs, and so on.

Besides Cassandra, Tornado is one of Facebook's most successful open sourced applications to date.

What is new in this release:

• New modules: tornado.locks and tornado.queues

What is new in version 4.2:

• New modules: tornado.locks and tornado.queues

What is new in version 4.1:

• The tornado.web.stream_request_body decorator allows large files to be uploaded with limited memory usage.
• Coroutines are now faster and are used extensively throughout Tornado itself. More methods now return Futures, including most IOStream methods and RequestHandler.flush.
• Many user-overridden methods are now allowed to return a Future for flow control.
• HTTP-related code is now shared between the tornado.httpserver, tornado.simple_httpclient and tornado.wsgi modules, making support for features such as chunked and gzip encoding more consistent. HTTPServer now uses new delegate interfaces defined in tornado.httputil in addition to its old single-callback interface.
• New module tornado.tcpclient creates TCP connections with non-blocking DNS, SSL handshaking, and support for IPv6.

What is new in version 3.2.2:

• The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrf_cookies and gzip options (or have gzip applied by a proxy).
• If Tornado 3.2.2 is run at the same time as older versions on the same domain, there is some potential for issues with the differing cookie versions. The Application setting xsrf_cookie_version=1 can be used for a transitional period to generate the older cookie format on newer servers.
• tornado.platform.asyncio is now compatible with trollius version 0.3.

What is new in version 3.2.1:

• The signed-value format used by RequestHandler.set_secure_cookie and RequestHandler.get_secure_cookie has changed to be more secure. This is a disruptive change. The secure_cookie functions take new version parameters to support transitions between cookie formats.
• The new cookie format fixes a vulnerability that may be present in applications that use multiple cookies where the name of one cookie is a prefix of the name of another.
• To minimize disruption, cookies in the older format will be accepted by default until they expire. Applications that may be vulnerable can reject all cookies in the older format by passing min_version=2 to RequestHandler.get_secure_cookie.

What is new in version 3.2:

• New application setting default_handler_class can be used to easily set up custom 404 pages.
• New application settings autoreload, compiled_template_cache, static_hash_cache, and serve_traceback can be used to control individual aspects of debug mode.
• New methods RequestHandler.get_query_argument and RequestHandler.get_body_argument and new attributes HTTPRequest.query_arguments and HTTPRequest.body_arguments allow access to arguments without intermingling those from the query string with those from the request body.
• RequestHandler.decode_argument and related methods now raise an HTTPError(400) instead of UnicodeDecodeError when the argument could not be decoded.
• RequestHandler.clear_all_cookies now accepts domain and path arguments, just like clear_cookie.
• It is now possible to specify handlers by name when using the URLSpec class.
• Application now accepts 4-tuples to specify the name parameter (which previously required constructing a URLSpec object instead of a tuple).
• Fixed an incorrect error message when handler methods return a value other than None or a Future.
• Exceptions will no longer be logged twice when using both @asynchronous and @gen.coroutine.

What is new in version 3.1:

• Many reference cycles have been broken up throughout the package, allowing for more efficient garbage collection on CPython.
• Silenced some log messages when connections are opened and immediately closed (i.e. port scans), or other situations related to closed connections.
• Various small speedups: HTTPHeaders case normalization, UIModule proxy objects, precompile some regexes.

What is new in version 3.0.2:

• tornado.auth.TwitterMixin now defaults to version 1.1 of the Twitter API, instead of version 1.0 which is being discontinued on June 11. It also now uses HTTPS when talking to Twitter.
• Fixed a potential memory leak with a long chain of gen.coroutine or gen.engine functions.

What is new in version 3.0:

• The ``callback`` argument to many asynchronous methods is now optional, and these methods return a `.Future`. The `tornado.gen` module now understands ``Futures``, and these methods can be used directly without a `.gen.Task` wrapper.
• New function `.IOLoop.current` returns the `.IOLoop` that is running on the current thread (as opposed to `.IOLoop.instance`, which returns a specific thread's (usually the main thread's) IOLoop.
• New class `tornado.netutil.Resolver` provides an asynchronous interface to DNS resolution.
• New class `tornado.process.Subprocess` wraps `subprocess.Popen` with `.PipeIOStream` access to the child's file descriptors.
• `.IOLoop` now has a static `configure <.Configurable.configure>` method like the one on `.AsyncHTTPClient`, which can be used to select an `.IOLoop` implementation other than the default. * `.IOLoop` can now optionally use a monotonic clock if available.

What is new in version 2.4.1:

• Fixed a memory leak in tornado.stack_context that was especially likely with long-running @gen.engine functions.
• tornado.auth.TwitterMixin now works on Python 3.
• Fixed a bug in which IOStream.read_until_close with a streaming callback would sometimes pass the last chunk of data to the final callback instead of the streaming callback.

What is new in version 2.4:

• Fixed Python 3 bugs in tornado.auth, tornado.locale, and tornado.wsgi.
• OAuthMixin now accepts "oob" as a callback_uri.
• OpenIDMixin now also returns the claimed_id field for the user.
• tornado.platform.twisted shutdown sequence is now more compatible.
• The logging configuration used in tornado.options is now more tolerant of non-ascii byte strings.

What is new in version 2.3:

• `tornado.httpclient.HTTPClient` now supports the same constructor keyword arguments as `AsyncHTTPClient`.
• The ``max_clients`` keyword argument to `AsyncHTTPClient.configure` now works.
• `tornado.simple_httpclient` now supports the ``OPTIONS`` and ``PATCH`` HTTP methods.
• `tornado.simple_httpclient` is better about closing its sockets instead of leaving them for garbage collection.
• `tornado.simple_httpclient` correctly verifies SSL certificates for URLs containing IPv6 literals (This bug affected Python 2.5 and 2.6).
• `tornado.simple_httpclient` no longer includes basic auth credentials in the ``Host`` header when those credentials are extracted from the URL.
• `tornado.simple_httpclient` no longer modifies the caller-supplied header dictionary, which caused problems when following redirects.
• `tornado.curl_httpclient` now supports client SSL certificates (using the same ``client_cert`` and ``client_key`` arguments as `tornado.simple_httpclient`.

What is new in version 2.2.1:

• Security fixes:
• `tornado.web.RequestHandler.set_header` now properly sanitizes input values to protect against header injection, response splitting, etc. (it has always attempted to do this, but the check was incorrect). Note that redirects, the most likely source of such bugs, are protected by a separate check in `RequestHandler.redirect`.
• Bug fixes:
• Colored logging configuration in `tornado.options` is compatible with Python 3.2.3 (and 3.3).

What is new in version 2.2:

• Updated and expanded WebSocket support.
• Improved compatibility in the Twisted/Tornado bridge.
• Template errors now generate better stack traces.
• Better exception handling in `tornado.gen`.

What is new in version 2.1.1:

• Bug fixes:
• Fixed handling of closed connections with the ``epoll`` (i.e. Linux) ``IOLoop``. Previously, closed connections could be shut down too early, which most often manifested as "Stream is closed" exceptions in ``SimpleAsyncHTTPClient``.
• Fixed a case in which chunked responses could be closed prematurely, leading to truncated output.
• ``IOStream.connect`` now reports errors more consistently via logging and the close callback (this affects e.g. connections to localhost on FreeBSD).
• ``IOStream.read_bytes`` again accepts both ``int`` and ``long`` arguments.
• ``PeriodicCallback`` no longer runs repeatedly when ``IOLoop`` iterations complete faster than the resolution of ``time.time()`` (mainly a problem on Windows).

What is new in version 2.1.0:

• Diginotar has been removed from the default CA certificates file used by `SimpleAsyncHTTPClient`
• To facilitate some advanced multi-process scenarios, ``HTTPServer`` has a new method ``add_sockets``, and socket-opening code is available separately as `tornado.netutil.bind_sockets`.
• Support for secure cookies written by pre-1.0 releases of Tornado has been removed.
• Windows support has been improved.

What is new in version 2.0.0:

• Major changes:
• Template output is automatically escaped by default.
• The default AsyncHTTPClient implementation is now simple_httpclient.
• Python 3.2 is now supported.
• Backwards compatibility:
• Template autoescaping is enabled by default. Applications upgrading from a previous release of Tornado must either disable autoescaping or adapt their templates to work with it. For most applications, the simplest way to do this is to pass autoescape=None to the Application constructor.
• Applications that wish to continue using curl_httpclient instead of simple_httpclient may do so by calling AsyncHTTPClient.configure("tornado.curl_httpclient.CurlAsyncHTTPClient") at the beginning of the process. Users of Python 2.5 will probably want to use curl_httpclient as simple_httpclient only supports ssl on Python 2.6+.
• Python 3 compatibility involved many changes throughout the codebase, so users are encouraged to test their applications more thoroughly than usual when upgrading to this release.
• Other changes in version 4.1:
• Templates support several new directives: - {% autoescape ...%} to control escaping behavior - {% raw ... %} for unescaped output - {% module ... %} for calling UIModules * {% module Template(path, **kwargs) %} may now be used to call another template with an independent namespace.
• All IOStream callbacks are now run directly on the IOLoop via add_callback.
• HTTPServer now supports IPv6 where available. To disable, pass family=socket.AF_INET to HTTPServer.bind().
• HTTPClient now supports IPv6, configurable via allow_ipv6=bool on the HTTPRequest. allow_ipv6 defaults to false on simple_httpclient and true on curl_httpclient.
• RequestHandlers can use an encoding other than utf-8 for query parameters by overriding decode_argument().
• Performance improvements, especially for applications that use a lot of IOLoop timeouts.
• HTTP OPTIONS method no longer requires an XSRF token.
• JSON output (RequestHandler.write(dict)) now sets Content-Type to application/json.
• Etag computation can now be customized or disabled by overriding RequestHandler.compute_etag.
• USE_SIMPLE_HTTPCLIENT environment variable is no longer supported. Use AsyncHTTPClient.configure instead.

What is new in version 1.2.1:

• This release contains only two small changes relative to version 1.2:
• FacebookGraphMixin has been updated to work with a recent change to the Facebook API.
• Running "setup.py install" will no longer attempt to automatically install pycurl. This wasn't working well on platforms where the best way to install pycurl is via something like apt-get instead of easy_install. This is an important upgrade if you are using FacebookGraphMixin, but otherwise it can be safely ignored.

What is new in version 1.2.0:

• This release includes the backwards-incompatible security change from version 1.1.1.
• To transparently replace tornado.httpclient.AsyncHTTPClient with this new implementation, you can set the environment variable USE_SIMPLE_HTTPCLIENT=1
• Request logging is now done by the Application rather than the RequestHandler. Logging behavior may be customized by either overriding Application.log_request in a subclass or by passing log_function as an Application setting.

What is new in version 1.1.1:

• Tornado 1.1.1 is a BACKWARDS-INCOMPATIBLE security update that fixes an XSRF vulnerability.

What is new in version 1.1:

• Changes:
• RequestHandler.async_callback and related functions in other classes are no longer needed in most cases (although it's harmless to continue
• using them). Uncaught exceptions will now cause the request to be closed even in a callback. If you're curious how this works, see the new tornado.stack_context module.
• The new tornado.testing module contains support for unit testing asynchronous IOLoop-based code.
• AsyncHTTPClient has been rewritten (the new implementation was available as AsyncHTTPClient2 in Tornado 1.0; both names are supported for backwards
• compatibility).
• The tornado.auth module has had a number of updates, including support for OAuth 2.0 and the Facebook Graph API, and upgrading Twitter and Google support to OAuth 1.0a.
• The websocket module is back and supports the latest version (76) of the websocket protocol. Note that this module's interface is different from the websocket module that appeared in pre-1.0 versions of Tornado.
• New method RequestHandler.initialize() can be overridden in subclasses to simplify handling arguments from URLSpecs. The sequence of methods called during initialization is documented at http://tornadoweb.org/documentation#overriding-requesthandler-methods
• get_argument() and related methods now work on PUT requests in addition to POST.
• The httpclient module now supports HTTP proxies.
• When HTTPServer is run in SSL mode, the SSL handshake is now non-blocking.
• Many smaller bug fixes and documentation updates
• Backwards-compatibility notes:
• While most users of Tornado should not have to deal with the stack_context module directly, users of worker thread pools and similar constructs may need to use stack_context.wrap and/or NullContext to avoid memory leaks.
• The new AsyncHTTPClient still works with libcurl version 7.16.x, but it performs better when both libcurl and pycurl are at least version 7.18.2.
• OAuth transactions started under previous versions of the auth module cannot be completed under the new module. This applies only to the initial authorization process; once an authorized token is issued that token works with either version.

Requirements:

• Python 2.6 or higher