- Update to 6.5.4

* The in operator for HTTPHeaders was incorrectly case-sensitive, causing
    lookups to fail for headers with different casing than the original header
    name. This was a regression in version 6.5.3 and has been fixed to restore
    the intended case-insensitive behavior from version 6.5.2 and earlier.
- Update to 6.5.3 (bsc#1254903, bsc#1254905, bsc#1254904)
  * Fixed a denial-of-service vulnerability involving quadratic computation
    when parsing multipart/form-data request bodies. CVE-2025-67726
    Thanks to Finder16 for reporting this issue.
  * Fixed a denial-of-service vulnerability involving quadratic computation when
    parsing repeated HTTP headers. CVE-2025-67725.
    Thanks to Finder16 for reporting this issue.
  * Fixed a header injection and XSS vulnerability involving the reason argument
    to .RequestHandler.set_status and tornado.web.HTTPError. CVE-2025-67724.
    Thanks to Finder16 and Cheshire1225 for reporting this issue.
  * Several demo applications bundled with the Tornado repo (blog, chat,
    facebook) had an open redirect vulnerability which has been fixed. This is
    not covered by a CVE or security advisory since the demo applications are
    not included as a part of the Tornado package when installed, but developers
    who have copied code from these demos may which to review their own
    applications for open redirects.
    Thanks to J1vvoo for reporting this issue.
  * he s3server demo application contained some path traversal vulnerabilities.
    Since this demo application was not demonstrating any interesting aspects of
    Tornado, it has been deleted rather than being fixed.
    Thanks to J1vvoo for reporting this issue.
- Update to 6.5.2
  * Fixed a bug that resulted in WebSocket pings not being sent at the
    configured interval.
  * Improved logging for invalid Host headers. This was previously logged as an
    uncaught exception with a stack trace, now it is simply a 400 response
    (logged as a warning in the access log).
  * Restored the host argument to .HTTPServerRequest. This argument is
    deprecated and will be removed in the future, but its removal with no
    warning in 6.5.0 was a mistake.
  * Removed a debugging print statement that was left in the code.
  * Improved type hints for gen.multi.
- Update to 6.5.1
  * Fixed a bug in multipart/form-data parsing that could incorrectly reject
    filenames containing characters above U+00FF (i.e. most characters outside
    the Latin alphabet).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-tornado6?expand=0&rev=48

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

ignore-resourcewarning-doctests.patch

@@ -0,0 +1,37 @@
+Index: tornado-6.0.4/tornado/util.py
+===================================================================
+--- tornado-6.0.4.orig/tornado/util.py	2020-03-11 11:42:49.610254636 +0100
++++ tornado-6.0.4/tornado/util.py	2020-03-11 11:43:51.470603323 +0100
+@@ -468,5 +468,7 @@ else:
+ def doctests():
+     # type: () -> unittest.TestSuite
+     import doctest
++    import warnings
++    warnings.simplefilter("ignore", ResourceWarning)
+ 
+     return doctest.DocTestSuite()
+Index: tornado-6.0.4/tornado/httputil.py
+===================================================================
+--- tornado-6.0.4.orig/tornado/httputil.py	2020-03-11 11:42:49.610254636 +0100
++++ tornado-6.0.4/tornado/httputil.py	2020-03-11 11:44:46.178911693 +0100
+@@ -1032,6 +1032,8 @@ def encode_username_password(
+ def doctests():
+     # type: () -> unittest.TestSuite
+     import doctest
++    import warnings
++    warnings.simplefilter("ignore", ResourceWarning)
+ 
+     return doctest.DocTestSuite()
+ 
+Index: tornado-6.0.4/tornado/iostream.py
+===================================================================
+--- tornado-6.0.4.orig/tornado/iostream.py	2020-03-11 11:42:49.610254636 +0100
++++ tornado-6.0.4/tornado/iostream.py	2020-03-11 11:45:31.015164413 +0100
+@@ -1677,5 +1677,7 @@ class PipeIOStream(BaseIOStream):
+ 
+ def doctests() -> Any:
+     import doctest
++    import warnings
++    warnings.simplefilter("ignore", ResourceWarning)
+ 
+     return doctest.DocTestSuite()

python-tornado6-rpmlintrc

@@ -0,0 +1,2 @@
+# keep the empty javascript resource for the demo
+addFilter("zero-length .*demos/facebook/static/facebook.js")

python-tornado6.spec

@@ -0,0 +1,108 @@
+#
+# spec file for package python-tornado6
+#
+# Copyright (c) 2025 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%{?sle15_python_module_pythons}
+Name:           python-tornado6
+Version:        6.5.4
+Release:        0
+Summary:        Open source version of scalable, non-blocking web server that power FriendFeed
+License:        Apache-2.0
+URL:            https://www.tornadoweb.org
+Source:         https://files.pythonhosted.org/packages/source/t/tornado/tornado-%{version}.tar.gz
+Source99:       python-tornado6-rpmlintrc
+# PATCH-FIX-OPENSUSE ignore-resourcewarning-doctests.patch -- ignore resource warnings on OBS
+Patch0:         ignore-resourcewarning-doctests.patch
+BuildRequires:  %{python_module base >= 3.8}
+BuildRequires:  %{python_module devel}
+BuildRequires:  %{python_module pip}
+BuildRequires:  %{python_module pycares}
+BuildRequires:  %{python_module pycurl}
+BuildRequires:  %{python_module setuptools}
+BuildRequires:  %{python_module wheel}
+BuildRequires:  fdupes
+BuildRequires:  python-rpm-macros
+Requires:       python
+Recommends:     python-Twisted
+Recommends:     python-pycares
+Recommends:     python-pycurl
+Recommends:     python-service_identity
+Conflicts:      python-tornado-impl
+Provides:       python-tornado = %{version}
+Provides:       python-tornado-impl = %{version}
+Provides:       python-toro = %{version}
+Obsoletes:      python-toro < %{version}
+%python_subpackages
+
+%description
+Tornado is an open source version of the scalable, non-blocking web server and
+tools that power FriendFeed. The FriendFeed application is written using a web
+framework that looks a bit like web.py or Google's webapp, but with additional
+tools and optimizations to take advantage of the underlying non-blocking
+infrastructure.
+
+The framework is distinct from most mainstream web server frameworks (and
+certainly most Python frameworks) because it is non-blocking and reasonably
+fast. Because it is non-blocking and uses epoll, it can handle thousands of
+simultaneous standing connections, which means it is ideal for real-time web
+services. We built the web server specifically to handle FriendFeed's real-time
+features — every active user of FriendFeed maintains an open connection to the
+FriendFeed servers. (For more information on scaling servers to support
+thousands of clients, see The C10K problem.)
+
+%prep
+%autosetup -p1 -n tornado-%{version}
+# Fix non-executable script rpmlint issue:
+find tornado -name "*.py" -exec sed -i "/#\!\/usr\/bin\/.*/d" {} \;
+
+%pre
+# remove egg-info _file_, being replaced by an egg-info directory
+if [ -f %{python_sitearch}/tornado-%{version}-py%{python_version}.egg-info ]; then
+    rm %{python_sitearch}/tornado-%{version}-py%{python_version}.egg-info
+fi
+
+%build
+%pyproject_wheel
+
+%install
+%pyproject_install
+%{python_expand #
+# do not install tests
+rm -r %{buildroot}%{$python_sitearch}/tornado/test
+# deduplicate files in python platlibdir
+%fdupes %{buildroot}%{$python_sitearch}
+# install demos into docdir and deduplicate
+pdocdir=%{buildroot}%{_docdir}/$python-tornado6
+mkdir -p ${pdocdir}
+find ${pdocdir} -name "*.py" -exec sed -i "1{s|^#!.*$|%{_bindir}/$python|}" {} \;
+find ${pdocdir} -type f -exec chmod a-x {} \;
+%fdupes ${pdocdir}
+}
+
+%check
+export ASYNC_TEST_TIMEOUT=30
+export PYTHONDONTWRITEBYTECODE=1
+export TRAVIS=1
+%python_exec -m tornado.test.runtests --verbose
+
+%files %{python_files}
+%license LICENSE
+%doc %{_docdir}/%{python_prefix}-tornado6
+%{python_sitearch}/tornado
+%{python_sitearch}/tornado-%{version}.dist-info
+
+%changelog

tornado-6.5.4.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a22fa9047405d03260b483980635f0b041989d8bcc9a313f8fe18b411d84b1d7
+size 513632