- Add security patches:

* CVE-2025-67724.patch (bsc#1254903)
  * CVE-2025-67725.patch (bsc#1254905)
  * CVE-2025-67726.patch (bsc#1254904)

CVE-2025-67724.patch

@@ -0,0 +1,113 @@
+From 9c163aebeaad9e6e7d28bac1f33580eb00b0e421 Mon Sep 17 00:00:00 2001
+From: Ben Darnell <ben@bendarnell.com>
+Date: Wed, 10 Dec 2025 15:15:25 -0500
+Subject: [PATCH] web: Harden against invalid HTTP reason phrases
+
+We allow applications to set custom reason phrases for the HTTP status
+line (to support custom status codes), but if this were exposed to
+untrusted data it could be exploited in various ways. This commit
+guards against invalid reason phrases in both HTTP headers and in
+error pages.
+---
+ tornado/test/web_test.py | 15 ++++++++++++++-
+ tornado/web.py           | 25 +++++++++++++++++++------
+ 2 files changed, 33 insertions(+), 7 deletions(-)
+
+Index: tornado-6.5/tornado/test/web_test.py
+===================================================================
+--- tornado-6.5.orig/tornado/test/web_test.py
++++ tornado-6.5/tornado/test/web_test.py
+@@ -1746,7 +1746,7 @@ class StatusReasonTest(SimpleHandlerTest
+     class Handler(RequestHandler):
+         def get(self):
+             reason = self.request.arguments.get("reason", [])
+-            self.set_status(
++            raise HTTPError(
+                 int(self.get_argument("code")),
+                 reason=to_unicode(reason[0]) if reason else None,
+             )
+@@ -1769,6 +1769,19 @@ class StatusReasonTest(SimpleHandlerTest
+         self.assertEqual(response.code, 682)
+         self.assertEqual(response.reason, "Unknown")
+ 
++    def test_header_injection(self):
++        response = self.fetch("/?code=200&reason=OK%0D%0AX-Injection:injected")
++        self.assertEqual(response.code, 200)
++        self.assertEqual(response.reason, "Unknown")
++        self.assertNotIn("X-Injection", response.headers)
++
++    def test_reason_xss(self):
++        response = self.fetch("/?code=400&reason=<script>alert(1)</script>")
++        self.assertEqual(response.code, 400)
++        self.assertEqual(response.reason, "Unknown")
++        self.assertNotIn(b"script", response.body)
++        self.assertIn(b"Unknown", response.body)
++
+ 
+ class DateHeaderTest(SimpleHandlerTestCase):
+     class Handler(RequestHandler):
+Index: tornado-6.5/tornado/web.py
+===================================================================
+--- tornado-6.5.orig/tornado/web.py
++++ tornado-6.5/tornado/web.py
+@@ -359,8 +359,10 @@ class RequestHandler:
+ 
+         :arg int status_code: Response status code.
+         :arg str reason: Human-readable reason phrase describing the status
+-            code. If ``None``, it will be filled in from
+-            `http.client.responses` or "Unknown".
++            code (for example, the "Not Found" in ``HTTP/1.1 404 Not Found``).
++            Normally determined automatically from `http.client.responses`; this
++            argument should only be used if you need to use a non-standard
++            status code.
+ 
+         .. versionchanged:: 5.0
+ 
+@@ -369,6 +371,14 @@ class RequestHandler:
+         """
+         self._status_code = status_code
+         if reason is not None:
++            if "<" in reason or not httputil._ABNF.reason_phrase.fullmatch(reason):
++                # Logically this would be better as an exception, but this method
++                # is called on error-handling paths that would need some refactoring
++                # to tolerate internal errors cleanly.
++                #
++                # The check for "<" is a defense-in-depth against XSS attacks (we also
++                # escape the reason when rendering error pages).
++                reason = "Unknown"
+             self._reason = escape.native_str(reason)
+         else:
+             self._reason = httputil.responses.get(status_code, "Unknown")
+@@ -1345,7 +1355,8 @@ class RequestHandler:
+                 reason = exception.reason
+         self.set_status(status_code, reason=reason)
+         try:
+-            self.write_error(status_code, **kwargs)
++            if status_code != 304:
++                self.write_error(status_code, **kwargs)
+         except Exception:
+             app_log.error("Uncaught exception in write_error", exc_info=True)
+         if not self._finished:
+@@ -1373,7 +1384,7 @@ class RequestHandler:
+             self.finish(
+                 "<html><title>%(code)d: %(message)s</title>"
+                 "<body>%(code)d: %(message)s</body></html>"
+-                % {"code": status_code, "message": self._reason}
++                % {"code": status_code, "message": escape.xhtml_escape(self._reason)}
+             )
+ 
+     @property
+@@ -2520,9 +2531,11 @@ class HTTPError(Exception):
+         mode).  May contain ``%s``-style placeholders, which will be filled
+         in with remaining positional parameters.
+     :arg str reason: Keyword-only argument.  The HTTP "reason" phrase
+-        to pass in the status line along with ``status_code``.  Normally
++        to pass in the status line along with ``status_code`` (for example,
++        the "Not Found" in ``HTTP/1.1 404 Not Found``).  Normally
+         determined automatically from ``status_code``, but can be used
+-        to use a non-standard numeric code.
++        to use a non-standard numeric code. This is not a general-purpose
++        error message.
+     """
+ 
+     def __init__(

CVE-2025-67725.patch

@@ -0,0 +1,124 @@
+From 68e81b4a3385161877408a7a49c7ed12b45a614d Mon Sep 17 00:00:00 2001
+From: Ben Darnell <ben@bendarnell.com>
+Date: Tue, 9 Dec 2025 13:27:27 -0500
+Subject: [PATCH] httputil: Fix quadratic performance of repeated header lines
+
+Previouisly, when many header lines with the same name were found
+in an HTTP request or response, repeated string concatenation would
+result in quadratic performance. This change does the concatenation
+lazily (with a cache) so that repeated headers can be processed
+efficiently.
+
+Security: The previous behavior allowed a denial of service attack
+via a maliciously crafted HTTP message, but only if the
+max_header_size was increased from its default of 64kB.
+---
+ tornado/httputil.py           | 36 ++++++++++++++++++++++++-----------
+ tornado/test/httputil_test.py | 15 +++++++++++++++
+ 2 files changed, 40 insertions(+), 11 deletions(-)
+
+Index: tornado-6.5/tornado/httputil.py
+===================================================================
+--- tornado-6.5.orig/tornado/httputil.py
++++ tornado-6.5/tornado/httputil.py
+@@ -183,8 +183,14 @@ class HTTPHeaders(StrMutableMapping):
+         pass
+ 
+     def __init__(self, *args: typing.Any, **kwargs: str) -> None:  # noqa: F811
+-        self._dict = {}  # type: typing.Dict[str, str]
+-        self._as_list = {}  # type: typing.Dict[str, typing.List[str]]
++        # Formally, HTTP headers are a mapping from a field name to a "combined field value",
++        # which may be constructed from multiple field lines by joining them with commas.
++        # In practice, however, some headers (notably Set-Cookie) do not follow this convention,
++        # so we maintain a mapping from field name to a list of field lines in self._as_list.
++        # self._combined_cache is a cache of the combined field values derived from self._as_list
++        # on demand (and cleared whenever the list is modified).
++        self._as_list: dict[str, list[str]] = {}
++        self._combined_cache: dict[str, str] = {}
+         self._last_key = None  # type: Optional[str]
+         if len(args) == 1 and len(kwargs) == 0 and isinstance(args[0], HTTPHeaders):
+             # Copy constructor
+@@ -207,9 +213,7 @@ class HTTPHeaders(StrMutableMapping):
+         norm_name = _normalize_header(name)
+         self._last_key = norm_name
+         if norm_name in self:
+-            self._dict[norm_name] = (
+-                native_str(self[norm_name]) + "," + native_str(value)
+-            )
++            self._combined_cache.pop(norm_name, None)
+             self._as_list[norm_name].append(value)
+         else:
+             self[norm_name] = value
+@@ -266,7 +270,7 @@ class HTTPHeaders(StrMutableMapping):
+             if not _ABNF.field_value.fullmatch(new_part[1:]):
+                 raise HTTPInputError("Invalid header continuation %r" % new_part)
+             self._as_list[self._last_key][-1] += new_part
+-            self._dict[self._last_key] += new_part
++            self._combined_cache.pop(self._last_key, None)
+         else:
+             try:
+                 name, value = line.split(":", 1)
+@@ -305,22 +309,32 @@ class HTTPHeaders(StrMutableMapping):
+ 
+     def __setitem__(self, name: str, value: str) -> None:
+         norm_name = _normalize_header(name)
+-        self._dict[norm_name] = value
++        self._combined_cache[norm_name] = value
+         self._as_list[norm_name] = [value]
+ 
++    def __contains__(self, name: object) -> bool:
++        # This is an important optimization to avoid the expensive concatenation
++        # in __getitem__ when it's not needed.
++        if not isinstance(name, str):
++            return False
++        return name in self._as_list
++
+     def __getitem__(self, name: str) -> str:
+-        return self._dict[_normalize_header(name)]
++        header = _normalize_header(name)
++        if header not in self._combined_cache:
++            self._combined_cache[header] = ",".join(self._as_list[header])
++        return self._combined_cache[header]
+ 
+     def __delitem__(self, name: str) -> None:
+         norm_name = _normalize_header(name)
+-        del self._dict[norm_name]
++        del self._combined_cache[norm_name]
+         del self._as_list[norm_name]
+ 
+     def __len__(self) -> int:
+-        return len(self._dict)
++        return len(self._as_list)
+ 
+     def __iter__(self) -> Iterator[typing.Any]:
+-        return iter(self._dict)
++        return iter(self._as_list)
+ 
+     def copy(self) -> "HTTPHeaders":
+         # defined in dict but not in MutableMapping.
+Index: tornado-6.5/tornado/test/httputil_test.py
+===================================================================
+--- tornado-6.5.orig/tornado/test/httputil_test.py
++++ tornado-6.5/tornado/test/httputil_test.py
+@@ -534,6 +534,21 @@ class ParseRequestStartLineTest(unittest
+         self.assertEqual(parsed_start_line.path, self.PATH)
+         self.assertEqual(parsed_start_line.version, self.VERSION)
+ 
++    def test_linear_performance(self):
++        def f(n):
++            start = time.time()
++            headers = HTTPHeaders()
++            for i in range(n):
++                headers.add("X-Foo", "bar")
++            return time.time() - start
++
++        # This runs under 50ms on my laptop as of 2025-12-09.
++        d1 = f(10_000)
++        d2 = f(100_000)
++        if d2 / d1 > 20:
++            # d2 should be about 10x d1 but allow a wide margin for variability.
++            self.fail(f"HTTPHeaders.add() does not scale linearly: {d1=} vs {d2=}")
++
+ 
+ class ParseCookieTest(unittest.TestCase):
+     # These tests copied from Django:

CVE-2025-67726.patch

@@ -0,0 +1,94 @@
+From 771472cfdaeebc0d89a9cc46e249f8891a6b29cd Mon Sep 17 00:00:00 2001
+From: Ben Darnell <ben@bendarnell.com>
+Date: Wed, 10 Dec 2025 10:55:02 -0500
+Subject: [PATCH] httputil: Fix quadratic behavior in _parseparam
+
+Prior to this change, _parseparam had O(n^2) behavior when parsing
+certain inputs, which could be a DoS vector. This change adapts
+logic from the equivalent function in the python standard library
+in https://github.com/python/cpython/pull/136072/files
+---
+ tornado/httputil.py           | 29 ++++++++++++++++++++++-------
+ tornado/test/httputil_test.py | 23 +++++++++++++++++++++++
+ 2 files changed, 45 insertions(+), 7 deletions(-)
+
+Index: tornado-6.5/tornado/httputil.py
+===================================================================
+--- tornado-6.5.orig/tornado/httputil.py
++++ tornado-6.5/tornado/httputil.py
+@@ -1062,19 +1062,34 @@ def parse_response_start_line(line: str)
+ # It has also been modified to support valueless parameters as seen in
+ # websocket extension negotiations, and to support non-ascii values in
+ # RFC 2231/5987 format.
++#
++# _parseparam has been further modified with the logic from
++# https://github.com/python/cpython/pull/136072/files
++# to avoid quadratic behavior when parsing semicolons in quoted strings.
++#
++# TODO: See if we can switch to email.message.Message for this functionality.
++# This is the suggested replacement for the cgi.py module now that cgi has
++# been removed from recent versions of Python.  We need to verify that
++# the email module is consistent with our existing behavior (and all relevant
++# RFCs for multipart/form-data) before making this change.
+ 
+ 
+ def _parseparam(s: str) -> Generator[str, None, None]:
+-    while s[:1] == ";":
+-        s = s[1:]
+-        end = s.find(";")
+-        while end > 0 and (s.count('"', 0, end) - s.count('\\"', 0, end)) % 2:
+-            end = s.find(";", end + 1)
++    start = 0
++    while s.find(";", start) == start:
++        start += 1
++        end = s.find(";", start)
++        ind, diff = start, 0
++        while end > 0:
++            diff += s.count('"', ind, end) - s.count('\\"', ind, end)
++            if diff % 2 == 0:
++                break
++            end, ind = ind, s.find(";", end + 1)
+         if end < 0:
+             end = len(s)
+-        f = s[:end]
++        f = s[start:end]
+         yield f.strip()
+-        s = s[end:]
++        start = end
+ 
+ 
+ def _parse_header(line: str) -> Tuple[str, Dict[str, str]]:
+Index: tornado-6.5/tornado/test/httputil_test.py
+===================================================================
+--- tornado-6.5.orig/tornado/test/httputil_test.py
++++ tornado-6.5/tornado/test/httputil_test.py
+@@ -262,6 +262,29 @@ Foo
+         self.assertEqual(file["filename"], "ab.txt")
+         self.assertEqual(file["body"], b"Foo")
+ 
++    def test_disposition_param_linear_performance(self):
++        # This is a regression test for performance of parsing parameters
++        # to the content-disposition header, specifically for semicolons within
++        # quoted strings.
++        def f(n):
++            start = time.time()
++            message = (
++                b"--1234\r\nContent-Disposition: form-data; "
++                + b'x="'
++                + b";" * n
++                + b'"; '
++                + b'name="files"; filename="a.txt"\r\n\r\nFoo\r\n--1234--\r\n'
++            )
++            args: dict[str, list[bytes]] = {}
++            files: dict[str, list[HTTPFile]] = {}
++            parse_multipart_form_data(b"1234", message, args, files)
++            return time.time() - start
++
++        d1 = f(1_000)
++        d2 = f(10_000)
++        if d2 / d1 > 20:
++            self.fail(f"Disposition param parsing is not linear: {d1=} vs {d2=}")
++
+ 
+ class HTTPHeadersTest(unittest.TestCase):
+     def test_multi_line(self):

ignore-resourcewarning-doctests.patch

@@ -1,8 +1,8 @@
-Index: tornado-6.0.4/tornado/util.py
+Index: tornado-6.5/tornado/util.py
 ===================================================================
---- tornado-6.0.4.orig/tornado/util.py	2020-03-11 11:42:49.610254636 +0100
-+++ tornado-6.0.4/tornado/util.py	2020-03-11 11:43:51.470603323 +0100
-@@ -468,5 +468,7 @@ else:
+--- tornado-6.5.orig/tornado/util.py
++++ tornado-6.5/tornado/util.py
+@@ -441,5 +441,7 @@ else:
  def doctests():
      # type: () -> unittest.TestSuite
      import doctest
@@ -10,11 +10,11 @@ Index: tornado-6.0.4/tornado/util.py
 +    warnings.simplefilter("ignore", ResourceWarning)
  
      return doctest.DocTestSuite()
-Index: tornado-6.0.4/tornado/httputil.py
+Index: tornado-6.5/tornado/httputil.py
 ===================================================================
---- tornado-6.0.4.orig/tornado/httputil.py	2020-03-11 11:42:49.610254636 +0100
-+++ tornado-6.0.4/tornado/httputil.py	2020-03-11 11:44:46.178911693 +0100
-@@ -1032,6 +1032,8 @@ def encode_username_password(
+--- tornado-6.5.orig/tornado/httputil.py
++++ tornado-6.5/tornado/httputil.py
+@@ -1137,6 +1137,8 @@ def encode_username_password(
  def doctests():
      # type: () -> unittest.TestSuite
      import doctest
@@ -23,11 +23,11 @@ Index: tornado-6.0.4/tornado/httputil.py
  
      return doctest.DocTestSuite()
  
-Index: tornado-6.0.4/tornado/iostream.py
+Index: tornado-6.5/tornado/iostream.py
 ===================================================================
---- tornado-6.0.4.orig/tornado/iostream.py	2020-03-11 11:42:49.610254636 +0100
-+++ tornado-6.0.4/tornado/iostream.py	2020-03-11 11:45:31.015164413 +0100
-@@ -1677,5 +1677,7 @@ class PipeIOStream(BaseIOStream):
+--- tornado-6.5.orig/tornado/iostream.py
++++ tornado-6.5/tornado/iostream.py
+@@ -1613,5 +1613,7 @@ class PipeIOStream(BaseIOStream):
  
  def doctests() -> Any:
      import doctest

openssl-3.2.patch

@@ -1,13 +0,0 @@
-Index: tornado-6.4/tornado/iostream.py
-===================================================================
---- tornado-6.4.orig/tornado/iostream.py
-+++ tornado-6.4/tornado/iostream.py
-@@ -1374,7 +1374,7 @@ class SSLIOStream(IOStream):
-                 return
-             elif err.args[0] in (ssl.SSL_ERROR_EOF, ssl.SSL_ERROR_ZERO_RETURN):
-                 return self.close(exc_info=err)
--            elif err.args[0] == ssl.SSL_ERROR_SSL:
-+            elif err.args[0] in (ssl.SSL_ERROR_SSL, ssl.SSL_ERROR_SYSCALL):
-                 try:
-                     peer = self.socket.getpeername()
-                 except Exception:

python-tornado6.changes

@@ -1,3 +1,82 @@
+-------------------------------------------------------------------
+Mon Dec 15 15:35:32 UTC 2025 - Nico Krapp <nico.krapp@suse.com>
+
+- Add security patches:
+  * CVE-2025-67724.patch (bsc#1254903)
+  * CVE-2025-67725.patch (bsc#1254905)
+  * CVE-2025-67726.patch (bsc#1254904)
+
+-------------------------------------------------------------------
+Fri May 16 09:23:08 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Update to 6.5.0 (CVE-2025-47287, bsc#1243268):
+  * Security Improvements:
+    - Previously, malformed multipart-form-data requests could log
+      multiple warnings and constitute a denial-of-service attack. Now
+      an exception is raised at the first error, so there is only one
+      log message per request. This fixes CVE-2025-47287.
+  * General Changes:
+    - Python 3.14 is now supported. Older versions of Tornado will
+      work on Python 3.14 but may log deprecation warnings.
+    - The free-threading mode of Python 3.13 is now supported on an
+      experimental basis. Prebuilt wheels are not yet available for
+      this configuration, but it can be built from source.
+    - The minimum supported Python version is 3.9.
+  * Deprecation Notices:
+    - Support for obs-fold continuation lines in HTTP headers is
+      deprecated and will be removed in Tornado 7.0, as is the use of
+      carriage returns without line feeds as header separators.
+    - The callback argument to websocket_connect is deprecated and
+      will be removed in Tornado 7.0. Note that on_message_callback is
+      not deprecated.
+    - The log_message and args attributes of tornado.web.HTTPError are
+      deprecated. Use the new get_message method instead.
+
+-------------------------------------------------------------------
+Mon Nov 25 03:19:20 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Update to 6.4.2: 
+  + Security Improvements:
+    * Parsing of the cookie header is now much more efficient. The older
+      algorithm sometimes had quadratic performance which allowed for a
+      denial-of-service attack in which the server would spend excessive
+      CPU time parsing cookies and block the event loop.
+      (CVE-2024-52804, bsc#1233668)
+
+-------------------------------------------------------------------
+Wed Jul 31 09:32:23 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Update to version 6.4.1:
+  + Security Improvements:
+    - Parsing of the ``Transfer-Encoding`` header is now stricter.
+      Unexpected transfer-encoding values were previously ignored
+      and treated as the HTTP/1.0 default of read-until-close. This
+      can lead to framing issues with certain proxies. We now treat
+      any unexpected value as an error.
+    - Handling of whitespace in headers now matches the RFC more
+      closely. Only space and tab characters are treated as
+      whitespace and stripped from the beginning and end of header
+      values. Other unicode whitespace characters are now left
+      alone. This could also lead to framing issues with certain
+      proxies.
+    - `tornado.curl_httpclient` now prohibits carriage return and
+      linefeed headers in HTTP headers (matching the behavior of
+      `simple_httpclient`). These characters could be used for
+      header injection or request smuggling if untrusted data were
+      used in headers.
+  + General Changes:
+    - `tornado.iostream`: `SLIOStream` now understands changes to
+      error codes from OpenSSL 3.2. The main result of this change
+      is to reduce the noise in the logs for certain errors.
+    - `tornado.simple_httpclient`: `simple_httpclient` now
+      prohibits carriage return characters in HTTP headers. It had
+      previously prohibited only linefeed characters.
+    - `tornado.testing`: `.AsyncTestCase` subclasses can now be
+      instantiated without being associated with a test method.
+      Improves compatibility with test discovery in Pytest 8.2.
+- Drop  support-pytest-8.2.patch: fixed upstream.
+- Drop openssl-3.2.patch: fixed upstream.
+
 -------------------------------------------------------------------
 Fri May 17 03:37:07 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
 

python-tornado6.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-tornado6
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,9 +17,8 @@
 
 
 %{?sle15_python_module_pythons}
-%define         skip_python2 1
 Name:           python-tornado6
-Version:        6.4
+Version:        6.5
 Release:        0
 Summary:        Open source version of scalable, non-blocking web server that power FriendFeed
 License:        Apache-2.0
@@ -28,10 +27,12 @@ Source:         https://files.pythonhosted.org/packages/source/t/tornado/tornado
 Source99:       python-tornado6-rpmlintrc
 # PATCH-FIX-OPENSUSE ignore-resourcewarning-doctests.patch -- ignore resource warnings on OBS
 Patch0:         ignore-resourcewarning-doctests.patch
-# PATCH-FIX-OPENSUSE openssl-3.2.patch gh#tornadoweb/tornado#3355
-Patch1:         openssl-3.2.patch
-# PATCH-FIX-UPSTREAM gh#tornadoweb/tornado#3374
-Patch2:         support-pytest-8.2.patch
+# PATCH-FIX-UPSTREAM CVE-2025-67724.patch bsc#1254903
+Patch1:         CVE-2025-67724.patch
+# PATCH-FIX-UPSTREAM CVE-2025-67725.patch bsc#1254905
+Patch2:         CVE-2025-67725.patch
+# PATCH-FIX-UPSTREAM CVE-2025-67726.patch bsc#1254904
+Patch3:         CVE-2025-67726.patch
 BuildRequires:  %{python_module base >= 3.8}
 BuildRequires:  %{python_module devel}
 BuildRequires:  %{python_module pip}
@@ -108,6 +109,6 @@ export TRAVIS=1
 %license LICENSE
 %doc %{_docdir}/%{python_prefix}-tornado6
 %{python_sitearch}/tornado
-%{python_sitearch}/tornado-%{version}*-info
+%{python_sitearch}/tornado-%{version}.dist-info
 
 %changelog

support-pytest-8.2.patch

@@ -1,66 +0,0 @@
-From c851aa8a949524b35f72c82b45a52353aa3c0558 Mon Sep 17 00:00:00 2001
-From: Ran Benita <ran@unusedvar.com>
-Date: Sun, 28 Apr 2024 14:17:54 +0300
-Subject: [PATCH] testing: allow to instantiate an empty AsyncTestCase
-
-`unittest.TestCase` has a feature where it allows instantiating
-`MyTestClass()` with the default method name `runTest` even if a
-`runTest` method doesn't actually exist. This is documented in
-`TestCase`'s docs under "Changed in version 3.2"[0].
-
-Since version 8.2, pytest relies on this, and started breaking on
-Tornado's `AsyncTestCase`[1].
-
-Change `AsyncTestCase` to allow empty instatiation, by matching the
-upstream code.
-
-[0] https://docs.python.org/3/library/unittest.html#unittest.TestCase
-[1] https://github.com/pytest-dev/pytest/issues/12263
----
- tornado/test/testing_test.py |  9 +++++++++
- tornado/testing.py           | 12 +++++++++++-
- 2 files changed, 20 insertions(+), 1 deletion(-)
-
-diff --git a/tornado/test/testing_test.py b/tornado/test/testing_test.py
-index 0429feee83..8e2b8db428 100644
---- a/tornado/test/testing_test.py
-+++ b/tornado/test/testing_test.py
-@@ -61,6 +61,15 @@ def test_subsequent_wait_calls(self):
-         self.io_loop.add_timeout(self.io_loop.time() + 0.2, self.stop)
-         self.wait(timeout=0.4)
- 
-+    def test_empty_instantation_is_allowed(self):
-+        """
-+        Test that empty instatiation of an AsyncTestCase is allowed.
-+
-+        unittest.TestCase docs guarantee this working, and pytest's unittest
-+        support relies on it.
-+        """
-+        AsyncTestCaseTest()
-+
- 
- class LeakTest(AsyncTestCase):
-     def tearDown(self):
-diff --git a/tornado/testing.py b/tornado/testing.py
-index bdbff87bc3..9455411a6d 100644
---- a/tornado/testing.py
-+++ b/tornado/testing.py
-@@ -177,7 +177,17 @@ def __init__(self, methodName: str = "runTest") -> None:
-         # the test will silently be ignored because nothing will consume
-         # the generator.  Replace the test method with a wrapper that will
-         # make sure it's not an undecorated generator.
--        setattr(self, methodName, _TestMethodWrapper(getattr(self, methodName)))
-+        try:
-+            test_method = getattr(self, methodName)
-+        except AttributeError:
-+            if methodName != "runTest":
-+                # We allow instantiation with no explicit method name
-+                # but not an *incorrect* or missing method name.
-+                raise ValueError(
-+                    "no such test method in %s: %s" % (self.__class__, methodName)
-+                )
-+        else:
-+            setattr(self, methodName, _TestMethodWrapper(test_method))
- 
-         # Not used in this class itself, but used by @gen_test
-         self._test_generator = None  # type: Optional[Union[Generator, Coroutine]]