Version 6.3.3

The github security advisory feature lets you make private PRs but
it apparently doesn't support CI so this log failure wasn't caught
until after the PR was merged.

Content-length and chunk size parsing now strictly matches the RFCs.
We previously used the python int() function which accepted leading
plus signs and internal underscores, which are not allowed by the
HTTP RFCs (it also accepts minus signs, but these are less problematic
in this context since they'd result in errors elsewhere)

It is important to fix this because when combined with certain proxies,
the lax parsing could result in a request smuggling vulnerability (if
both Tornado and the proxy accepted an invalid content-length but
interpreted it differently). This is known to occur with old versions
of haproxy, although the current version of haproxy is unaffected.

Version 6.3.2

Under some configurations the default_filename redirect could be exploited
to redirect to an attacker-controlled site. This change refuses to redirect
to URLs that could be misinterpreted.

A test case for the specific vulnerable configuration will follow after the
patch has been available.

test: Close a websocket client that causes occasional test failures

These will fail when run from forks because the necessary
credentials aren't available.

These failures occur on the build.yml workflow on the emulated arm64
platform: an ill-timed timer firing during test shutdown can result
in a message being logged and the test failing for dirty logs.

ci: Update setup-qemu-action version

Eliminates some more deprecation warnings

Bump version to 6.3.1

web: Restore case-insensitivity of set_cookie args

This was an unintended feature that got broken in #3224. Bring it back
for now but deprecate it for future cleanup.

Fixes #3252

Set version to 6.3 final

ci: Update build workflow

Build wheels for Python 3.12 as well.
Update various dependencies. The upload/download artifact actions
were using deprecated versions, and we were using a deprecated
macos build image. While we're at it, update the other OS versions
and cibuildwheel.

Set version number to 6.3b1

typing: Eagerly import all submodules in __init__.pyi

This makes the auto-import functionality compatible with mypy
and other typing-based tools such as autocomplete functionality.
Excluding these imports from static typing feels like a premature
optimization and made it much less appealing to make use of the
auto-imports.

This may slow down type checking of applications that use Tornado by
a little, since the type checker must now process all of Tornado and
not only the subset that was imported. However, the increasing use
of long-lived daemons for type checkers should mitigate this cost.

websocket: Add resolver argument to websocket_connect

Old browser versions that do not support websockets have long since
faded from use.

This is the public interface, but when the resolver argument was added
it was only added to the supporting WebSocketClientConnection class.

docs: Add release notes for 6.3

Use SPDX license identifier

Use SPDX license identifier: Apache-2.0
This will help tools to produce valid SPDX.
Signed-off-by: NMarc-Etienne Vargenau <marc-etienne.vargenau@nokia.com>

web: Support renaming the XSRF cookie

This makes it possible to use the __Host- cookie prefix for increased
security

docs: Point to stable branch for all demo links

Add a README to the demos directory with a brief description of each,
and a warning about the usage of not-yet-released features.

Fixes #3236

testing: No longer silence deprecation warnings

Only do it on the specific versions that had the problematic warnings.

Also deprecate get_new_ioloop.

Revert some deprecations, following asyncio changes

wsgi: Support ThreadPoolExecutor