Releases: ActiveState/tornado
v5.1.1+security.2
Security backport release for the Python 2.7-compatible tornado 5.1.1 line. Of nine reported advisories, one was already fixed (5.1.1.1) and two collapse into one fix, giving seven backports (one commit each).
- CVE-2024-52804 (GHSA-8w49-h785-mj3c): O(n^2) cookie unquoting replaced with a single regex — DoS.
- CVE-2025-47287 (GHSA-7cx3-6m66-7c5m): malformed multipart bodies raise once instead of logging per part — log-flood DoS.
- CVE-2026-31958 (GHSA-qjxf-f2mg-c6mc): multipart part count (1000) and per-part header size (10 KiB) are now capped — DoS.
- CVE-2026-35536 (GHSA-fqwm-6jpj-5wxc, GHSA-78cv-mqj4-43f7): set_cookie validates name/domain/path/samesite attributes (control chars, DEL, ;) — attribute injection.
- GHSA-753j-mpmx-qq6g: reject both-Transfer-Encoding-and-Content-Length / duplicate or unknown Transfer-Encoding, and strip only RFC 7230 OWS from header values — request smuggling.
- GHSA-qppv-j76h-2rpx: strict (digits-only) Content-Length and chunk-size parsing — request smuggling.
- GHSA-w235-7p84-xx57: reject bare CR/LF in outgoing request headers (curl + HTTP/1 writer) — header injection.
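A standalone sketch of the body-framing checks described in the two request-smuggling items (GHSA-753j-mpmx-qq6g and GHSA-qppv-j76h-2rpx), added here as an example and not taken from tornado itself; the function names, the FramingError class and the (name, value) header representation are assumptions of this example, and it runs under both Python 2.7 and 3.

```python
import re

# Added illustration of the framing checks listed above; not tornado's own code.
# RFC 7230 OWS is only SP and HTAB; a bare str.strip() would also drop \x0b,
# \x0c, \r and other whitespace, which is the laxness the OWS fix removes.
_OWS = " \t"
_DEC = re.compile(r"[0-9]+\Z")        # \Z, not $: "12\n" must not match
_HEX = re.compile(r"[0-9a-fA-F]+\Z")

class FramingError(ValueError):
    """Body framing is malformed or ambiguous; the request must be rejected."""

def strip_ows(value):
    return value.strip(_OWS)

def parse_content_length(value):
    # Digits only: "+5", "5e2", "0x10", "" and "5\n" are all rejected even
    # though int() or a lenient parser might accept some of them.
    v = strip_ows(value)
    if not _DEC.match(v):
        raise FramingError("invalid Content-Length: %r" % value)
    return int(v)

def parse_chunk_size(line):
    # chunk-size is hex digits, optionally followed by ";" and chunk extensions.
    size = strip_ows(line.partition(";")[0])
    if not _HEX.match(size):
        raise FramingError("invalid chunk size: %r" % line)
    return int(size, 16)

def body_framing(headers):
    """headers: list of (name, value) pairs as received on the wire.
    Returns ("chunked", None), ("length", n) or ("none", None), and raises
    FramingError whenever two parsers could disagree on where the body ends."""
    te = [v for k, v in headers if k.lower() == "transfer-encoding"]
    cl = [v for k, v in headers if k.lower() == "content-length"]
    if te and cl:
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if len(te) > 1 or len(cl) > 1:
        raise FramingError("duplicate framing header")
    if te:
        if strip_ows(te[0]).lower() != "chunked":
            raise FramingError("unknown Transfer-Encoding: %r" % te[0])
        return ("chunked", None)
    if cl:
        return ("length", parse_content_length(cl[0]))
    return ("none", None)
```

Each rejected case is one where a lenient front end and a strict back end (or the reverse) could pick different body boundaries for the same bytes, which is the condition request smuggling relies on.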
Already fixed in 5.1.1.1: GHSA-hj3f-6gcp-jg8j (CVE-2023-28370, StaticFileHandler open redirect).
Behavior notes: the multipart caps (tornado.httputil._MULTIPART_MAX_PARTS / _MULTIPART_MAX_PART_HEADER_SIZE) and stricter multipart rejection are behavior changes.
PR: #1
Tornado 5.1.1.1
ActiveState release of Tornado version 5.1.1.1
This is a Python 2 patch version to close CVE-2023-28370.