git.ipfire.org Git - thirdparty/tornado.git/commit
httputil: Fix quadratic performance of cookie parsing
author Ben Darnell <ben@bendarnell.com>
Thu, 21 Nov 2024 19:48:05 +0000 (14:48 -0500)
committer Ben Darnell <ben@bendarnell.com>
Fri, 22 Nov 2024 02:17:20 +0000 (21:17 -0500)
commit d5ba4a1695fbf7c6a3e54313262639b198291533
tree 13637c33c7f2d190ec57459a217ae7ae25596a9e
parent 2a0e1d13b5222dca4388c0ec8a4bb74ea6fa4af2
httputil: Fix quadratic performance of cookie parsing

Maliciously-crafted cookies can cause Tornado to
spend an unreasonable amount of CPU time and block
the event loop.

This change replaces the quadratic algorithm with
a more efficient one. The implementation is copied
from the Python 3.13 standard library (the
previous one was from Python 3.5).

Fixes CVE-2024-52804
See CVE-2024-7592 for a similar vulnerability in cpython.

Thanks to github.com/kexinoh for the report.
tornado/httputil.py
tornado/test/httputil_test.py
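
The commit message above describes replacing a quadratic cookie-unquoting loop with a more efficient one. The following is an added example, not the code from this commit and not Tornado's or CPython's source: it sketches the two strategies on the assumption that they follow the general shape of `http.cookies` unquoting, with hypothetical function names and constructed inputs, and counts the tail re-scanning that makes the older loop quadratic.

```python
import re

# Assumed shapes of the two strategies (hypothetical names, constructed inputs);
# this is an illustration, not the code changed by the commit.
_OCTAL = re.compile(r"\\[0-3][0-7][0-7]")            # \ooo octal escape
_QUOTE = re.compile(r"\\.")                           # any backslash escape
_ESCAPE = re.compile(r"\\(?:([0-3][0-7][0-7])|(.))")  # both, in one pattern


def unquote_rescan(s):
    """Older shape: two searches per escape. Returns (value, chars_rescanned)."""
    if len(s) < 2 or s[0] != '"' or s[-1] != '"':
        return s, 0
    s = s[1:-1]
    out, i, n, scanned = [], 0, len(s), 0
    while 0 <= i < n:
        o, q = _OCTAL.search(s, i), _QUOTE.search(s, i)
        # A search that finds nothing has walked the whole remaining tail.
        scanned += sum(n - i for m in (o, q) if m is None)
        if not o and not q:
            out.append(s[i:])
            break
        j = o.start() if o else -1
        k = q.start() if q else -1
        if q and (not o or k < j):      # plain \x escape comes first
            out += [s[i:k], s[k + 1]]
            i = k + 2
        else:                           # octal escape comes first
            out += [s[i:j], chr(int(s[j + 1:j + 4], 8))]
            i = j + 4
    return "".join(out), scanned


def unquote_single_pass(s):
    """Newer shape: one regex substitution visits each character once."""
    if len(s) < 2 or s[0] != '"' or s[-1] != '"':
        return s
    return _ESCAPE.sub(lambda m: chr(int(m[1], 8)) if m[1] else m[2], s[1:-1])


def rescan_cost(n_escapes):
    """Tail characters re-walked for a constructed value of n non-octal escapes."""
    return unquote_rescan('"' + "\\;" * n_escapes + '"')[1]


if __name__ == "__main__":
    for n in (100, 200):
        print(n, "escapes ->", rescan_cost(n), "tail characters re-scanned")
```

Doubling the number of escapes roughly quadruples the re-scanned count in the older shape, while the single-pass version produces the same values for the inputs in the test.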