git.ipfire.org Git - thirdparty/tornado.git/commit
httputil: Fix quadratic performance of cookie parsing 3447/head
author Ben Darnell <ben@bendarnell.com>
Thu, 21 Nov 2024 19:48:05 +0000 (14:48 -0500)
committer Ben Darnell <ben@bendarnell.com>
Fri, 22 Nov 2024 13:44:17 +0000 (08:44 -0500)
commit f4b3e9600e925ab57fc7b6ce250af175aa3e1356
tree 258a57ef79c714dd4bc4f35004c36cb9083ec482
parent f62afc31bc8908a2c9d0c21f74bc1447781e4782
httputil: Fix quadratic performance of cookie parsing

Maliciously-crafted cookies can cause Tornado to
spend an unreasonable amount of CPU time and block
the event loop.

This change replaces the quadratic algorithm with
a more efficient one. The implementation is copied
from the Python 3.13 standard library (the
previous one was from Python 3.5).

Fixes CVE-2024-52804
See CVE-2024-7592 for a similar vulnerability in cpython.

Thanks to github.com/kexinoh for the report.
tornado/httputil.py
tornado/test/httputil_test.py
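The commit message above describes replacing a quadratic algorithm with a single-pass one. The following is an added example, not code from this commit or from Tornado: a differential check that the two styles of quoted-value unquoting agree. It assumes the affected step is the unquoting of quoted cookie values, as in the CPython issue the message cites. Both functions are modelled on the Python 3.5-era and Python 3.13 `http.cookies` approaches; all names and sample values are hypothetical.

```python
import re

# Older style (modelled on Python 3.5-era http.cookies): two separate
# searches are restarted from position i for every escape sequence.
_OCTAL = re.compile(r"\\[0-3][0-7][0-7]")
_QUOTE = re.compile(r"[\\].")

def unquote_two_search(s):
    if s is None or len(s) < 2 or s[0] != '"' or s[-1] != '"':
        return s
    s = s[1:-1]
    i, n, res = 0, len(s), []
    while 0 <= i < n:
        o = _OCTAL.search(s, i)  # can scan the rest of s without matching
        q = _QUOTE.search(s, i)
        if not o and not q:
            res.append(s[i:])
            break
        j = o.start() if o else -1
        k = q.start() if q else -1
        if q and (not o or k < j):
            res += [s[i:k], s[k + 1]]                    # \x -> x
            i = k + 2
        else:
            res += [s[i:j], chr(int(s[j + 1:j + 4], 8))]  # \ooo -> char
            i = j + 4
    return "".join(res)

# Single-pass style (modelled on Python 3.13): one pattern, one sub() call,
# so each character of the value is examined a bounded number of times.
_ESCAPE = re.compile(r"\\(?:([0-3][0-7][0-7])|(.))")

def _replace(m):
    return chr(int(m[1], 8)) if m[1] else m[2]

def unquote_single_pass(s):
    if s is None or len(s) < 2 or s[0] != '"' or s[-1] != '"':
        return s
    return _ESCAPE.sub(_replace, s[1:-1])

# Constructed, benign sample values covering each branch.
SAMPLES = ['plain', '"a\\"b"', '"\\073"', '"tail\\"', '"\\\\012"', '""', None]

def mismatches(samples=SAMPLES):
    """Return the samples on which the two implementations disagree."""
    return [s for s in samples
            if unquote_two_search(s) != unquote_single_pass(s)]
```

An empty result from `mismatches()` is the property to keep under regression test when swapping one parser for the other.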