From: Ben Darnell
Date: Fri, 13 Aug 2010 17:18:28 +0000 (-0700)
Subject: Check for far-future timestamps in secure cookies.
X-Git-Tag: v1.1.0~36
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a770a7cf6c2b0a4703cf29f419c400266fee1530;p=thirdparty%2Ftornado.git

Check for far-future timestamps in secure cookies.
---
diff --git a/tornado/web.py b/tornado/web.py
index daf8b315b..3696411c6 100644
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -344,6 +344,16 @@ class RequestHandler(object):
 if timestamp < time.time() - 31 * 86400:
 logging.warning("Expired cookie %r", value)
 return None
+ if timestamp > time.time() + 31 * 86400:
+ # _cookie_signature does not hash a delimiter between the
+ # parts of the cookie, so an attacker could transfer trailing
+ # digits from the payload to the timestamp without altering the
+ # signature. For backwards compatibility, sanity-check timestamp
+ # here instead of modifying _cookie_signature.
+ logging.warning("Cookie timestamp in future; possible tampering %r", value)
+ return None
+ if parts[1].startswith("0"):
+ logging.warning("Tampered cookie %r", value)
 try:
 return base64.b64decode(parts[0])
 except:
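Review bot: The new `if parts[1].startswith("0"):` branch at the end of the hunk only logs "Tampered cookie" and then falls through to the `return base64.b64decode(parts[0])` that follows, so a cookie the code has just classified as tampered is still accepted and its (attacker-shortened) payload returned. By the hunk's own comment the signature covers no delimiter between payload and timestamp, so when the payload ends in `0` an attacker can shift that character onto the front of the timestamp; Python's `int()` parses `"0" + digits` as the same value, so the expiry and far-future checks both pass, and this leading-zero check is the only thing that would stop it — it should reject rather than warn: `if parts[1].startswith("0"):` / `logging.warning("Tampered cookie %r", value)` / `return None`. The enclosing method begins before the hunk (the header names only `class RequestHandler`), so where `parts` is split and `timestamp` parsed is not visible here and is assumed to be `int(parts[1])`.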