From 1ca245f0ee0d5785610e5bf90b78e3860adc9deb Mon Sep 17 00:00:00 2001
From: Raullen
Date: Mon, 2 Jul 2012 17:28:44 -0700
Subject: [PATCH] return None when a secure-cookie is forged
---
 tornado/web.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tornado/web.py b/tornado/web.py
index a9bc5046f..99c6858d1 100644
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -2046,6 +2046,7 @@ def decode_signed_value(secret, name, value, max_age_days=31):
 return None
 if parts[1].startswith(b("0")):
 logging.warning("Tampered cookie %r", value)
+ return None
 try:
 return base64.b64decode(parts[0])
 except Exception:
--
2.47.2
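Review bot: The `parts[1].startswith(b("0"))` branch still has no comment saying why a leading "0" marks the value as tampered, and a rejection rule with no stated rationale is easy to weaken or drop in a later refactor. Before the added `return None`, the branch only logged the warning and then fell through to `base64.b64decode(parts[0])`, so the check failed open. I would add a comment above the condition such as `# parts[1] must not start with "0"; treat the value as tampered and reject it instead of decoding`, with the reason for the rule filled in by someone who knows the signing format. The diffstat shows only tornado/web.py touched, so a regression test asserting that decode_signed_value returns None for a value that hits this branch would also be worth adding. The function body starts before and continues past the hunk, so the `except Exception:` handler is not visible here.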