Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

httputil: Fix quadratic performance of cookie parsing #3446

Merged
merged 3 commits into from
Nov 22, 2024
Merged

httputil: Fix quadratic performance of cookie parsing #3446

merged 3 commits into from
Nov 22, 2024

Conversation

bdarnell
Copy link
Member

Maliciously-crafted cookies can cause Tornado to
spend an unreasonable amount of CPU time and block
the event loop.

This change replaces the quadratic algorithm with
a more efficient one. The implementation is copied
from the Python 3.13 standard library (the
previous one was from Python 3.5).

Fixes CVE-2024-52804
See CVE-2024-7592 for a similar vulnerability in cpython.

Thanks to @kexinoh for the report.

@bdarnell
httputil: Fix quadratic performance of cookie parsing
d5ba4a1 
Maliciously-crafted cookies can cause Tornado to
spend an unreasonable amount of CPU time and block
the event loop.

This change replaces the quadratic algorithm with
a more efficient one. The implementation is copied
from the Python 3.13 standard library (the
previous one was from Python 3.5).

Fixes CVE-2024-52804
See CVE-2024-7592 for a similar vulnerability in cpython.

Thanks to github.com/kexinoh for the report.
cjwatson and others added 2 commits November 21, 2024 21:28
@cjwatson @bdarnell
Fix tests with Twisted 24.7.0
bc7df6b 
`twisted.internet.defer.returnValue` was needed on Python 2, but on
Python 3 a simple `return` statement works fine.  Twisted 24.7.0
deprecated the former, causing
`tornado.test.twisted_test.ConvertDeferredTest.test_success` to fail.
@bdarnell
Bump version to 6.4.2
a5ecfab
@bdarnell bdarnell merged commit 27b3252 into tornadoweb:branch6.4 Nov 22, 2024
12 checks passed
@bdarnell bdarnell deleted the cookie-quadratic-6.4 branch November 22, 2024 02:36
@bdarnell bdarnell mentioned this pull request Nov 22, 2024
Open
@explunit
Copy link

Is this fix needed for sites where cookie authentication is not used? I.e., are these cookie headers parsed regardless of the authentication method?

@bdarnell
Copy link
Member Author

Cookies are parsed the first time the request.cookies attribute is accessed (usually via the get_cookie or get_signed_cookie method). An application that does not use cookies in any way is not affected (but remember that the xsrf_cookies feature uses cookies underneath)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bdarnell @explunit @cjwatson