Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

httputil: Fix quadratic performance of cookie parsing #3446

Merged
merged 3 commits into from
Nov 22, 2024

Conversation

bdarnell
Copy link
Member

Maliciously-crafted cookies can cause Tornado to
spend an unreasonable amount of CPU time and block
the event loop.

This change replaces the quadratic algorithm with
a more efficient one. The implementation is copied
from the Python 3.13 standard library (the
previous one was from Python 3.5).

Fixes CVE-2024-52804
See CVE-2024-7592 for a similar vulnerability in cpython.

Thanks to @kexinoh for the report.

Maliciously-crafted cookies can cause Tornado to
spend an unreasonable amount of CPU time and block
the event loop.

This change replaces the quadratic algorithm with
a more efficient one. The implementation is copied
from the Python 3.13 standard library (the
previous one was from Python 3.5).

Fixes CVE-2024-52804
See CVE-2024-7592 for a similar vulnerability in cpython.

Thanks to github.com/kexinoh for the report.
@bdarnell bdarnell force-pushed the cookie-quadratic-6.4 branch from 16c33a6 to e6dad37 Compare November 22, 2024 02:17
cjwatson and others added 2 commits November 21, 2024 21:28
`twisted.internet.defer.returnValue` was needed on Python 2, but on
Python 3 a simple `return` statement works fine.  Twisted 24.7.0
deprecated the former, causing
`tornado.test.twisted_test.ConvertDeferredTest.test_success` to fail.
@bdarnell bdarnell force-pushed the cookie-quadratic-6.4 branch from 2327b57 to a5ecfab Compare November 22, 2024 02:28
@bdarnell bdarnell merged commit 27b3252 into tornadoweb:branch6.4 Nov 22, 2024
12 checks passed
@bdarnell bdarnell deleted the cookie-quadratic-6.4 branch November 22, 2024 02:36
@explunit
Copy link

Is this fix needed for sites where cookie authentication is not used? I.e., are these cookie headers parsed regardless of the authentication method?

@bdarnell
Copy link
Member Author

Cookies are parsed the first time the request.cookies attribute is accessed (usually via the get_cookie or get_signed_cookie method). An application that does not use cookies in any way is not affected (but remember that the xsrf_cookies feature uses cookies underneath)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants