Closed bdarnell closed 4 days ago
Is this fix needed for sites where cookie authentication is not used? I.e., are these cookie headers parsed regardless of the authentication method?
Cookies are parsed the first time the `request.cookies` attribute is accessed (usually via the `get_cookie` or `get_signed_cookie` method). An application that does not use cookies in any way is not affected (but remember that the `xsrf_cookies` feature uses cookies underneath).
Maliciously-crafted cookies can cause Tornado to spend an unreasonable amount of CPU time and block the event loop.
This change replaces the quadratic algorithm with a more efficient one. The implementation is copied from the Python 3.13 standard library (the previous one was from Python 3.5).
Fixes CVE-2024-52804. See CVE-2024-7592 for a similar vulnerability in cpython.
Thanks to @kexinoh for the report.
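As an added illustration (this is not Tornado's code and not the cpython patch), the block below shows the single-pass approach that the newer `http.cookies` unquoting takes: one compiled pattern covering both octal escapes and plain backslash escapes, applied with `re.sub`, so the value is walked once from left to right instead of re-searching from the current offset to the end of the string for every backslash. The function names `unquote_cookie_value` and `parse_cookie_header` are chosen here, and the `Cookie` header strings are constructed for the example.

```python
import re

# One pattern for both escape forms inside a quoted cookie value:
#   \ooo  -> octal escape (group 1)
#   \x    -> any other escaped character (group 2)
# re.sub applies it in a single left-to-right pass, so the cost is
# linear in the length of the value regardless of how many
# backslashes it contains.
_ESCAPE_RE = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))')


def _replace_escape(m: "re.Match[str]") -> str:
    # Group 1 is set for an octal escape, group 2 for a plain escape.
    if m.group(1):
        return chr(int(m.group(1), 8))
    return m.group(2)


def unquote_cookie_value(value: str) -> str:
    """Strip surrounding double quotes and resolve backslash escapes.

    Unquoted values are returned unchanged; escapes are only meaningful
    inside a double-quoted value. A trailing lone backslash (no character
    after it) is left as-is because the pattern cannot match it.
    """
    if len(value) < 2:
        return value
    if value[0] != '"' or value[-1] != '"':
        return value
    # Single substitution pass; no repeated pattern.search(value, i)
    # calls that each scan to the end when no octal escape exists.
    return _ESCAPE_RE.sub(_replace_escape, value[1:-1])


def parse_cookie_header(header: str) -> dict:
    """Parse a Cookie request header into {name: unquoted value}.

    Simplified splitting on ';' and the first '='; chunks without a
    name or without '=' are skipped rather than raising, since a request
    header is attacker-controlled input and must never crash the parser.
    """
    cookies = {}
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk or "=" not in chunk:
            continue
        name, _, val = chunk.partition("=")
        name, val = name.strip(), val.strip()
        if name:
            cookies[name] = unquote_cookie_value(val)
    return cookies


if __name__ == "__main__":
    # Constructed sample header: plain value, quoted value with an
    # escaped quote, an octal escape, and a malformed chunk to skip.
    sample = 'session=abc123; note="say \\"hi\\""; oct="\\101"; junk; empty='
    print(parse_cookie_header(sample))
```

The functional behaviour to check is that escapes resolve correctly and that a value made of many consecutive escaped backslashes comes back intact; the latter is the shape of input that makes a rescanning loop quadratic, and with the substitution pass it is handled in one sweep.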