Maliciously-crafted cookies can cause Tornado to spend an unreasonable amount of CPU time and block the event loop.
This change replaces the quadratic algorithm with a more efficient one. The implementation is copied from the Python 3.13 standard library (the previous one was from Python 3.5).
Fixes CVE-2024-52804
See CVE-2024-7592 for a similar vulnerability in cpython.
Thanks to github.com/kexinoh for the report.
This is the master-branch version of #3446
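An added sketch, not code from this change or from Tornado or CPython: it contrasts a two-search loop modeled on the older standard-library cookie unquoting with a single-pass regex substitution of the kind the description refers to. The function names `unquote_loop`, `unquote_single_pass` and `check_equivalence`, and the sample values, are constructed for illustration.

```python
import re

# Older style: two independent searches are run for every escape sequence.
_OCTAL = re.compile(r"\\[0-3][0-7][0-7]")
_QUOTED = re.compile(r"[\\].")

def unquote_loop(s):
    if s is None or len(s) < 2 or s[0] != '"' or s[-1] != '"':
        return s
    s = s[1:-1]
    i, n, out = 0, len(s), []
    while 0 <= i < n:
        # Both searches start at i. A search that finds nothing scans to the
        # end of the string, so the work per escape grows with what remains.
        o = _OCTAL.search(s, i)
        q = _QUOTED.search(s, i)
        if not o and not q:
            out.append(s[i:])
            break
        j = o.start() if o else -1
        k = q.start() if q else -1
        if q and (not o or k < j):      # plain backslash escape comes first
            out += [s[i:k], s[k + 1]]
            i = k + 2
        else:                           # three-digit octal escape comes first
            out += [s[i:j], chr(int(s[j + 1:j + 4], 8))]
            i = j + 4
    return "".join(out)

# Single pass: one pattern covers both escape forms, so the regex engine
# walks the value once and a callback decodes each match.
_ESCAPE = re.compile(r"\\(?:([0-3][0-7][0-7])|(.))")

def _decode(m):
    return chr(int(m[1], 8)) if m[1] else m[2]

def unquote_single_pass(s):
    if s is None or len(s) < 2 or s[0] != '"' or s[-1] != '"':
        return s
    return _ESCAPE.sub(_decode, s[1:-1])

# Constructed sample cookie values (not taken from any report).
SAMPLES = ['plain', '"a\\"b"', '"\\073"', '"x\\\\y"', '"\\400"', '"end\\"', '""']

def check_equivalence():
    # The rewrite must decode every sample exactly as the loop did.
    return all(unquote_loop(v) == unquote_single_pass(v) for v in SAMPLES)
```

A regression test for a change like this should assert identical output from both versions on ordinary values, and separately bound the time the single-pass version takes on long escaped values.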