Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

httputil: Fix quadratic performance of cookie parsing #3447

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

httputil: Fix quadratic performance of cookie parsing #3447

wants to merge 1 commit into from

Conversation

bdarnell
Copy link
Member

Maliciously-crafted cookies can cause Tornado to
spend an unreasonable amount of CPU time and block the event loop.

This change replaces the quadratic algorithm with
a more efficient one. The implementation is copied from the Python 3.13 standard library (the
previous one was from Python 3.5).

Fixes CVE-2024-52804
See CVE-2024-7592 for a similar vulnerability in cpython.

Thanks to github.com/kexinoh for the report.

This is the master-branch version of #3446

@bdarnell
httputil: Fix quadratic performance of cookie parsing
f4b3e96 
Maliciously-crafted cookies can cause Tornado to
spend an unreasonable amount of CPU time and block
the event loop.

This change replaces the quadratic algorithm with
a more efficient one. The implementation is copied
from the Python 3.13 standard library (the
previous one was from Python 3.5).

Fixes CVE-2024-52804
See CVE-2024-7592 for a similar vulnerability in cpython.

Thanks to github.com/kexinoh for the report.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@bdarnell