MEDIUM 5.4

GHSA-78cv-mqj4-43f7

Tornado has incomplete validation of cookie attributes

Details

Values passed to the `domain`, `path`, and `samesite` arguments of `RequestHandler.set_cookie` were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / tornado

Introduced in: 0 Fixed in: 6.5.5

Fix pip install --upgrade 'tornado>=6.5.5'

References

https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7 [WEB]
https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104 [WEB]
https://github.com/tornadoweb/tornado [PACKAGE]
https://github.com/tornadoweb/tornado/releases/tag/v6.5.5 [WEB]