MEDIUM 5.4

GHSA-78cv-mqj4-43f7

Tornado has incomplete validation of cookie attributes

상세

Values passed to the `domain`, `path`, and `samesite` arguments of `RequestHandler.set_cookie` were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / tornado

최초 영향 버전: 0 수정 버전: 6.5.5

수정 pip install --upgrade 'tornado>=6.5.5'

참고

https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7 [WEB]
https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104 [WEB]
https://github.com/tornadoweb/tornado [PACKAGE]
https://github.com/tornadoweb/tornado/releases/tag/v6.5.5 [WEB]