micromasters
micromasters copied to clipboard
chore(deps): update dependency tornado to v6 [security]
This PR contains the following updates:
Package | Change | Age | Adoption | Passing | Confidence |
---|---|---|---|---|---|
tornado (source) | ==5.1.1 -> ==6.3.3 |
GitHub Vulnerability Alerts
CVE-2023-28370
Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.
GHSA-qppv-j76h-2rpx
Summary
Tornado interprets -
, +
, and _
in chunk length and Content-Length
values, which are not allowed by the HTTP RFCs. This can result in request smuggling when Tornado is deployed behind certain proxies that interpret those non-standard characters differently. This is known to apply to older versions of haproxy, although the current release is not affected.
Details
Tornado uses the int
constructor to parse the values of Content-Length
headers and chunk lengths in the following locations:
tornado/http1connection.py:445
self._expected_content_remaining = int(headers["Content-Length"])
tornado/http1connection.py:621
content_length = int(headers["Content-Length"]) # type: Optional[int]
tornado/http1connection.py:671
chunk_len = int(chunk_len_str.strip(), 16)
Because int("0_0") == int("+0") == int("-0") == int("0")
, using the int
constructor to parse and validate strings that should contain only ASCII digits is not a good strategy.
Release Notes
Configuration
📅 Schedule: Branch creation - "" in timezone US/Eastern, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.