return None when a secure-cookie is forged #557

Merged
merged 1 commit into from Jul 4, 2012

Contributor

raullenchai commented Jul 3, 2012

A very simple bug fix!

It seems one forgot to return None when a secure-cookie is forged -- where the timestamp starts with a "0" -- in the function "decode_signed_value", a mechanism designed to defeat the following forgery:

"TWFu0000|1341271759|02233ed3df447a08059ccb6e4fd0d19797b3e435" forges as
"TWFu|00001341271759|02233ed3df447a08059ccb6e4fd0d19797b3e435"

Note that the fix does not change the logic of this function but makes the "returns" more consistent.

Owner

bdarnell commented Jul 4, 2012

Ah, good catch. This is a slight logical change, although it only affects invalid input and the chances of it actually being usable by an attacker are pretty remote. All they could do would be to truncate bytes from the end of their payload, and only if those bytes base64-encoded to zeroes (three bytes/four b64 zeroes at a time, because of base64 padding).

bdarnell added a commit that referenced this pull request Jul 4, 2012

Merge pull request #557 from raullenchai/master
Fix handling of a limited form of secure_cookie tampering

@bdarnell bdarnell merged commit 00688f9 into tornadoweb:master Jul 4, 2012
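
The check discussed in this thread, as an added example that is not Tornado's code or part of the original conversation. It is a simplified model which assumes the signature is an HMAC-SHA1 over name, value and timestamp concatenated with no delimiter; the secret, cookie name, payload, `move_zeros` helper and `reject_leading_zero` switch are constructed for illustration.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # constructed value, not a real key
NAME = b"user"                        # constructed cookie name
NOW = 1341271759                      # timestamp from the example in the thread
PAYLOAD = b"Man\xd3\x4d\x34"          # constructed; base64-encodes to "TWFu0000"

def sign(secret, *parts):
    # Assumption: the parts are fed to the MAC back to back, so the MAC
    # cannot tell where the value ends and the timestamp begins.
    mac = hmac.new(secret, digestmod=hashlib.sha1)
    for part in parts:
        mac.update(part)
    return mac.hexdigest().encode()

def create_signed_value(secret, name, value, now):
    b64 = base64.b64encode(value)
    ts = str(int(now)).encode()
    return b"|".join([b64, ts, sign(secret, name, b64, ts)])

def decode_signed_value(secret, name, cookie, now, max_age_days=31,
                        reject_leading_zero=True):
    # reject_leading_zero is a hypothetical switch: False models the
    # behaviour before the fix, True the behaviour after it.
    parts = cookie.split(b"|")
    if len(parts) != 3:
        return None
    if not hmac.compare_digest(parts[2], sign(secret, name, parts[0], parts[1])):
        return None
    try:
        timestamp = int(parts[1])
    except ValueError:
        return None
    if not now - max_age_days * 86400 <= timestamp <= now + 31 * 86400:
        return None
    if reject_leading_zero and parts[1].startswith(b"0"):
        return None   # digits were moved across the "|" boundary
    try:
        return base64.b64decode(parts[0])
    except ValueError:
        return None

def move_zeros(cookie):
    # The rewrite shown in the thread: "TWFu0000|ts|sig" -> "TWFu|0000ts|sig".
    b64, ts, sig = cookie.split(b"|")
    return b"|".join([b64[:-4], b64[-4:] + ts, sig])
```

Both cookies carry the same signature because the MAC input is byte-for-byte identical; only the leading-zero check distinguishes them.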
