-
-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Latest data: Tue Aug 15 08:03:55 UTC 2023
- Loading branch information
github.actions
committed
Aug 15, 2023
1 parent
5eb57d1
commit 3106848
Showing
13 changed files
with
610 additions
and
24 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,145 @@ | ||
[ | ||
{ | ||
"package": { | ||
"name": "tornado", | ||
"version": "6.3.2", | ||
"ecosystem": "PyPI" | ||
}, | ||
"vulnerabilities": [ | ||
{ | ||
"modified": "2023-08-14T21:48:29Z", | ||
"published": "2023-08-14T21:34:17Z", | ||
"schema_version": "1.4.0", | ||
"id": "GHSA-qppv-j76h-2rpx", | ||
"summary": "Tornado vulnerable to HTTP request smuggling via improper parsing of `Content-Length` fields and chunk lengths", | ||
"details": "## Summary\nTornado interprets `-`, `+`, and `_` in chunk length and `Content-Length` values, which are not allowed by the HTTP RFCs. This can result in request smuggling when Tornado is deployed behind certain proxies that interpret those non-standard characters differently. This is known to apply to older versions of haproxy, although the current release is not affected.\n\n## Details\nTornado uses the `int` constructor to parse the values of `Content-Length` headers and chunk lengths in the following locations:\n### `tornado/http1connection.py:445`\n```python3\n self._expected_content_remaining = int(headers[\"Content-Length\"])\n```\n### `tornado/http1connection.py:621`\n```python3\n content_length = int(headers[\"Content-Length\"]) # type: Optional[int]\n```\n### `tornado/http1connection.py:671`\n```python3\n chunk_len = int(chunk_len_str.strip(), 16)\n```\nBecause `int(\"0_0\") == int(\"+0\") == int(\"-0\") == int(\"0\")`, using the `int` constructor to parse and validate strings that should contain only ASCII digits is not a good strategy. \n\n", | ||
"affected": [ | ||
{ | ||
"package": { | ||
"ecosystem": "PyPI", | ||
"name": "tornado", | ||
"purl": "pkg:pypi/tornado" | ||
}, | ||
"ranges": [ | ||
{ | ||
"type": "ECOSYSTEM", | ||
"events": [ | ||
{ | ||
"introduced": "0" | ||
}, | ||
{ | ||
"fixed": "6.3.3" | ||
} | ||
] | ||
} | ||
], | ||
"versions": [ | ||
"0.2", | ||
"1.0", | ||
"1.1", | ||
"1.1.1", | ||
"1.2", | ||
"1.2.1", | ||
"2.0", | ||
"2.1", | ||
"2.1.1", | ||
"2.2", | ||
"2.2.1", | ||
"2.3", | ||
"2.4", | ||
"2.4.1", | ||
"3.0", | ||
"3.0.1", | ||
"3.0.2", | ||
"3.1", | ||
"3.1.1", | ||
"3.2", | ||
"3.2.1", | ||
"3.2.2", | ||
"4.0", | ||
"4.0.1", | ||
"4.0.2", | ||
"4.1", | ||
"4.1b2", | ||
"4.2", | ||
"4.2.1", | ||
"4.2b1", | ||
"4.3", | ||
"4.3b1", | ||
"4.3b2", | ||
"4.4", | ||
"4.4.1", | ||
"4.4.2", | ||
"4.4.3", | ||
"4.4b1", | ||
"4.5", | ||
"4.5.1", | ||
"4.5.2", | ||
"4.5.3", | ||
"4.5b1", | ||
"4.5b2", | ||
"5.0", | ||
"5.0.1", | ||
"5.0.2", | ||
"5.0a1", | ||
"5.0b1", | ||
"5.1", | ||
"5.1.1", | ||
"5.1b1", | ||
"6.0", | ||
"6.0.1", | ||
"6.0.2", | ||
"6.0.3", | ||
"6.0.4", | ||
"6.0a1", | ||
"6.0b1", | ||
"6.1", | ||
"6.1b1", | ||
"6.1b2", | ||
"6.2", | ||
"6.2b1", | ||
"6.2b2", | ||
"6.3", | ||
"6.3.1", | ||
"6.3.2", | ||
"6.3b1" | ||
], | ||
"database_specific": { | ||
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-qppv-j76h-2rpx/GHSA-qppv-j76h-2rpx.json" | ||
} | ||
} | ||
], | ||
"references": [ | ||
{ | ||
"type": "WEB", | ||
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-qppv-j76h-2rpx" | ||
}, | ||
{ | ||
"type": "WEB", | ||
"url": "https://github.com/tornadoweb/tornado/commit/b7a5dd29bb02950303ae96055082c12a1ea0a4fe" | ||
}, | ||
{ | ||
"type": "PACKAGE", | ||
"url": "https://github.com/tornadoweb/tornado" | ||
} | ||
], | ||
"database_specific": { | ||
"cwe_ids": [ | ||
"CWE-444" | ||
], | ||
"github_reviewed": true, | ||
"github_reviewed_at": "2023-08-14T21:34:17Z", | ||
"nvd_published_at": null, | ||
"severity": "MODERATE" | ||
} | ||
} | ||
], | ||
"groups": [ | ||
{ | ||
"ids": [ | ||
"GHSA-qppv-j76h-2rpx" | ||
] | ||
} | ||
] | ||
} | ||
] |
Oops, something went wrong.