Bug 1399570

Summary: python-tornado: XSRF protection bypass via cookie parsing differences
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: dkholia, mhroncok, orion, python-sig, tomspur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: python-tornado 4.4.2
Doc Type: If docs needed, set a value
Last Closed: 2016-12-14 05:59:35 UTC
Type: ---
Bug Depends On: 1399571
Bug Blocks: 1399574

Description Andrej Nemec 2016-11-29 10:25:11 UTC
A difference in cookie parsing between Tornado and web browsers (especially when combined with Google Analytics) could allow an attacker to set arbitrary cookies and bypass XSRF protection. The cookie parser has been rewritten to fix this attack.

References:

http://www.tornadoweb.org/en/stable/releases/v4.4.2.html
https://hackerone.com/reports/26647

Upstream patch:

https://github.com/tornadoweb/tornado/commit/cb247cb8db7903fda0ca26531c1526e895e10800
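Added example (not Tornado's code and not from the report above): a browser-style, lenient Cookie-header parser with an XSRF check built on top of it. Browsers send every "name=value" pair they hold, split only on ";", and never discard the header because one pair looks unusual (Google Analytics values routinely contain "=" and "|"); a server-side parser stricter than that sees a different cookie set than the browser intended, which is the mismatch class the description refers to. Assumed: the token lives in the "_xsrf" cookie and form field (Tornado's names); the sample header, the token value and the "reject conflicting duplicates" rule are this example's own.

```python
import hmac


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie header the way browsers assemble it: on ';' first,
    then on the first '=' of each chunk. Values keep every character,
    including '=', '|', '(', ')' and quotes, so a Google-Analytics style
    cookie such as __utmz=1.2.utmcsr=google|utmccn=(organic) survives.
    Returns name -> list of values in header order (duplicates kept)."""
    cookies = {}
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue                      # tolerate ';;' and a trailing ';'
        name, sep, value = chunk.partition("=")
        name = name.strip()
        if not sep or not name:
            continue                      # a bare token carries no cookie
        cookies.setdefault(name, []).append(value.strip())
    return cookies


def xsrf_check_passes(cookie_header: str, form_token: str) -> bool:
    """True only when exactly one unambiguous _xsrf cookie is present and it
    matches the token submitted with the form (constant-time comparison).
    Conflicting duplicate _xsrf cookies are rejected; that is a choice made
    here for the example, not Tornado's documented behaviour."""
    values = parse_cookie_header(cookie_header).get("_xsrf", [])
    if not values or len(set(values)) != 1:
        return False                      # missing or conflicting cookies
    return hmac.compare_digest(values[0].encode(), form_token.encode())


# Constructed sample header: a GA cookie with '=' and '|' inside its value,
# a quoted value, an empty segment, and finally the (made-up) XSRF cookie.
SAMPLE_HEADER = ('__utmz=1.2.utmcsr=google|utmccn=(organic); '
                 'theme="dark"; ; _xsrf=2|abc123')
```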

Comment 1 Andrej Nemec 2016-11-29 10:25:49 UTC
Created python-tornado tracking bugs for this issue:

Affects: fedora-24 [bug 1399571]