A difference in cookie parsing between Tornado and web browsers (especially when combined with Google Analytics) could allow an attacker to set arbitrary cookies and bypass XSRF protection. The cookie parser has been rewritten to fix this attack.

References:
http://www.tornadoweb.org/en/stable/releases/v4.4.2.html
https://hackerone.com/reports/26647

Upstream patch:
https://github.com/tornadoweb/tornado/commit/cb247cb8db7903fda0ca26531c1526e895e10800
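As an added example that is not Tornado's own code nor part of this report, the following stdlib-only parser applies the browser splitting rules (RFC 6265 section 5.4) that a server-side cookie parser must follow to stay consistent with what browsers send; the function name and the sample header are assumptions of mine.

```python
# Added example (not Tornado's code): a minimal Cookie request-header parser
# that follows browser semantics, usable as a reference when checking that a
# framework's parser agrees with the browser on edge cases.
from typing import Dict


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse a Cookie header the way browsers serialise it.

    Browsers split the header on ';' before anything else, so a ';' inside a
    quoted value still terminates the pair.  Each pair is split on the first
    '=' only, so '=' inside a value is preserved.  Later duplicates overwrite
    earlier ones.
    """
    cookies: Dict[str, str] = {}
    for chunk in header.split(";"):
        if "=" in chunk:
            name, value = chunk.split("=", 1)
        else:
            # A bare token carries no name; browsers treat the whole chunk
            # as a value with an empty name.
            name, value = "", chunk
        name = name.strip()
        value = value.strip()
        if not name:
            continue  # nothing addressable to store (a choice made here)
        # Strip one surrounding pair of double quotes; no further unescaping.
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        cookies[name] = value
    return cookies


# Constructed sample header exercising the edge cases above.
SAMPLE_HEADER = 'session=abc123; _ga="GA1.2.123"; token=a=b; empty=; ; theme=dark'

if __name__ == "__main__":
    for k, v in parse_cookie_header(SAMPLE_HEADER).items():
        print(f"{k!r} -> {v!r}")
```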
Created python-tornado tracking bugs for this issue: Affects: fedora-24 [bug 1399571]