Tornado Denial-of-Service Vulnerability via Repeated HTTP Header Coalescing

Vulnerability

A denial-of-service vulnerability has been identified in the Tornado web framework in versions prior to 6.5.3. The issue is in the HTTPHeaders.add method, which coalesces repeated header names into one comma-separated value by string concatenation. Because Python strings are immutable, each concatenation copies the entire accumulated value, so a request that repeats one header name n times costs O(n²) work in the total header bytes rather than O(n). Tornado serves every connection of a process from a single-threaded event loop, so one maliciously crafted request with many repeated header names blocks that loop for the whole parse. How long that is depends on how much header data the server accepts: the advisory rates the severity high if 'max_header_size' has been raised above its default of 64KB (the cost grows with the square of the limit), and low if the default is kept.

Impact

Exploitation of this vulnerability causes a denial-of-service condition: while the event loop is blocked parsing the crafted request, the process stops servicing every other connection it holds, not only the attacker's, which disrupts normal operations and can cause client timeouts and other responsiveness failures. Because each request is bounded by 'max_header_size', a sustained effect requires the attacker to keep sending such requests.

Reproduction

The vulnerability can be reproduced by sending an HTTP request whose header block repeats a single header name many times (for example 'X-Repeat: a' on thousands of lines), sized to fill the configured 'max_header_size'; the parser's time grows quadratically with the number of repeats, so the effect is most visible on a server whose limit has been raised above the 64KB default. Tornado's own tests for header parsing live in 'tornado/test/httputil_test.py' in the Tornado repository.

Remediation

Upgrade to Tornado version 6.5.3 or later, where this vulnerability has been fixed. Where an immediate upgrade is not possible, keeping 'max_header_size' at its 64KB default (or lower) bounds the work a single request can cause, which is why the advisory rates the issue low at the default; a reverse proxy that enforces its own header-size limit in front of Tornado bounds the same input.

Added: Dec 12, 2025, 6:18 AM
Updated: Dec 12, 2025, 6:18 AM

Vulnerability Rating

Custom Algorithm

  spread          7.6
  impact          2.5
  exploitability  9.3
  remediation     7.7
  relevance       1.4
  threat          4.8
  urgency         2.9
  incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.