Tornado HTTP Header Parsing Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability exists in Tornado versions prior to 6.5.3. It lies in the `_parseparam` generator in `httputil.py`, which splits `;`-separated parameters out of HTTP header values, including the `Content-Disposition` header of each `multipart/form-data` part. To decide whether a candidate `;` sits inside a quoted string, the old algorithm calls `str.count()` to re-count the quotes from the start of the parameter up to that position, and it does so again for every further `;` it finds. A value containing many quoted semicolons therefore drives a nested loop whose work grows quadratically with the length of the value. An attacker can send one request whose `Content-Disposition` header carries a long quoted parameter value packed with semicolons and force the server to spend far more CPU on parsing than the request size suggests. Because Tornado serves every connection from a single event loop, the process handles no other request while that parse runs. Note that the affected header is read from the multipart body, not the request head, so request-head size limits do not bound the payload; only the body-size limit does.

Impact

Parsing a single crafted request can occupy the CPU for an extended period, and the event loop is blocked for the whole of that time, so every other connection served by the process stalls. Repeating the request prolongs the outage. The effect is loss of availability only; no memory corruption or code execution is involved.

Reproduction

The vulnerability can be reproduced by sending a `multipart/form-data` request in which a part's `Content-Disposition` header has a parameter whose quoted value contains a large number of semicolons (or many such parameters). For each of those semicolons `_parseparam` re-counts the quotes preceding it, so the parse time grows with the square of the number of quoted semicolons rather than linearly with the header length. Doubling the payload roughly quadruples the CPU time, which is the signature to look for when confirming the issue.

Remediation

Users should upgrade to Tornado 6.5.3 or later, which addresses this vulnerability by replacing the quote-recounting loop with a parsing algorithm that runs in linear time. Until the upgrade is deployed, lowering the server's `max_body_size` and rate-limiting multipart uploads only bound the damage: because the cost is quadratic, even a body of a few hundred kilobytes of semicolons still costs tens of billions of character comparisons, so the version upgrade is the actual fix.

Added: Dec 12, 2025, 7:20 AM
Updated: Dec 12, 2025, 7:20 AM

Vulnerability Rating

Custom Algorithm

spread          7.6
impact          2.5
exploitability  9.3
remediation     7.7
relevance       1.4
threat          4.8
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.