Summary
The _parseparam function in Tornado's httputil.py parses parameterized HTTP header values, such as the Content-Disposition header of multipart/form-data bodies. Its algorithm is inefficient: while deciding whether a semicolon is inside a quoted string (e.g., param=";"), it repeatedly calls string.count() from within a nested loop, rescanning the already-processed prefix of the header each time.
As a result, if an attacker sends a request whose Content-Disposition header contains a large number of maliciously crafted parameters, the server's CPU usage grows quadratically (O(n²)) with the header length during parsing. Because Tornado runs on a single-threaded event loop, one such request can block the whole server for an extended period, making it unresponsive to all other clients and leading to a Denial of Service (DoS).
Severity: High
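For comparison, the following is an added example (not Tornado's code and not the project's fix) of a single-pass parameter splitter that tracks quote state while scanning, so each character is examined once and the cost stays linear in the header length. The length cap MAX_HEADER_VALUE_LEN and the function name parse_params_linear are assumptions chosen for the example; the cap is a second, independent mitigation that bounds parsing work regardless of the algorithm used.

```python
from typing import Iterator

# Constructed upper bound for a single header value (assumption; tune per application).
MAX_HEADER_VALUE_LEN = 8192


def parse_params_linear(s: str, max_len: int = MAX_HEADER_VALUE_LEN) -> Iterator[str]:
    """Yield the ';'-separated parameters of a header value in one pass.

    Semicolons inside double-quoted strings are not separators, and a
    backslash escapes the next character inside quotes (so '\\"' does not
    close the string). Quote state is carried along while scanning, so no
    prefix is ever re-counted: O(n) instead of the O(n^2) behaviour that
    results from re-counting quotes for every candidate separator.
    Empty parameters (e.g. from a leading ';') are skipped.
    """
    if len(s) > max_len:
        # Reject oversized values up front so parsing work is bounded.
        raise ValueError("header value too long")

    in_quotes = False   # currently inside a "..." string?
    escaped = False     # previous char was a backslash inside quotes?
    start = 0           # index where the current parameter began

    for i, ch in enumerate(s):
        if escaped:
            escaped = False            # consume the escaped character
        elif in_quotes:
            if ch == "\\":
                escaped = True
            elif ch == '"':
                in_quotes = False
        elif ch == '"':
            in_quotes = True
        elif ch == ";":
            piece = s[start:i].strip()
            if piece:
                yield piece
            start = i + 1

    piece = s[start:].strip()
    if piece:
        yield piece


def parse_params_list(s: str, max_len: int = MAX_HEADER_VALUE_LEN) -> list:
    """Convenience wrapper returning the parameters as a list."""
    return list(parse_params_linear(s, max_len))


if __name__ == "__main__":
    # Constructed sample header values for demonstration.
    print(parse_params_list('form-data; name="a;b"; filename="x.txt"'))
    print(parse_params_list('; p=";"; q=";"'))
```

Because the splitter never looks back at characters it has already passed, a header built from thousands of quoted semicolons costs the same per byte as any other header; the length cap additionally guarantees that no single header can consume more than a fixed amount of parsing time on the event loop.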