Skip to content

[ENG-8501] Upgrade tornado version to "6.5.1" #399

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 12, 2025
Merged

[ENG-8501] Upgrade tornado version to "6.5.1" #399

merged 1 commit into from
Aug 12, 2025

Conversation

mkovalua
Copy link

@mkovalua mkovalua commented Aug 7, 2025
edited
Loading

Ticket

https://openscience.atlassian.net/browse/ENG-8501

Purpose

Summary
When Tornado's multipart/form-data parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous.

Affected versions
All versions of Tornado prior to 6.5 are affected. The vulnerable parser is enabled by default.

Changes

Upgrade to Tornado version 6.5. In the meantime, risk can be mitigated by blocking Content-Type: multipart/form-data in a proxy. It looks like there is no breaking changings in backlog https://www.tornadoweb.org/en/stable/releases/v6.5.0.html , so no code changings is needed.

( PR is closed
#398
)

Side effects

QA Notes

Deployment Notes

@mkovalua
migrate tornado version to "6.5.1" to improve support for non latin c…
899a998 
…hars and avoid issues that was fixed in 6.5.0
@mkovalua mkovalua mentioned this pull request Aug 7, 2025
Closed
@coveralls
Copy link

Coverage Status

coverage: 68.586%. remained the same
when pulling 899a998 on mkovalua:fix/ENG--8501
into 231f5be on CenterForOpenScience:feature/buff-worms.

@mkovalua mkovalua mentioned this pull request Aug 8, 2025
Merged
cslzchen
cslzchen approved these changes Aug 12, 2025
View reviewed changes
Copy link
Contributor

@cslzchen cslzchen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🎆

Note: I am going to merge this PR now, which will lead you to update the poetry lock file again in #400

poetry.lock
@@ -1,4 +1,4 @@
# This file is automatically @generated by Poetry 2.1.3 and should not be changed by hand.
# This file is automatically @generated by Poetry 2.1.2 and should not be changed by hand.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 again for using 2.1.2

@cslzchen cslzchen merged commit a54c91a into CenterForOpenScience:feature/buff-worms Aug 12, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cslzchen cslzchen cslzchen approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mkovalua @coveralls @cslzchen