Merge pull request #3491 from bdarnell/merge-642

bdarnell · web-flow · commit 26d5788cc05a · 2025-04-29T16:08:15.000-04:00
docs: Copy 6.4.2 release notes to master branch
diff --git a/docs/releases.rst b/docs/releases.rst
@@ -4,6 +4,7 @@ Release notes
 .. toctree::
    :maxdepth: 2
 
+   releases/v6.4.2
    releases/v6.4.1
    releases/v6.4.0
    releases/v6.3.3
diff --git a/docs/releases/v6.4.2.rst b/docs/releases/v6.4.2.rst
@@ -0,0 +1,12 @@
+What's new in Tornado 6.4.2
+===========================
+
+Nov 21, 2024
+------------
+
+Security Improvements
+~~~~~~~~~~~~~~~~~~~~~
+
+- Parsing of the cookie header is now much more efficient. The older algorithm sometimes had
+  quadratic performance which allowed for a denial-of-service attack in which the server would spend
+  excessive CPU time parsing cookies and block the event loop. This change fixes CVE-2024-7592.
diff --git a/tornado/routing.py b/tornado/routing.py
@@ -184,7 +184,18 @@ def request_callable(request):
 from tornado.log import app_log
 from tornado.util import basestring_type, import_object, re_unescape, unicode_type
 
-from typing import Any, Union, Optional, Awaitable, List, Dict, Pattern, Tuple, overload, Sequence
+from typing import (
+    Any,
+    Union,
+    Optional,
+    Awaitable,
+    List,
+    Dict,
+    Pattern,
+    Tuple,
+    overload,
+    Sequence,
+)
 
 
 class Router(httputil.HTTPServerConnectionDelegate):
