Comment 4 for bug 1990191

Mark Esler (eslerm) wrote :

I reviewed python-tornado 6.2.0-1 as checked into kinetic. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

> Tornado is a Python web framework and asynchronous networking library

- CVE History:
  - CVE-2012-2374, CVE-2013-2099, and CVE-2014-9720
    - developers responded swiftly
  - CVE-2020-28476 was misassigned and revoked
  - silent vulnerability fixes https://github.com/tornadoweb/tornado/issues/799
    - https://github.com/tornadoweb/tornado/releases/tag/v6.2.0
    - downstream cannot apply security fixes that they do not know about!
  - release notes are only tracked by GitHub tags
    - previously kept on project's website
    - difficult to track history
- Build-Depends?
  - notably python3-pycurl and python3-twisted
  - optional python3-pycares not included in package
- pre/post inst/rm scripts?
  - yes
    - postinst compiles code
    - prerm cleans up compiled code
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - 1,167 build tests for functionality
  - some autopkgtests
    - i386 failing due to dependencies
- cron jobs?
  - none
- Build logs:
  - trivial lintian warnings, needs cleaning

- Processes spawned?
  - most are in tests
  - exec_in's exec() seems fine, see bandit
  - Popen in autoreload.py and process.py are okay, isolated from the user
- Memory management?
  - appears fine
- File IO?
  - mostly in tests or demos
  - web.py's get_content() reads absolute paths
  - WebSocketHandler class has its own open function
  - file reads in template.py, options.py, process.py, locale.py are fine
- Logging?
  - many functions to log or raise errors, warnings, and debugging
  - httputil.py defines many error functions
  - logging is well defined in tornado documentation
- Environment variable usage?
  - mostly in wsgi.py
    - WSGIContainer defines its own environ()
  - autoreload.py calls os.environ["PYTHONPATH"]
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - http goes through python3-pycurl
  - websocket.py's magic value is part of standard
  - uses of SHA-1 in ETags and Sec-WebSocket-Accept are fine
  - uses of random in ETags, Sec-WebSocket-Accept, xsrf, and jitter are fine
- Use of temp files?
  - none
  - templates.py writes lines to temp buffer
- Use of networking?
  - http goes through python3-pycurl
  - heavy use
  - lots of inline comments
  - appears to comply with standards, is defensively written, and covers edge cases
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - none
- Any significant Coverity results?
  - none
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - _HTTPRequestContext class defaults to listening on 0.0.0.0 instead of localhost. Unsafe default.

This package should use dh_python.

Downstream developers using Tornado could easily create vulnerabilities in their projects via Tornado templates and exec calls. Dependents of Tornado should be audited for this.

Code is tidy. Developers are active.

Security team ACK for promoting python-tornado to main.
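The review above notes that Tornado's SHA-1 and random usage in the Sec-WebSocket-Accept handshake is fine. The following is an added example, not part of the review or of Tornado's code, that reimplements that RFC 6455 exchange with the Python standard library so the reasoning can be checked: the client nonce is random, the SHA-1 step is a protocol-mandated transform that only proves the peer understood the upgrade (collision resistance is not what protects anything here), and the server rejects malformed keys. The function names are my own.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# GUID fixed by RFC 6455 section 4.2.2; every conforming server uses this value.
WS_MAGIC_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def make_client_key() -> str:
    """Client side: a fresh 16-byte nonce, base64-encoded (RFC 6455 section 4.1)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def is_valid_client_key(key: str) -> bool:
    """Server side: Sec-WebSocket-Key must be valid base64 of exactly 16 bytes."""
    try:
        return len(base64.b64decode(key, validate=True)) == 16
    except (ValueError, TypeError):
        return False


def compute_accept(key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)).

    SHA-1 is dictated by the protocol.  The value is not a secret and is not
    defending against an adversary who can find collisions; it only lets the
    client confirm the server really performed a WebSocket upgrade.
    """
    digest = hashlib.sha1((key + WS_MAGIC_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def server_handshake(key: str) -> Optional[str]:
    """Server side: None means the upgrade request is rejected (400)."""
    if not is_valid_client_key(key):
        return None
    return compute_accept(key)


def client_verify(key: str, accept_header: str) -> bool:
    """Client side: recompute and compare in constant time."""
    return hmac.compare_digest(compute_accept(key), accept_header)


if __name__ == "__main__":
    key = make_client_key()
    accept = server_handshake(key)
    print(key, accept, client_verify(key, accept))
```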