return None when a secure-cookie is forged

Frostman · Jul 3, 2012 · 1ca245f · 1ca245f
1 parent ed7030d
commit 1ca245f
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/tornado/web.py b/tornado/web.py
@@ -2046,6 +2046,7 @@ def decode_signed_value(secret, name, value, max_age_days=31):
         return None
     if parts[1].startswith(b("0")):
         logging.warning("Tampered cookie %r", value)
+        return None
     try:
         return base64.b64decode(parts[0])
     except Exception: