[Esapi-dev] org.owasp.esapi.filters.SecurityWrapperResponse cookie size limits
Chris Schmidt
chrisisbeef at gmail.com
Mon Sep 27 16:50:24 EDT 2010
I absolutely think this should be coded to spec and not configurable in the ri.
Sent from my iPwn
On Sep 27, 2010, at 1:31 PM, Jim Manico <jim.manico at owasp.org> wrote:
> I think this should be a configurable value at best, or at least a hard coded larger value as you suggest.
>
> August, these are great findings - can you drop them in the Google code issue tracker for us?
>
> -Jim Manico
> http://manico.net
>
> On Sep 27, 2010, at 8:50 AM, augustd <augustd at codemagi.com> wrote:
>
>> RFC 2109 suggests that browsers implementing the cookie spec should be able to support cookies up to 4096 bytes.
>>
>> http://www.w3.org/Protocols/rfc2109/rfc2109
>>
>> However, SecurityWrapperResponse limits the length of cookies that can be set to 500 characters in the setHeader() method (which is ultimately called by setCookie()):
>>
>> public void setHeader(String name, String value) {
>>     try {
>>         String strippedName = StringUtilities.stripControls(name);
>>         String strippedValue = StringUtilities.stripControls(value);
>>         String safeName = ESAPI.validator().getValidInput("setHeader", strippedName, "HTTPHeaderName", 20, false);
>>         String safeValue = ESAPI.validator().getValidInput("setHeader", strippedValue, "HTTPHeaderValue", 500, false);
>>         getHttpServletResponse().setHeader(safeName, safeValue);
>>     } catch (ValidationException e) {
>>         logger.warning(Logger.SECURITY_FAILURE, "Attempt to set invalid header denied", e);
>>     }
>> }
>>
>> Is there any reason why this method should not be modified to support the full cookie spec?
>>
>> Thanks,
>> August
>> _______________________________________________
>> Esapi-dev mailing list
>> Esapi-dev at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-dev
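The 500-character header budget versus the 4096-byte RFC 2109 cookie limit discussed in the thread, as an added example that is not ESAPI code: a checker that measures the whole serialized Set-Cookie header in bytes against the RFC minimum. It assumes the javax.servlet Cookie API (Servlet 3.0 for isHttpOnly); the class name and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import javax.servlet.http.Cookie;

// Added example, not ESAPI code. It measures the whole serialized Set-Cookie
// header in bytes against the RFC 2109 minimum, instead of the 500-character
// "HTTPHeaderValue" budget that SecurityWrapperResponse.setHeader() applies.
public final class CookieSizeCheck {
    // RFC 2109 section 6.3: user agents should accept at least 4096 bytes per
    // cookie, measured over the whole cookie (name, value and attributes).
    public static final int RFC2109_MAX_COOKIE_BYTES = 4096;

    // Serializes the cookie as it appears on the wire: name=value plus attributes.
    public static String serialize(Cookie c) {
        StringBuilder sb = new StringBuilder(c.getName()).append('=').append(c.getValue());
        if (c.getDomain() != null) sb.append("; Domain=").append(c.getDomain());
        if (c.getPath() != null) sb.append("; Path=").append(c.getPath());
        if (c.getMaxAge() >= 0) sb.append("; Max-Age=").append(c.getMaxAge());
        if (c.getSecure()) sb.append("; Secure");
        if (c.isHttpOnly()) sb.append("; HttpOnly"); // Servlet 3.0 API
        return sb.toString();
    }

    // Cookies are ASCII on the wire, so count bytes, the RFC's unit, not Java chars.
    public static int wireSize(Cookie c) {
        return serialize(c).getBytes(StandardCharsets.US_ASCII).length;
    }

    public static boolean fitsRfc2109(Cookie c) {
        return wireSize(c) <= RFC2109_MAX_COOKIE_BYTES;
    }

    private static String filler(int n) {
        return new String(new char[n]).replace('\0', 'a');
    }

    public static void main(String[] args) {
        // Constructed sample: a 600-character value, over the 500-character budget
        // quoted in the thread but comfortably inside the RFC 2109 minimum.
        Cookie session = new Cookie("JSESSIONID", filler(600));
        session.setPath("/");
        session.setSecure(true);
        session.setHttpOnly(true);
        System.out.println(wireSize(session) + " bytes, fits RFC 2109: " + fitsRfc2109(session));

        // Constructed sample: a value that exceeds the RFC minimum before any attribute.
        Cookie oversized = new Cookie("blob", filler(4100));
        System.out.println(wireSize(oversized) + " bytes, fits RFC 2109: " + fitsRfc2109(oversized));
    }
}
```

Compile against a Servlet 3.0 (or later) API jar; the first cookie is rejected by the 500-character check on the page yet passes the RFC budget, while the second fails both.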