[Esapi-dev] org.owasp.esapi.filters.SecurityWrapperResponse cookie size limits
augustd
augustd at codemagi.com
Mon Sep 27 20:43:41 EDT 2010
Patch checked in to Google code.
-August
On Mon, Sep 27, 2010 at 3:24 PM, augustd <augustd at codemagi.com> wrote:
> Created issue #149 and attached a proposed patch for review.
>
> -August
>
>
> On Mon, Sep 27, 2010 at 2:44 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Can we make this configurable, August, and default ESAPI.properties to
>> 4096 for now?
>>
>>
>>
>> - Jim
>>
>>
>>
>> From: esapi-dev-bounces at lists.owasp.org [mailto:
>> esapi-dev-bounces at lists.owasp.org] On Behalf Of augustd
>> Sent: Monday, September 27, 2010 11:42 AM
>> To: ESAPI-Developers
>> Subject: Re: [Esapi-dev]
>> org.owasp.esapi.filters.SecurityWrapperResponse cookie size limits
>>
>>
>>
>> I've got a change ready to check in on this issue.
>>
>> New question: Do we want to limit the size of headers at all? I can't find
>> anything in the HTTP spec that indicates there is a maximum size for a
>> header, though it looks like Tomcat sets the maximum to 4096 by default:
>>
>> maxHttpHeaderSize: The maximum size of the request and response HTTP
>> header, specified in bytes. If not specified, this attribute is set to 4096
>> (4 KB).
>>
>> http://tomcat.apache.org/tomcat-5.5-doc/config/http.html
>>
>> Other servers may or may not restrict this as well.
>>
>> -August
>>
>>
>> On Mon, Sep 27, 2010 at 1:50 PM, Chris Schmidt <chrisisbeef at gmail.com>
>> wrote:
>>
>> I absolutely think this should be coded to spec and not configurable in
>> the RI.
>>
>> Sent from my iPwn
>>
>>
>> On Sep 27, 2010, at 1:31 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>> I think this should be a configurable value at best, or at least a hard
>> coded larger value as you suggest.
>>
>>
>>
>> August these are great findings - can you drop them in the Google code
>> issue tracker for us?
>>
>> -Jim Manico
>>
>> http://manico.net
>>
>>
>> On Sep 27, 2010, at 8:50 AM, augustd <augustd at codemagi.com> wrote:
>>
>> RFC 2109 suggests that browsers implementing the cookie spec should be
>> able to support cookies up to 4096 bytes.
>>
>> http://www.w3.org/Protocols/rfc2109/rfc2109
>>
>> However, SecurityWrapperResponse limits the length of cookies that can be
>> set to 500 characters in the setHeader() method (which is ultimately called
>> by setCookie()):
>>
>> public void setHeader(String name, String value) {
>>     try {
>>         String strippedName = StringUtilities.stripControls(name);
>>         String strippedValue = StringUtilities.stripControls(value);
>>         String safeName = ESAPI.validator().getValidInput("setHeader",
>>             strippedName, "HTTPHeaderName", 20, false);
>>         // 500-character cap on every header value, cookie headers included
>>         String safeValue = ESAPI.validator().getValidInput("setHeader",
>>             strippedValue, "HTTPHeaderValue", 500, false);
>>         getHttpServletResponse().setHeader(safeName, safeValue);
>>     } catch (ValidationException e) {
>>         logger.warning(Logger.SECURITY_FAILURE,
>>             "Attempt to set invalid header denied", e);
>>     }
>> }
>>
>> Is there any reason why this method should not be modified to support the
>> full cookie spec?
>>
>> Thanks,
>> August
>>
>> _______________________________________________
>> Esapi-dev mailing list
>> Esapi-dev at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-dev
>>
>
>
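The configurable limit Jim asks for, as an added example that is not ESAPI code and not the patch August checked in. The property key "HttpUtilities.MaxCookieHeaderBytes" is an assumption (ESAPI.properties does not define it), the 4096 default comes from RFC 2109, and the class has no servlet dependency so it runs on its own; the cookie values in main() are constructed test data.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Properties;

/**
 * Added example, not ESAPI code: a cookie-size check whose limit is read
 * from a properties file (default 4096) instead of being hard-coded at 500.
 */
public class CookieSizeCheck {

    // Hypothetical key; ESAPI.properties does not define this name.
    static final String LIMIT_KEY = "HttpUtilities.MaxCookieHeaderBytes";
    static final int DEFAULT_LIMIT = 4096; // RFC 2109: browsers should support at least 4096 bytes

    private final int maxBytes;

    public CookieSizeCheck(Properties props) {
        String raw = props.getProperty(LIMIT_KEY, Integer.toString(DEFAULT_LIMIT));
        int parsed;
        try {
            parsed = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            parsed = DEFAULT_LIMIT; // a malformed setting falls back to the spec value, never to 0
        }
        this.maxBytes = parsed > 0 ? parsed : DEFAULT_LIMIT;
    }

    public int getMaxBytes() { return maxBytes; }

    /** Serialise the Set-Cookie value: the whole string is what a header-length check measures. */
    static String setCookieValue(String name, String value, String path, boolean secure, boolean httpOnly) {
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (path != null) sb.append("; Path=").append(path);
        if (secure) sb.append("; Secure");
        if (httpOnly) sb.append("; HttpOnly");
        return sb.toString();
    }

    /** CR, LF and other controls are rejected rather than stripped: a stripped
     *  value silently changes meaning, a rejected one is logged and never sent. */
    static boolean hasControlChars(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c == 0x7F) return true;
        }
        return false;
    }

    /** Returns null when the header may be sent, otherwise the reason it was refused. */
    public String reject(String headerValue) {
        if (hasControlChars(headerValue)) return "control character in header value";
        // RFC 2109 counts bytes; measure the encoded form, not Java chars,
        // so a non-ASCII value cannot slip past a character-based limit.
        int bytes = headerValue.getBytes(StandardCharsets.UTF_8).length;
        if (bytes > maxBytes) return "header value is " + bytes + " bytes, limit " + maxBytes;
        return null;
    }

    static String repeat(char c, int n) {
        char[] buf = new char[n];
        Arrays.fill(buf, c);
        return new String(buf);
    }

    public static void main(String[] args) {
        String header = setCookieValue("JSESSIONID", repeat('x', 600), "/", true, true); // constructed

        Properties legacy = new Properties();
        legacy.setProperty(LIMIT_KEY, "500");            // today's hard-coded behaviour
        System.out.println("limit 500 : " + new CookieSizeCheck(legacy).reject(header));

        CookieSizeCheck spec = new CookieSizeCheck(new Properties()); // nothing set, default 4096
        System.out.println("limit 4096: " + spec.reject(header));

        // The limit covers name, '=', value and attributes, so a 4096-byte value alone is over it.
        String full = setCookieValue("big", repeat('y', 4096), "/", true, true);
        System.out.println("4096 value: " + spec.reject(full));

        // Header-splitting attempt: refused before any length arithmetic.
        System.out.println("CRLF      : " + spec.reject("a=b\r\nSet-Cookie: admin=1"));
    }
}
```

Two points worth keeping in mind when picking the number. The limit applies to the serialised Set-Cookie value, so a 4096-byte cookie value plus name and attributes already exceeds a 4096 limit; and the Tomcat setting quoted above caps the size of the whole response header block, not one header, so raising the per-cookie limit to 4096 without also raising maxHttpHeaderSize on the connector leaves no room for the other headers.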