[Esapi-dev] org.owasp.esapi.filters.SecurityWrapperResponse cookie size limits

Jim Manico jim.manico at owasp.org
Tue Sep 28 19:31:25 EDT 2010


I think length checking and regex verification should be split out for clarity, but that's just me.


- Jim 


From: Jeff Williams [mailto:jeff.williams at owasp.org] 
Sent: Tuesday, September 28, 2010 1:35 AM
To: Chris Schmidt
Cc: Jim Manico; ESAPI-Developers
Subject: Re: [Esapi-dev] org.owasp.esapi.filters.SecurityWrapperResponse cookie size limits


We should allow organizations to set a value that is more restrictive than the spec if they desire. But I'm not crazy about having both a length and a regex that could also have a length. Thoughts?

--Jeff



On Sep 27, 2010, at 4:50 PM, Chris Schmidt <chrisisbeef at gmail.com> wrote:

I absolutely think this should be coded to spec and not configurable in the RI.

Sent from my iPwn


On Sep 27, 2010, at 1:31 PM, Jim Manico <jim.manico at owasp.org> wrote:

I think this should be a configurable value at best, or at least a hard coded larger value as you suggest.


August, these are great findings - can you drop them in the Google Code issue tracker for us?

-Jim Manico

http://manico.net


On Sep 27, 2010, at 8:50 AM, augustd <augustd at codemagi.com> wrote:

RFC 2109 suggests that browsers implementing the cookie spec should be able to support cookies up to 4096 bytes.

http://www.w3.org/Protocols/rfc2109/rfc2109

However, SecurityWrapperResponse limits the length of cookies that can be set to 500 characters in the setHeader() method (which is ultimately called by setCookie()):

    public void setHeader(String name, String value) {
        try {
            // Drop control characters (CR/LF etc.) so a value cannot split into a second header
            String strippedName = StringUtilities.stripControls(name);
            String strippedValue = StringUtilities.stripControls(value);
            // Validate against the configured regexes; the last-but-one argument is the max length
            String safeName = ESAPI.validator().getValidInput("setHeader", strippedName, "HTTPHeaderName", 20, false);
            String safeValue = ESAPI.validator().getValidInput("setHeader", strippedValue, "HTTPHeaderValue", 500, false);
            getHttpServletResponse().setHeader(safeName, safeValue);
        } catch (ValidationException e) {
            // Validation failure: the header is silently dropped and a security warning is logged
            logger.warning(Logger.SECURITY_FAILURE, "Attempt to set invalid header denied", e);
        }
    }

Is there any reason why this method should not be modified to support the full cookie spec?

Thanks,
August 
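The shape the thread converges on (control-character stripping, a length check that an organization may tighten but not raise above the RFC 2109 size, and a separate character-class check), shown as an added illustration rather than ESAPI's own code; the class name, method names and the header-value pattern are assumptions:

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/** Hypothetical example, not part of ESAPI: cookie header checks split by concern. */
public final class CookieHeaderCheck {
    /** Ceiling from RFC 2109: browsers should support cookies of at least 4096 bytes. */
    public static final int RFC2109_MAX_COOKIE_BYTES = 4096;
    /** Assumed header-value pattern: printable ASCII plus tab, no CR or LF. */
    private static final Pattern HEADER_VALUE = Pattern.compile("^[\\x20-\\x7E\\t]*$");

    private CookieHeaderCheck() {}

    /** Remove CR, LF and other control characters so a value cannot start a second header line. */
    public static String stripControls(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (c >= 0x20 && c != 0x7F) {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Length check only: a configured limit may be tighter than the spec, never looser. */
    public static boolean withinLength(String value, int configuredMax) {
        int max = Math.min(configuredMax, RFC2109_MAX_COOKIE_BYTES);
        return value.getBytes(StandardCharsets.US_ASCII).length <= max;
    }

    /** Character-class check only, independent of any length limit. */
    public static boolean matchesPattern(String value) {
        return HEADER_VALUE.matcher(value).matches();
    }

    public static void main(String[] args) {
        // Constructed sample: a 608-byte cookie value, legal under RFC 2109 (Java 11+ for repeat)
        String cookie = "session=" + "a".repeat(600);
        // Constructed sample: a value carrying CRLF, which stripping must neutralise
        String withCrlf = "id=1\r\nX-Injected: 1";
        String cleaned = stripControls(withCrlf);
        System.out.println("608-byte cookie under a 500 limit:  " + withinLength(cookie, 500));
        System.out.println("608-byte cookie under the RFC limit: " + withinLength(cookie, 4096));
        System.out.println("cleaned value passes pattern check:  " + matchesPattern(cleaned));
        System.out.println("cleaned value: " + cleaned);
    }
}
```

Running it shows the same 608-byte value being refused by a 500-character limit and accepted under the RFC 2109 ceiling, which is the gap August's report describes.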

_______________________________________________
Esapi-dev mailing list
Esapi-dev at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/esapi-dev
