[Esapi-user] SecurityWrapperRequest.getHeaderValues doesn't handle cookies properly?

Luke Biddell luke.biddell at gmail.com
Tue Aug 30 10:47:59 EDT 2011


Chaps,

I think I've found a discrepancy in the handling of cookies
within SecurityWrapperRequest.getHeaderValues.

Every header value gets validated against HTTPHeaderValue, even the cookies.
So a 150 char limit is applied to the cookies.

Given that there's a specific validator pattern for HTTPCookieValue, I would
have expected that to be applied instead. Indeed, when we addCookie we use
the HTTPCookieValue validator and restrict length to 1000.

Perhaps getHeaders might look something like this?


import java.util.Enumeration;
import java.util.Vector;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

// Proposed SecurityWrapperRequest.getHeaders(String): the Cookie header is
// checked with the HTTPCookieValue rule (1000 chars), every other header with
// the HTTPHeaderValue rule (150 chars), matching what addCookie already does.
// hsReq is the wrapped HttpServletRequest.
public Enumeration<String> getHeaders(String name) {
    Vector<String> v = new Vector<String>();
    Enumeration<?> en = hsReq.getHeaders(name);
    while (en.hasMoreElements()) {
        try {
            String value = (String) en.nextElement();
            if ("Cookie".equalsIgnoreCase(name)) {
                v.add(ESAPI.validator().getValidInput(
                        "HTTP cookie value: " + value, value,
                        "HTTPCookieValue", 1000, true));
            } else {
                v.add(ESAPI.validator().getValidInput(
                        "HTTP header value (" + name + "): " + value, value,
                        "HTTPHeaderValue", 150, true));
            }
        } catch (ValidationException e) {
            // already logged by the validator; the offending value is dropped
        }
    }
    return v.elements();
}

I'm guessing the same might apply with HTTPHeaderName vs HTTPCookieName?
Ideas welcome.

Regards

Luke
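The following is an added, stand-alone example (my own code, not ESAPI's and not part of Luke's post) of the per-header rule selection the post proposes, run against constructed header values so the effect of the two limits can be seen without a servlet container. The regexes for HTTPHeaderValue, HTTPCookieValue and HTTPCookieName and the 32-character cookie-name limit are assumptions modelled on the Validator.* entries in ESAPI.properties; the real values are whatever your deployment's ESAPI.properties contains. The rejectedCookiePairs helper goes beyond the post: it splits the Cookie header into name=value pairs and checks name and value with their own rules, which the post only hints at.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Standalone illustration, not ESAPI code: a per-header validation rule table
 * of the kind the post proposes, exercised on constructed header values.
 */
public class HeaderRuleDemo {

    /** A whitelist rule: allowed-character pattern plus a maximum length. */
    static final class Rule {
        final String name;
        final Pattern pattern;
        final int maxLength;

        Rule(String name, String regex, int maxLength) {
            this.name = name;
            this.pattern = Pattern.compile(regex);
            this.maxLength = maxLength;
        }

        boolean accepts(String value) {
            return value != null
                && value.length() <= maxLength
                && pattern.matcher(value).matches();
        }
    }

    // Assumed patterns and limits, modelled on ESAPI.properties; not the
    // authoritative values, which live in your own configuration.
    static final Rule HEADER_VALUE =
        new Rule("HTTPHeaderValue", "^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$", 150);
    static final Rule COOKIE_VALUE =
        new Rule("HTTPCookieValue", "^[a-zA-Z0-9\\-\\/+=_ ]*$", 1000);
    static final Rule COOKIE_NAME =
        new Rule("HTTPCookieName", "^[a-zA-Z0-9\\-_]{1,32}$", 32);

    /** Rule selection as proposed in the post: Cookie gets the cookie rule, all else the header rule. */
    static Rule ruleFor(String headerName) {
        return "Cookie".equalsIgnoreCase(headerName) ? COOKIE_VALUE : HEADER_VALUE;
    }

    /**
     * Hypothetical alternative (not in the post): split the Cookie header on ';'
     * into name=value pairs and validate name and value with their own rules.
     * Returns the pairs that failed; an empty list means the whole header passed.
     */
    static List<String> rejectedCookiePairs(String cookieHeader) {
        List<String> rejected = new ArrayList<String>();
        for (String pair : cookieHeader.split(";")) {
            String p = pair.trim();
            int eq = p.indexOf('=');
            String name = eq < 0 ? p : p.substring(0, eq);
            String value = eq < 0 ? "" : p.substring(eq + 1);
            if (!COOKIE_NAME.accepts(name) || !COOKIE_VALUE.accepts(value)) {
                rejected.add(p);
            }
        }
        return rejected;
    }

    /** String.repeat needs Java 11; this helper keeps the demo running on older JDKs. */
    static String repeat(char c, int n) {
        char[] buf = new char[n];
        Arrays.fill(buf, c);
        return new String(buf);
    }

    /** Print how the header rule, the cookie rule and the rule the post would pick treat one value. */
    static void report(String header, String value) {
        Rule chosen = ruleFor(header);
        System.out.printf("%-6s len=%-4d HTTPHeaderValue=%-5b HTTPCookieValue=%-5b -> %s:%b%n",
            header, value.length(),
            HEADER_VALUE.accepts(value), COOKIE_VALUE.accepts(value),
            chosen.name, chosen.accepts(value));
    }

    public static void main(String[] args) {
        // Constructed inputs
        String longSession = "JSESSIONID=" + repeat('A', 189);  // 200 chars: over the 150 header limit, under the 1000 cookie limit
        String twoCookies  = "JSESSIONID=abc123; theme=dark";    // two cookies separated by "; " as browsers send them
        String accept      = "text/html,application/xhtml+xml";  // an ordinary non-cookie header

        report("Cookie", longSession);
        report("Cookie", twoCookies);
        report("Accept", accept);

        // Per-pair validation: '%' is outside the assumed cookie-value character set
        System.out.println("per-pair rejects: " + rejectedCookiePairs(twoCookies));
        System.out.println("per-pair rejects: " + rejectedCookiePairs("sid=abc%3D12; ok=1"));
    }
}
```

Compile and run with javac HeaderRuleDemo.java && java HeaderRuleDemo. Two things are worth watching in the output. First, the 200-character single cookie is rejected by the header rule purely on length and accepted by the cookie rule, which is the discrepancy the post describes. Second, under the assumed patterns a Cookie header carrying several cookies contains the ';' separator, which the header rule allows but the cookie-value rule does not, so switching the whole header to HTTPCookieValue can reject every multi-cookie request; whether that bites depends on the exact Validator.HTTPCookieValue pattern in your ESAPI.properties, so check it before adopting the change, or validate per pair as rejectedCookiePairs does.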