[Esapi-user] SecurityWrapperRequest.getHeaderValues doesn't handle cookies properly?

Luke Biddell luke.biddell at gmail.com
Tue Aug 30 10:47:59 EDT 2011


I think I've found a discrepancy in the handling of cookies
within SecurityWrapperRequest.getHeaderValues.

Every header value gets validated against HTTPHeaderValue, even the cookies.
So a 150 char limit is applied to the cookies.

Given that there's a specific validator pattern for HTTPCookieValue, I would
have expected that to be applied instead. Indeed, when we addCookie we use
the HTTPCookieValue validator and restrict length to 1000.

Perhaps getHeaders might look something like this?

public Enumeration getHeaders(String name) {
    Vector<String> v = new Vector<String>();
    Enumeration en = hsReq.getHeaders(name);
    while (en.hasMoreElements()) {
        try {
            String value = (String) en.nextElement();
            if ("Cookie".equalsIgnoreCase(name)) {
                // Cookie header: use the cookie validator and the 1000 char limit that addCookie applies
                v.add(ESAPI.validator().getValidInput("HTTP cookie value: " + value,
                        value, "HTTPCookieValue", 1000, true));
            } else {
                // Every other header: keep the existing header validator and 150 char limit
                v.add(ESAPI.validator().getValidInput("HTTP header value (" + name + "): " + value,
                        value, "HTTPHeaderValue", 150, true));
            }
        } catch (ValidationException e) {
            // already logged
        }
    }
    return v.elements();
}

I'm guessing the same might apply with HTTPHeaderName vs HTTPCookieName?
Ideas welcome.

