[Esapi-user] SecurityWrapperRequest.getHeaderValues doesn't handle cookies properly?

Chris Schmidt chrisisbeef at gmail.com
Tue Aug 30 11:31:53 EDT 2011


This is an interesting problem. 

Your solution will likely work in *most* cases, but the full cookie header can be much longer than 1000 characters because that header contains *all* of the cookies being sent with the request as opposed to a single cookie. It would be better IMHO to skip cookies from this method altogether, document it, and force the dev to use getCookies to reference the cookie-jar. I can't think of a single reason to parse the cookie header manually when it is a million times easier and more reliable to use the java servlet cookies framework to do so. This rule should also be applied to the response wrapper as well.

Sent from my iPwn

On Aug 30, 2011, at 8:47 AM, Luke Biddell <luke.biddell at gmail.com> wrote:

> Chaps,
> 
> I think I've found a discrepancy in the handling of cookies within SecurityWrapperRequest.getHeaderValues.
> 
> Every header value gets validated against HTTPHeaderValue, even the cookies. So a 150 char limit is applied to the cookies.
> 
> Given that there's a specific validator pattern for HTTPCookieValue, I would have expected that to be applied instead. Indeed, when we addCookie we use the HTTPCookieValue validator and restrict length to 1000.
> 
> Perhaps getHeaders might look something like this?
> 
> 
> public Enumeration getHeaders(String name) {
>     Vector<String> v = new Vector<String>();
>     Enumeration en = hsReq.getHeaders(name);
>     while (en.hasMoreElements()) {
>         try {
>             String value = (String) en.nextElement();
>             if ("Cookie".equalsIgnoreCase(name)) {
>                 // Cookie header: apply the HTTPCookieValue pattern and the
>                 // 1000-char limit that addCookie already uses
>                 v.add(ESAPI.validator().getValidInput("HTTP cookie value: " + value, value,
>                         "HTTPCookieValue", 1000, true));
>             } else {
>                 // every other header: existing HTTPHeaderValue pattern, 150-char limit
>                 v.add(ESAPI.validator().getValidInput("HTTP header value (" + name + "): " + value, value,
>                         "HTTPHeaderValue", 150, true));
>             }
>         } catch (ValidationException e) {
>             // already logged
>         }
>     }
>     return v.elements();
> }
> 
> I'm guessing the same might apply with HTTPHeaderName vs HTTPCookieName? Ideas welcome.
> 
> Regards 
> 
> Luke
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
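
The following is an added, stand-alone illustration of the two points made in this thread (the length-limit mismatch Luke reports, and Chris's objection that a per-header limit is wrong for Cookie because the header is the whole jar). It is not code from the thread or from ESAPI. The regex patterns are assumptions approximating the Validator.HTTPCookieName, HTTPCookieValue and HTTPHeaderValue defaults in ESAPI.properties (check your own configuration), the 150/1000 limits are the ones quoted above, the sample cookie headers are constructed, and splitCookiePairs is a deliberately minimal stand-in for what the servlet container does in request.getCookies().

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example (not ESAPI code). Shows why validating the raw Cookie header
 * with a single length limit rejects legitimate requests, while validating
 * each cookie from the servlet cookie jar does not.
 */
public class CookieHeaderLimits {

    // Assumed to approximate the ESAPI.properties defaults; verify against your config.
    static final Pattern COOKIE_NAME  = Pattern.compile("^[a-zA-Z0-9\\-_]{1,32}$");
    static final Pattern COOKIE_VALUE = Pattern.compile("^[a-zA-Z0-9\\-/+=_ ]*$");
    static final Pattern HEADER_VALUE = Pattern.compile("^[a-zA-Z0-9()\\-=\\*\\.\\?;,+/:&_ ]*$");

    static final int HEADER_VALUE_MAX = 150;  // limit getHeaders() applies to every header today
    static final int COOKIE_VALUE_MAX = 1000; // limit addCookie() applies to one cookie value

    /** Whole-header check: what happens when Cookie is treated like any other header. */
    static boolean wholeHeaderAccepted(String rawCookieHeader, int maxLength) {
        return rawCookieHeader.length() <= maxLength
            && HEADER_VALUE.matcher(rawCookieHeader).matches();
    }

    /**
     * Minimal split of a Cookie header into name/value pairs ("; " separated per
     * RFC 6265). In a servlet you would not write this: request.getCookies() does it.
     */
    static List<String[]> splitCookiePairs(String rawCookieHeader) {
        List<String[]> pairs = new ArrayList<>();
        for (String pair : rawCookieHeader.split(";")) {
            pair = pair.trim();
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name  = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? ""   : pair.substring(eq + 1);
            pairs.add(new String[] { name, value });
        }
        return pairs;
    }

    /** Per-cookie validation: returns the names of cookies that fail; the rest stay usable. */
    static List<String> rejectedCookies(String rawCookieHeader) {
        List<String> rejected = new ArrayList<>();
        for (String[] pair : splitCookiePairs(rawCookieHeader)) {
            String name = pair[0], value = pair[1];
            boolean ok = COOKIE_NAME.matcher(name).matches()
                      && value.length() <= COOKIE_VALUE_MAX
                      && COOKIE_VALUE.matcher(value).matches();
            if (!ok) rejected.add(name);
        }
        return rejected;
    }

    static String filler(int n) {
        char[] c = new char[n];
        Arrays.fill(c, 'A');
        return new String(c);
    }

    public static void main(String[] args) {
        // Constructed sample: five ordinary cookies of 200 characters each. Each is far
        // below the 1000-char cookie limit, but together the header is 1023 characters.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 5; i++) {
            if (i > 0) sb.append("; ");
            sb.append("c").append(i).append('=').append(filler(200));
        }
        String header = sb.toString();

        System.out.println("Cookie header length                : " + header.length());
        System.out.println("accepted with 150-char header limit : " + wholeHeaderAccepted(header, HEADER_VALUE_MAX));
        System.out.println("accepted with 1000-char header limit: " + wholeHeaderAccepted(header, COOKIE_VALUE_MAX));
        System.out.println("cookies rejected individually       : " + rejectedCookies(header));

        // Constructed sample: one cookie with characters the value pattern does not allow,
        // sitting among good ones. Whole-header validation discards the entire jar;
        // per-cookie validation drops only the offending cookie.
        String mixed = "session=abc123; evil=<script>; theme=dark";
        System.out.println("mixed header accepted as a whole    : " + wholeHeaderAccepted(mixed, HEADER_VALUE_MAX));
        System.out.println("mixed header, cookies rejected      : " + rejectedCookies(mixed));
    }
}
```

Run with javac/java; no ESAPI or servlet jars are needed. The first sample is rejected by the whole-header check at both 150 and 1000 characters yet has no individually invalid cookie, which is Chris's point about the header being the sum of the jar; the second shows the other benefit of going through getCookies with per-cookie name/value validation, namely that one bad cookie does not take the session cookie down with it.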
