[Esapi-user] SecurityWrapperRequest.getHeaderValues doesn't handle cookies properly?

Luke Biddell luke.biddell at gmail.com
Tue Aug 30 12:07:28 EDT 2011


Good point - of course it's all the cookies.

I think ignoring the cookies here makes sense too. Shall I raise a change
request?

On 30 August 2011 16:31, Chris Schmidt <chrisisbeef at gmail.com> wrote:

> This is an interesting problem.
>
> Your solution will likely work in *most* cases, but the full cookie header
> can be much longer than 1000 characters because that header contains *all*
> of the cookies being sent with the request as opposed to a single cookie. It
> would be better IMHO to skip cookies from this method altogether, document
> it, and force the dev to use getCookies to reference the cookie-jar. I can't
> think of a single reason to parse the cookie header manually when it is a
> million times easier and more reliable to use the java servlet cookies
> framework to do so. This rule should also be applied to the responsewrapper
> as well.
>
> Sent from my iPwn
>
> On Aug 30, 2011, at 8:47 AM, Luke Biddell <luke.biddell at gmail.com> wrote:
>
> > Chaps,
> >
> > I think I've found a discrepancy in the handling of cookies within
> SecurityWrapperRequest.getHeaderValues.
> >
> > Every header value gets validated against HTTPHeaderValue, even the
> cookies. So a 150 char limit is applied to the cookies.
> >
> > Given that there's a specific validator pattern for HTTPCookieValue, I
> would have expected that to be applied instead. Indeed, when we addCookie we
> use the HTTPCookieValue validator and restrict length to 1000.
> >
> > Perhaps getHeaders might look something like this?
> >
> >
> > public Enumeration getHeaders(String name) {
> >     Vector<String> v = new Vector<String>();
> >     Enumeration en = hsReq.getHeaders(name);
> >     while (en.hasMoreElements()) {
> >         try {
> >             String value = (String) en.nextElement();
> >             if ("Cookie".equalsIgnoreCase(name)) {
> >                 // the Cookie header gets the cookie validator and the
> >                 // 1000-char limit that addCookie already uses
> >                 v.add(ESAPI.validator().getValidInput(
> >                         "HTTP cookie value: " + value, value,
> >                         "HTTPCookieValue", 1000, true));
> >             } else {
> >                 v.add(ESAPI.validator().getValidInput(
> >                         "HTTP header value (" + name + "): " + value, value,
> >                         "HTTPHeaderValue", 150, true));
> >             }
> >         } catch (ValidationException e) {
> >             // already logged
> >         }
> >     }
> >     return v.elements();
> > }
> >
> > I'm guessing the same might apply with HTTPHeaderName vs HTTPCookieName?
> Ideas welcome.
> >
> > Regards
> >
> > Luke
> > _______________________________________________
> > Esapi-user mailing list
> > Esapi-user at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/esapi-user
>
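As an added example of the alternative Chris proposes (this is not ESAPI's own code and not code posted by either participant): a request wrapper that withholds the Cookie header from getHeader/getHeaders and instead validates each cookie on its own in getCookies, so a long multi-cookie header is never measured against the 150-char HTTPHeaderValue limit. It assumes ESAPI 2.x and the Servlet API (2.5 or later) are on the classpath. The class name, the isCookieHeader helper, the decision to return null / an empty enumeration for the Cookie header, and the 150-char cookie-name limit are this example's own choices; the validator type names and the 150/1000 value limits are the ones the thread describes.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

/**
 * Example wrapper (hypothetical class, not part of ESAPI): the raw Cookie header
 * is never handed out through getHeader/getHeaders. Callers use getCookies(),
 * where each cookie name and value is validated separately with the cookie
 * validators and the cookie limits, not the 150-char header-value limit.
 */
public class CookieAwareRequestWrapper extends HttpServletRequestWrapper {

    // Limits as described in the thread: header values 150, cookie values 1000.
    // COOKIE_NAME_MAX is this example's own choice.
    private static final int HEADER_VALUE_MAX = 150;
    private static final int COOKIE_NAME_MAX = 150;
    private static final int COOKIE_VALUE_MAX = 1000;

    public CookieAwareRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    private static boolean isCookieHeader(String name) {
        return "Cookie".equalsIgnoreCase(name);
    }

    /** Cookie header is deliberately withheld: use getCookies() instead. */
    @Override
    public String getHeader(String name) {
        if (isCookieHeader(name)) {
            return null;
        }
        String value = super.getHeader(name);
        try {
            return ESAPI.validator().getValidInput(
                    "HTTP header value (" + name + "): " + value,
                    value, "HTTPHeaderValue", HEADER_VALUE_MAX, true);
        } catch (ValidationException e) {
            return null; // ESAPI has already logged the failure
        }
    }

    /** Same rule for multi-valued headers: an empty enumeration for Cookie. */
    @Override
    public Enumeration<String> getHeaders(String name) {
        List<String> clean = new ArrayList<String>();
        if (!isCookieHeader(name)) {
            Enumeration<?> raw = super.getHeaders(name);
            while (raw != null && raw.hasMoreElements()) {
                String value = (String) raw.nextElement();
                try {
                    clean.add(ESAPI.validator().getValidInput(
                            "HTTP header value (" + name + "): " + value,
                            value, "HTTPHeaderValue", HEADER_VALUE_MAX, true));
                } catch (ValidationException e) {
                    // already logged; only the offending value is dropped
                }
            }
        }
        return Collections.enumeration(clean);
    }

    /** Per-cookie validation: a bad cookie is dropped, the rest of the jar survives. */
    @Override
    public Cookie[] getCookies() {
        Cookie[] cookies = super.getCookies();
        List<Cookie> clean = new ArrayList<Cookie>();
        if (cookies != null) {
            for (Cookie c : cookies) {
                try {
                    String n = ESAPI.validator().getValidInput(
                            "Cookie name: " + c.getName(),
                            c.getName(), "HTTPCookieName", COOKIE_NAME_MAX, false);
                    String v = ESAPI.validator().getValidInput(
                            "Cookie value: " + c.getValue(),
                            c.getValue(), "HTTPCookieValue", COOKIE_VALUE_MAX, true);
                    clean.add(new Cookie(n, v)); // rebuilt from validated parts only
                } catch (ValidationException e) {
                    // already logged; skip just this cookie
                }
            }
        }
        return clean.toArray(new Cookie[clean.size()]);
    }
}
```

Because the whole Cookie header is never validated as a single string, its total length no longer matters; each cookie is checked against HTTPCookieName/HTTPCookieValue and the 1000-char limit that addCookie already applies. The response-side counterpart Chris mentions would be the mirror image: have the wrapper's setHeader/addHeader refuse a Set-Cookie header name and leave cookie emission to addCookie, which already runs the HTTPCookieValue validator.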