cookies: reject oversized cookies #1894

Closed

Owner

bagder commented Sep 17, 2017

... instead of truncating them.

There's no fixed limit for acceptable cookie names in RFC 6265, but the
entire cookie is said to be less than 4096 bytes (section 6.1).

Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html
Reported-by: Kevin Smith

Owner

bagder commented Sep 18, 2017

The travis failure is not because of the patch.

I will however make sure the code also refuses truncated content, and we should check to see what the max cookie name size some popular browsers use so that we don't reject cookies that are generally accepted.

cookies: reject oversized cookies
... instead of truncating them.

There's no fixed limit for acceptable cookie names in RFC 6265, but the
entire cookie is said to be less than 4096 bytes (section 6.1). This is
also what browsers seem to implement.

We now allow max 5000 bytes cookie header. Max 4095 bytes length per
cookie name and value. Name + value together may not exceed 4096 bytes.

Added test 1151 to verify

Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html
Reported-by: Kevin Smith
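The limits the commit message lists (5000-byte header line, 4095 bytes for each of name and value, 4096 bytes for name and value together) can be checked up front so that an oversized cookie is rejected whole rather than silently truncated. The following is an added example written for this thread; it is not curl's `cookie.c` code, and the function names (`check_cookie_size`, `check_synthetic`), the enum and the macro names are illustrative choices. It only inspects the leading `name=value` pair of a Set-Cookie body and ignores the attributes after the first `;`.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits as stated in the commit message above (added example, not curl's
 * own code or macro names). */
#define MAX_COOKIE_LINE 5000   /* whole Set-Cookie header body            */
#define MAX_NAME_VALUE  4095   /* name and value, each taken separately   */
#define MAX_PAIR        4096   /* name + value together                   */

enum cookie_verdict {
    COOKIE_OK = 0,
    COOKIE_LINE_TOO_LONG,
    COOKIE_NAME_TOO_LONG,
    COOKIE_VALUE_TOO_LONG,
    COOKIE_PAIR_TOO_LONG,
    COOKIE_NO_EQUALS      /* no '=' in the pair; left to other handling */
};

/* Size-check the leading name=value pair of a Set-Cookie header body.
 * Returns COOKIE_OK only when every limit holds; the caller is expected
 * to drop the cookie on any other verdict instead of cutting it short.
 * Optionally reports the measured lengths through name_len/value_len. */
enum cookie_verdict check_cookie_size(const char *line,
                                      size_t *name_len, size_t *value_len)
{
    size_t linelen = strlen(line);
    if(linelen > MAX_COOKIE_LINE)
        return COOKIE_LINE_TOO_LONG;

    /* the cookie pair ends at the first ';'; attributes follow it */
    const char *semi = strchr(line, ';');
    size_t pairlen = semi ? (size_t)(semi - line) : linelen;

    /* the name is everything before the first '=' inside the pair */
    const char *eq = memchr(line, '=', pairlen);
    if(!eq)
        return COOKIE_NO_EQUALS;

    size_t nlen = (size_t)(eq - line);
    size_t vlen = pairlen - nlen - 1;   /* minus the '=' itself */
    if(name_len)
        *name_len = nlen;
    if(value_len)
        *value_len = vlen;

    if(nlen > MAX_NAME_VALUE)
        return COOKIE_NAME_TOO_LONG;
    if(vlen > MAX_NAME_VALUE)
        return COOKIE_VALUE_TOO_LONG;
    if(nlen + vlen > MAX_PAIR)
        return COOKIE_PAIR_TOO_LONG;
    return COOKIE_OK;
}

/* Build a constructed cookie "aaa...=bbb...; Path=/" with the requested
 * name and value lengths and run it through the check. */
enum cookie_verdict check_synthetic(size_t nlen, size_t vlen)
{
    const char *attr = "; Path=/";
    size_t total = nlen + 1 + vlen + strlen(attr);
    char *buf = malloc(total + 1);
    if(!buf)
        return COOKIE_LINE_TOO_LONG;   /* treat allocation failure as reject */
    memset(buf, 'a', nlen);
    buf[nlen] = '=';
    memset(buf + nlen + 1, 'b', vlen);
    strcpy(buf + nlen + 1 + vlen, attr);
    enum cookie_verdict v = check_cookie_size(buf, NULL, NULL);
    free(buf);
    return v;
}

int main(void)
{
    /* constructed inputs: one at the limit, three just over it */
    printf("4095=1     -> %d (0 means accepted)\n", check_synthetic(4095, 1));
    printf("4096=1     -> %d\n", check_synthetic(4096, 1));
    printf("2048=2049  -> %d\n", check_synthetic(2048, 2049));
    printf("4000=1000  -> %d\n", check_synthetic(4000, 1000));
    return 0;
}
```

The checks are ordered so that the cheapest whole-line test runs first, and a cookie that fails any of them is refused as a unit; nothing is written to the cookie jar from a partially parsed pair.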
Owner

jay commented Sep 18, 2017

Chrome 61.0.3163.79 entire cookie (name=value) has a max length of 4096 and discards larger lengths.

edit: I see you were asking about the name specifically. You can have a name of 4094 in Chrome.

Owner

bagder commented Sep 18, 2017

Right, thanks. I noticed that Firefox has very similar logic as Chrome when it comes to the maximum cookie length. I used that as basis for selecting the curl limits used in the updated patch.

@bagder bagder closed this in 2bc230d Sep 18, 2017

@bagder bagder deleted the bagder/reject-oversized-cookies branch Sep 18, 2017
