Skip to content

Fix SetCookieHeaderValue.TryParse throwing ArgumentOutOfRangeException for Max-Age overflow #63323

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Aug 21, 2025
+36 −0
Merged

Fix SetCookieHeaderValue.TryParse throwing ArgumentOutOfRangeException for Max-Age overflow #63323

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
a35662c
Initial plan
Copilot Aug 18, 2025
767fe8e
Fix TimeSpan overflow in SetCookieHeaderValue.TryParse for Max-Age
Copilot Aug 19, 2025
f10d364
Simplify overflow handling using exception handling instead of manual…
Copilot Aug 19, 2025
3d23d0a
Revert to manual validation approach instead of try-catch for TimeSpa…
Copilot Aug 19, 2025
ecd9567
Update src/Http/Headers/src/SetCookieHeaderValue.cs
danmoseley Aug 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions src/Http/Headers/src/SetCookieHeaderValue.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -587,6 +587,16 @@ private static int GetSetCookieLength(StringSegment input, int startIndex, out S
maxAge = -maxAge;
}

// Check if maxAge would cause TimeSpan.FromSeconds to overflow
// TimeSpan.MaxValue.TotalSeconds is approximately 922337203685.4775
const long MaxTimeSpanSeconds = 922337203685L;
const long MinTimeSpanSeconds = -922337203685L;
if (maxAge is > MaxTimeSpanSeconds or < MinTimeSpanSeconds)
{
// MaxAge value would overflow TimeSpan, abort
return 0;
}

result.MaxAge = TimeSpan.FromSeconds(maxAge);
offset += itemLength;
}
Expand Down
26 changes: 26 additions & 0 deletions src/Http/Headers/test/SetCookieHeaderValueTest.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -486,4 +486,30 @@ public void SetCookieHeaderValue_TryParseStrictList_FailsForAnyInvalidValues(
Assert.Null(results);
Assert.False(result);
}

[Theory]
[InlineData("name=value; max-age=922337203686")] // One more than TimeSpan.MaxValue.TotalSeconds
[InlineData("name=value; max-age=999999999999999999999")] // Much larger value
[InlineData("name=value; max-age=-922337203686")] // Negative overflow
public void SetCookieHeaderValue_TryParse_MaxAgeOverflow_ReturnsFalse(string value)
{
// Should return false instead of throwing ArgumentOutOfRangeException
bool result = SetCookieHeaderValue.TryParse(value, out var parsedValue);
Assert.False(result);
Assert.Null(parsedValue);
}

[Theory]
[InlineData("name=value; max-age=922337203685")] // Max valid value
[InlineData("name=value; max-age=-922337203685")] // Min valid value
[InlineData("name=value; max-age=0")] // Zero
[InlineData("name=value; max-age=86400")] // One day in seconds
public void SetCookieHeaderValue_TryParse_MaxAgeValid_ReturnsTrue(string value)
{
// Should successfully parse valid max-age values
bool result = SetCookieHeaderValue.TryParse(value, out var parsedValue);
Assert.True(result);
Assert.NotNull(parsedValue);
Assert.NotNull(parsedValue!.MaxAge);
}
}
Loading