RFC 6265bis: Truncating cookie values may enable attack #1531

Closed
chlily1 opened this issue Jun 4, 2021 · 5 comments
chlily1 commented Jun 4, 2021

In #1420, RFC 6265bis was modified to specify truncation of set-cookie-lines at the first {CR, LF, NUL} byte. This is consistent with Chrome's current behavior.

@annevk points out that this may enable an attack where an attacker may inject a CR, LF, or NUL byte into a cookie value to cause its truncation, thus changing the value of the cookie.

Investigate interop/web compatibility and consider rejecting all cookies containing any control character (rather than truncating).

@chlily1 chlily1 added the 6265bis label Jun 4, 2021
@chlily1 chlily1 self-assigned this Jun 4, 2021
chlily1 added a commit that referenced this issue Jul 20, 2021
Reject cookies with any CTL characters, instead of truncating them. Addresses #1531.

Co-authored-by: Lily Chen <chlily@google.com>
chlily1 added a commit that referenced this issue Aug 4, 2021
This excludes HTAB (%x09) from the CTL characters that normally cause cookie rejection. HTAB is considered whitespace and is handled separately at a later step in the algorithm. Related to #1531
chlily1 added a commit that referenced this issue Aug 5, 2021
This excludes HTAB (%x09) from the CTL characters that normally cause cookie rejection. HTAB is considered whitespace and is handled separately at a later step in the algorithm. Related to #1531
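
The two behaviours discussed in this issue, side by side, as an added example that is not part of the issue, the spec text, or any browser's code. The function names are hypothetical, the sample lines are constructed, and only the name=value pair is parsed (attributes are ignored).

```javascript
// Earlier behaviour described in the issue: cut the set-cookie-line at the
// first CR, LF or NUL byte and keep parsing whatever precedes it.
function parseTruncating(line) {
  const cut = line.search(/[\r\n\0]/);
  return parsePair(cut === -1 ? line : line.slice(0, cut));
}

// Behaviour after the fix: any CTL (%x00-08 / %x0A-1F / %x7F, that is every
// control character except HTAB %x09) makes the whole cookie be ignored.
const CTL_EXCEPT_HTAB = /[\x00-\x08\x0A-\x1F\x7F]/;
function parseRejecting(line) {
  if (CTL_EXCEPT_HTAB.test(line)) return null; // rejected, nothing is stored
  return parsePair(line);
}

// Simplified name=value extraction shared by both variants (assumption:
// attributes after the first ";" are not needed for this comparison).
function parsePair(line) {
  const pair = line.split(";")[0];
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq);
  const value = eq === -1 ? pair : pair.slice(eq + 1);
  // HTAB and SP are whitespace and are trimmed here, not treated as CTLs.
  const trim = (s) => s.replace(/^[ \t]+|[ \t]+$/g, "");
  return { name: trim(name), value: trim(value) };
}

// Constructed sample lines: a NUL, a CR, a trailing HTAB, and a clean value.
const SAMPLES = ["id=abc\0def; Path=/", "id=abc\rdef", "id=abc\t; Path=/", "id=abcdef"];

// Returns, per sample, what each variant would store (null means rejected).
function compare(lines) {
  return lines.map((line) => ({
    line: JSON.stringify(line),
    truncating: parseTruncating(line),
    rejecting: parseRejecting(line),
  }));
}

for (const row of compare(SAMPLES)) {
  console.log(row.line, "truncating:", row.truncating, "rejecting:", row.rejecting);
}
```

With truncation the first two samples are stored as `id=abc`, a value the sender never intended to set; with rejection they are dropped, while the HTAB and clean samples are stored unchanged apart from whitespace trimming.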

chlily1 commented Aug 5, 2021

Addressed by #1576 and #1589.

@chlily1 chlily1 closed this as completed Aug 5, 2021

annevk commented Aug 6, 2021

Thanks @chlily1! Do you know if tests have been updated as well and implementation bugs have been filed against browsers that do not do this (yet)?


recvfrom commented Aug 10, 2021

@annevk I just submitted for review an update to the tests, and will soon file bugs based on the findings from running those. I'll post back here with links to any tickets I open. Thanks for asking about this.

For reference: web-platform-tests/wpt#29965

annevk commented Aug 30, 2021

Thanks @recvfrom for your work on this!

achristensen07 added a commit to achristensen07/wpt that referenced this issue May 2, 2022
cdumez pushed a commit to web-platform-tests/wpt that referenced this issue May 2, 2022
webkit-commit-queue pushed a commit to WebKit/WebKit that referenced this issue May 2, 2022
https://bugs.webkit.org/show_bug.cgi?id=239966
<rdar://92300855>

Reviewed by Chris Dumez.

This reflects a change in httpwg/http-extensions#1531

* web-platform-tests/cookies/name/name-ctl-expected.txt:
* web-platform-tests/cookies/name/name-ctl.html:
* web-platform-tests/cookies/resources/cookie-test.js:
* web-platform-tests/cookies/value/value-ctl-expected.txt:
* web-platform-tests/cookies/value/value-ctl.html:
* web-platform-tests/html/dom/documents/resource-metadata-management/document-cookie-expected.txt:
* web-platform-tests/html/dom/documents/resource-metadata-management/document-cookie.html:

Canonical link: https://commits.webkit.org/250188@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@293691 268f45cc-cd09-0410-ab3c-d52691b4dbfc
moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this issue May 16, 2022
…ttps://github.com/httpwg/http…, a=testonly

Automatic update from web-platform-tests
Update document.cookie test to reflect httpwg/http-extensions#1531 (#33898)

This should have been included in e87cd7738787efea77b379fb594a2c3d8a676e9f
--

wpt-commits: bd1da4818624af1b890daf7842a48fbdd6a27a04
wpt-pr: 33898
jamienicol pushed a commit to jamienicol/gecko that referenced this issue May 25, 2022
…ttps://github.com/httpwg/http…, a=testonly

Automatic update from web-platform-tests
Update document.cookie test to reflect httpwg/http-extensions#1531 (#33898)

This should have been included in e87cd7738787efea77b379fb594a2c3d8a676e9f
--

wpt-commits: bd1da4818624af1b890daf7842a48fbdd6a27a04
wpt-pr: 33898