RFC 6265bis: Truncating cookie values may enable attack #1531
Comments
Reject cookies with any CTL characters, instead of truncating them. Addresses #1531. Co-authored-by: Lily Chen <chlily@google.com>
This excludes HTAB (%x09) from the CTL characters that normally cause cookie rejection. HTAB is considered whitespace and is handled separately at a later step in the algorithm. Related to #1531
Thanks @chlily1! Do you know if tests have been updated as well and implementation bugs have been filed against browsers that do not do this (yet)?
@annevk I just submitted for review an update to the tests, and will soon file bugs based on the findings from running those. I'll post back here with links to any tickets I open. Thanks for asking about this. For reference: web-platform-tests/wpt#29965
@annevk FYI, here are the corresponding bugs:
Thanks @recvfrom for your work on this!
This should have been included in e87cd77
https://bugs.webkit.org/show_bug.cgi?id=239966
<rdar://92300855>

Reviewed by Chris Dumez.

This reflects a change in httpwg/http-extensions#1531

* web-platform-tests/cookies/name/name-ctl-expected.txt:
* web-platform-tests/cookies/name/name-ctl.html:
* web-platform-tests/cookies/resources/cookie-test.js:
* web-platform-tests/cookies/value/value-ctl-expected.txt:
* web-platform-tests/cookies/value/value-ctl.html:
* web-platform-tests/html/dom/documents/resource-metadata-management/document-cookie-expected.txt:
* web-platform-tests/html/dom/documents/resource-metadata-management/document-cookie.html:

Canonical link: https://commits.webkit.org/250188@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@293691 268f45cc-cd09-0410-ab3c-d52691b4dbfc
…ttps://github.com/httpwg/http…, a=testonly Automatic update from web-platform-tests Update document.cookie test to reflect httpwg/http-extensions#1531 (#33898) This should have been included in e87cd7738787efea77b379fb594a2c3d8a676e9f -- wpt-commits: bd1da4818624af1b890daf7842a48fbdd6a27a04 wpt-pr: 33898
In #1420, RFC 6265bis was modified to specify truncation of set-cookie-lines at the first {CR, LF, NUL} byte. This is consistent with Chrome's current behavior.
@annevk points out that this may enable an attack where an attacker may inject a CR, LF, or NUL byte into a cookie value to cause its truncation, thus changing the value of the cookie.
Investigate interop/web compatibility and consider rejecting all cookies containing any control character (rather than truncating).
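The two behaviours discussed in this issue, side by side, as an added example that is not part of the issue thread, the RFC text or any browser's code. The function names, the minimal name/value split and the sample set-cookie-lines are constructed for illustration.

```javascript
// CTL characters are %x00-1F and %x7F. HTAB (%x09) is left out of the
// rejecting set because it is handled as whitespace at a later step.
function hasRejectingCtl(line) {
  for (const ch of line) {
    const c = ch.codePointAt(0);
    if ((c <= 0x1f && c !== 0x09) || c === 0x7f) return true;
  }
  return false;
}

// Behaviour specified in #1420: cut the line at the first CR, LF or NUL.
function truncateAtCrLfNul(line) {
  const i = line.search(/[\r\n\0]/);
  return i === -1 ? line : line.slice(0, i);
}

function trimWsp(s) {
  return s.replace(/^[ \t]+|[ \t]+$/g, "");
}

// Simplified name/value split (assumption: attributes after ';' are ignored),
// just enough to compare what each policy ends up storing.
function nameValue(line) {
  const pair = line.split(";")[0];
  const eq = pair.indexOf("=");
  if (eq === -1) return { name: "", value: trimWsp(pair) };
  return { name: trimWsp(pair.slice(0, eq)), value: trimWsp(pair.slice(eq + 1)) };
}

// Truncating policy: the cookie is stored, but with a shortened value.
function parseTruncating(line) {
  return nameValue(truncateAtCrLfNul(line));
}

// Rejecting policy: any CTL other than HTAB causes the whole cookie to be ignored.
function parseRejecting(line) {
  return hasRejectingCtl(line) ? null : nameValue(line);
}

// Constructed sample lines: embedded LF, embedded NUL, trailing HTAB, clean.
const samples = ["id=abc\ndef; Secure", "id=abc\0def", "id=abc\t; Path=/", "id=abcdef"];
for (const s of samples) {
  console.log(JSON.stringify(s), parseTruncating(s), parseRejecting(s));
}
```

With truncation, the first two samples are stored as `id=abc`, a different value from the one that was sent; with rejection they are not stored at all, while the HTAB sample is still accepted.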