ibnemahdi / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

org.owasp.esapi.filters.SecurityWrapperResponse cookie size limits #149

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
RFC 2109 suggests that browsers implementing the cookie spec should be able to 
support cookies up to 4096 bytes.

http://www.w3.org/Protocols/rfc2109/rfc2109

However, SecurityWrapperResponse limits the length of cookies that can be set 
to 500 characters in the setHeader() method (which is ultimately called by 
setCookie()):

    public void setHeader(String name, String value) {
        try {
            String strippedName = StringUtilities.stripControls(name);
            String strippedValue = StringUtilities.stripControls(value);
            String safeName = ESAPI.validator().getValidInput("setHeader", strippedName, "HTTPHeaderName", 20, false);
            String safeValue = ESAPI.validator().getValidInput("setHeader", strippedValue, "HTTPHeaderValue", 500, false);
            getHttpServletResponse().setHeader(safeName, safeValue);
        } catch (ValidationException e) {
            logger.warning(Logger.SECURITY_FAILURE, "Attempt to set invalid header denied", e);
        }
    }

This method should not be modified to support headers up to 4096 chars. 

Original issue reported on code.google.com by augu...@gmail.com on 27 Sep 2010 at 9:29

GoogleCodeExporter commented 9 years ago
Proposed patch attached: 

- Added new key to ESAPI.properties: HttpUtilities.MaxHeaderSize=4096
- Added relevant methods in SecurityConfiguration, DefaultSecurityConfiguration 
and SecurityConfigurationWrapper to access this property
- Modified SecurityWrapperResponse to use this value when setting headers and 
cookies

Original comment by augu...@gmail.com on 27 Sep 2010 at 10:22

GoogleCodeExporter commented 9 years ago
Modified files committed to SVN.

Original comment by augu...@gmail.com on 27 Sep 2010 at 10:47