demba90 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
0 stars 0 forks source link

org.owasp.esapi.filters.SecurityWrapperResponse cookie size limits #149

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
RFC 2109 suggests that browsers implementing the cookie spec should be able to 
support cookies up to 4096 bytes.

http://www.w3.org/Protocols/rfc2109/rfc2109

However, SecurityWrapperResponse limits the length of cookies that can be set 
to 500 characters in the setHeader() method (which is ultimately called by 
setCookie()):

    public void setHeader(String name, String value) {
        try {
            String strippedName = StringUtilities.stripControls(name);
            String strippedValue = StringUtilities.stripControls(value);
            String safeName = ESAPI.validator().getValidInput("setHeader", strippedName, "HTTPHeaderName", 20, false);
            String safeValue = ESAPI.validator().getValidInput("setHeader", strippedValue, "HTTPHeaderValue", 500, false);
            getHttpServletResponse().setHeader(safeName, safeValue);
        } catch (ValidationException e) {
            logger.warning(Logger.SECURITY_FAILURE, "Attempt to set invalid header denied", e);
        }
    }

This method should not be modified to support headers up to 4096 chars. 

Original issue reported on code.google.com by augu...@gmail.com on 27 Sep 2010 at 9:29

GoogleCodeExporter commented 8 years ago
Proposed patch attached: 

- Added new key to ESAPI.properties: HttpUtilities.MaxHeaderSize=4096
- Added relevant methods in SecurityConfiguration, DefaultSecurityConfiguration 
and SecurityConfigurationWrapper to access this property
- Modified SecurityWrapperResponse to use this value when setting headers and 
cookies

Original comment by augu...@gmail.com on 27 Sep 2010 at 10:22

Attachments:

GoogleCodeExporter commented 8 years ago
Modified files committed to SVN.

Original comment by augu...@gmail.com on 27 Sep 2010 at 10:47