There is some historical ambiguity as to what the cookie value can contain. While there is a convention that the cookie value should be URL encoded, the specs don't seem to enforce this. lambda-api expects that the cookie value be a URL-encoded string. Any cookie containing a "%" character without a valid sequence will fail cookie decoding and can create an exception and a denial of service.
Fixing this is a bit tricky, as we would still want to correctly URL decode any standard cookie value while supporting non-standard ones. It might be worth discussing the correct solution here.
Some references I found regarding the permitted characters in a cookie value: