[Webkit-unassigned] [Bug 229088] New: Ensure cookies that contain control characters are handled according to the spec
bugzilla-daemon at webkit.org
Fri Aug 13 11:12:09 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=229088
Bug ID: 229088
Summary: Ensure cookies that contain control characters are handled according to the spec
Product: WebKit
Version: Safari 14
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: awillia at google.com
The latest draft of RFC6265bis has changed recently such that tab characters are allowed in cookies but all other characters should cause the whole cookie line to be discarded. From 'The Set-Cookie Header Field' section:
    1. If the set-cookie-string contains a %x00-08 / %x0A-1F / %x7F character (CTL characters excluding HTAB): Abort these steps and ignore the set-cookie-string entirely.
and from the 'Storage Model' section:
    3. If the cookie-name or the cookie-value contains a %x00-08 / %x0A-1F / %x7F character (CTL characters excluding HTAB), abort these steps and ignore the cookie entirely.
From some testing using document.cookie in Safari, it looks like all control characters except the tab character cause the cookie to be rejected if present in the name and cause the rest of the cookie line to be truncated if present in the value. To conform to the spec, it'd be ideal if all control characters except tabs anywhere in a cookie line (for cookie lines from document.cookie or in Set-Cookie headers) caused the cookie to be rejected.
For reference, I used variations of the following for testing (which also demonstrates the motivation behind not having control characters truncate):
// Runs in a browser page; document.cookie is not available under Node.
function getCtlCharacters() {
  // %x00-1F plus DEL (%x7F); HTAB (%x09) is included so its acceptance is visible too
  const ctlCodes = [...Array(0x20).keys()]
    .concat([0x7F]);
  return ctlCodes.map(i => ({ code: i, chr: String.fromCharCode(i) }));
}
const CTLS = getCtlCharacters();
for (const ctl of CTLS) {
  const malicious_value = `haha${ctl.chr}haha`;
  // See whether HttpOnly gets ignored for easier testing, but in
  // an attack scenario it could be bad if Secure gets ignored
  document.cookie = `test${ctl.code}=` + malicious_value + "; HttpOnly";
  document.cookie = `te${ctl.chr}st${ctl.code}=asdf`;
}
// Read back which cookies were actually stored
document.cookie
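As an added illustration of the two spec steps quoted above (this is not code from the bug report or from WebKit), the following Node-runnable JavaScript parses a set-cookie-string the way the RFC6265bis draft requires: any character in %x00-08 / %x0A-1F / %x7F causes the whole string to be ignored, while HTAB is accepted. A second helper models the truncating behaviour the report observed in Safari and lists which attributes would be silently dropped by it. Function names and the simplified attribute handling are assumptions of this example, not part of any implementation.

```javascript
// Added example, not from the bug report: a spec-conformant CTL check for cookies.
// CTL characters excluding HTAB, exactly as quoted from the RFC6265bis draft.
const CTL_EXCEPT_HTAB = /[\x00-\x08\x0A-\x1F\x7F]/;

function containsForbiddenCtl(s) {
  return CTL_EXCEPT_HTAB.test(s);
}

// Minimal set-cookie-string parser (name/value plus attributes).
// Returns null when the string must be ignored under the draft, otherwise
// { name, value, attributes }. Attribute names are lower-cased; valueless
// attributes such as Secure are recorded as `true`.
function parseSetCookie(setCookieString) {
  // 'The Set-Cookie Header Field' step 1: a forbidden CTL anywhere rejects
  // the entire string, attributes included. Nothing is truncated.
  if (containsForbiddenCtl(setCookieString)) return null;

  const parts = setCookieString.split(';');
  const nameValuePair = parts[0];
  const eq = nameValuePair.indexOf('=');
  // Without '=', the draft treats the whole pair as a value with an empty name.
  const name = eq < 0 ? '' : nameValuePair.slice(0, eq).trim();
  const value = (eq < 0 ? nameValuePair : nameValuePair.slice(eq + 1)).trim();
  if (name.length === 0 && value.length === 0) return null;

  // 'Storage Model' step 3: the same check applied to cookie-name and
  // cookie-value, which also covers cookies set via document.cookie.
  if (containsForbiddenCtl(name) || containsForbiddenCtl(value)) return null;

  const attributes = {};
  for (const raw of parts.slice(1)) {
    const attr = raw.trim();
    if (!attr) continue;
    const i = attr.indexOf('=');
    const attrName = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[attrName] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Models the non-conforming behaviour described in the report (the line is cut
// at the first forbidden CTL in the value) and returns the names of the
// attributes that would be lost, so the risk of truncation can be seen directly.
function attributesLostByTruncation(setCookieString) {
  const m = CTL_EXCEPT_HTAB.exec(setCookieString);
  if (!m) return [];
  return setCookieString
    .slice(m.index)
    .split(';')
    .slice(1) // first fragment is the tail of the value, not an attribute
    .map(a => a.trim().split('=')[0].trim().toLowerCase())
    .filter(a => a.length > 0);
}

// Constructed sample inputs mirroring the report's test loop.
const SAMPLES = [
  'test0=haha\x00haha; HttpOnly; Secure', // NUL in value: must be ignored
  'te\x01st1=asdf',                       // CTL in name: must be ignored
  'test9=haha\thaha; Secure',             // HTAB: allowed by the draft
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', parseSetCookie(s),
              'lost by truncation:', attributesLostByTruncation(s));
}
```

Run under Node with `node cookies.js` (any file name works). The conformant parser returns null for the first two samples and keeps the tab-containing third one with its Secure attribute, whereas the truncation model shows that the first sample would lose both HttpOnly and Secure if the line were merely cut at the control character.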