[Webkit-unassigned] [Bug 229088] New: Ensure cookies that contain control characters are handled according to the spec

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Aug 13 11:12:09 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=229088

            Bug ID: 229088
           Summary: Ensure cookies that contain control characters are
                    handled according to the spec
           Product: WebKit
           Version: Safari 14
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: awillia at google.com

The latest draft of RFC6265bis has changed recently such that tab characters are allowed in cookies but all other characters should cause the whole cookie line to be discarded.  From 'The Set-Cookie Header Field' section:

1. If the set-cookie-string contains a %x00-08 / %x0A-1F / %x7F character (CTL
   characters excluding HTAB): Abort these steps and ignore the
   set-cookie-string entirely.

and from the 'Storage Model' section:

3. If the cookie-name or the cookie-value contains a %x00-08 / %x0A-1F / %x7F
   character (CTL characters excluding HTAB), abort these steps and ignore the
   cookie entirely.

From some testing using document.cookie in Safari, it looks like all control characters except the tab character cause the cookie to be rejected if present in the name and cause the rest of the cookie line to be truncated if present in the value.  To conform to the spec, it'd be ideal if all control characters except tabs anywhere in a cookie line (for cookie lines from document.cookie or in Set-Cookie headers) caused the cookie to be rejected.

For reference, I used variations of the following for testing (which also demonstrates the motivation behind not having control characters truncate):

function getCtlCharacters() {
  // 0x00-0x1F plus DEL (0x7F). HTAB (0x09) is deliberately included so the
  // tab exception in the draft can be observed alongside the other CTLs.
  const ctlCodes = [...Array(0x20).keys()].concat([0x7F]);
  return ctlCodes.map(i => ({ code: i, chr: String.fromCharCode(i) }));
}
const CTLS = getCtlCharacters();
for (const ctl of CTLS) {
    // Control character in the value: does the rest of the line get truncated?
    const malicious_value = `haha${ctl.chr}haha`;
    // See whether HttpOnly gets ignored for easier testing, but in
    // an attack scenario it could be bad if Secure gets ignored
    document.cookie = `test${ctl.code}=` + malicious_value + "; HttpOnly";
    // Control character in the name: is the cookie rejected outright?
    document.cookie = `te${ctl.chr}st${ctl.code}=asdf`;
}
document.cookie

-- 
You are receiving this mail because:
You are the assignee for the bug.
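The two behaviours the report contrasts, as an added example (this is not code from the report, from WebKit, or from the draft): a checker implementing the quoted CTL rule, a model of the truncating behaviour the reporter observed, and the reporter's loop run over both so the attribute loss is visible. The `splitCookieLine` helper is a minimal assumed splitter rather than the draft's full parsing algorithm, and `parseSetCookieTruncating` is a model written for comparison, not WebKit's implementation. It does not touch `document.cookie`, so it runs in Node as well as a browser.

```javascript
// CTL characters excluding HTAB, exactly as the draft lists them:
// %x00-08 / %x0A-1F / %x7F.
const CTL_EXCLUDING_HTAB = /[\x00-\x08\x0A-\x1F\x7F]/;

// Step 1 of "The Set-Cookie Header Field" in the quoted draft: a CTL
// (other than tab) anywhere in the string means the whole line is ignored.
function setCookieStringIsIgnored(setCookieString) {
  return CTL_EXCLUDING_HTAB.test(setCookieString);
}

// Minimal "name=value; attr; attr=value" splitter (assumed for this example,
// not the draft's parsing algorithm). Attribute names are lowercased; a flag
// attribute such as Secure maps to true. Returns null when there is no "="
// or the name is empty.
function splitCookieLine(line) {
  const [nameValue, ...attrParts] = line.split(';');
  const eq = nameValue.indexOf('=');
  if (eq < 0) return null;
  const name = nameValue.slice(0, eq).trim();
  const value = nameValue.slice(eq + 1).trim();
  if (name === '') return null;
  const attrs = {};
  for (const raw of attrParts) {
    const [key, ...rest] = raw.split('=');
    const k = key.trim().toLowerCase();
    if (k === '') continue;
    attrs[k] = rest.length ? rest.join('=').trim() : true;
  }
  return { name, value, attrs };
}

// Spec-conforming: the whole line or nothing. The storage-model check on
// cookie-name / cookie-value (step 3 quoted above) is covered as well,
// because the CTL scan runs over the entire string.
function parseSetCookieStrict(setCookieString) {
  if (setCookieStringIsIgnored(setCookieString)) return null;
  return splitCookieLine(setCookieString);
}

// Model of the behaviour the report observed through document.cookie: a CTL
// in the name rejects the cookie, a CTL in the value cuts off the rest of
// the line, attributes included. Written for comparison only.
function parseSetCookieTruncating(setCookieString) {
  const hit = CTL_EXCLUDING_HTAB.exec(setCookieString);
  if (!hit) return splitCookieLine(setCookieString);
  const eq = setCookieString.indexOf('=');
  if (eq < 0 || hit.index < eq) return null; // CTL inside the name
  return splitCookieLine(setCookieString.slice(0, hit.index));
}

// The report's loop over 0x00-0x1F and 0x7F with the control character in
// the value and a trailing "; Secure". Returns the codes for which the
// truncating model keeps a cookie that has silently lost Secure, which the
// strict parser never does (it rejects the line instead).
function ctlCodesThatDropSecure() {
  const codes = [...Array(0x20).keys()].concat([0x7F]);
  const dropped = [];
  for (const code of codes) {
    const line = `test${code}=haha${String.fromCharCode(code)}haha; Secure`;
    const trunc = parseSetCookieTruncating(line);
    if (trunc !== null && trunc.attrs.secure !== true) dropped.push(code);
  }
  return dropped; // every listed code except 0x09 (HTAB)
}
```

Under the strict parser a value such as `haha\x01haha; Secure` yields no cookie at all, while the truncating model yields `test=haha` with the Secure attribute gone, which is the attacker-relevant difference the report points at; only the tab case (0x09) stores the cookie, and both parsers then keep Secure intact.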