如何验证是否正确处理不合格的HTTP cookie?
摘要:客户的代码正在使用安全,属性生成无效的cookie(请注意非法尾随逗号)。 IETF规格说,必须忽略cookie的未知属性,但仍然可以使用cookie本身。因此,我们可能会生成不安全的cookie。是这样吗?
完整背景:
我正在尝试跟踪客户代码如何生成cookie的一些错误,并且我偶然发现了以下set-cookie标题(在几行上折断以使其更易于阅读) :
foo=wtf; expires=Tue, 28-Jul-2022 GMT; secure,
foo=bar; expires=Tue, 28-Jul-2022 GMT; secure,
baz=qux; expires=Tue, 28-Jul-2022 GMT; secure
在仔细阅读 HTTP状态管理机制的IETF规范,我发现了几件事。
首先,重复的cookie名称不应该在那里:
Servers SHOULD NOT include more than one Set-Cookie header field in
the same response with the same cookie-name.
我已经修复了(这是我正在处理的错误的原因)。但是,还有其他问题...
到期属性,28-Jul-2022,需要空格(28 Jul 2022)而不是破折号,但看起来大多数饼干解析器都对此很宽容。
但是,Cookie Generation Library与逗号一起加入Cookie。因此,我们有一个名为安全的属性,对于前两个cookie。根据规格:
User agents ignore unrecognized cookie attributes (but not the entire cookie).
因此,我们可能是尝试将cookies标记为安全,但是让我们的安全,属性忽略了。
我很难找到详细说明这种特定条件的资源,如果Cookie解析代码严格,看起来可能是一个严重的安全错误。 i 可以尝试在各种用户代理中尝试测试它,但是我不能与所有用户代理,这些用户代理的不同版本一起尝试,或者(要成为船长明显的)这些用户的未来版本代理商。
允许那个尾随的逗号吗?当然似乎不是。如果不允许,我是否可以检查一些资源,以找出一般的允许曲奇解析器的方式?
我不知道我有时间解决这个问题,但是我至少可以在内部提出问题。
Summary: A client's code is generating invalid cookies with a secure, attribute (note the illegal trailing comma). The IETF spec says unknown attributes for cookies must be ignored, but the cookies themselves can still be used. Thus, we might have unsecure cookies being generated. Is this the case?
Full background:
I'm trying to track down some bugs in how a client's code generates cookies and I've stumbled across the following Set-Cookie header (broken over several lines to make it easier to read):
foo=wtf; expires=Tue, 28-Jul-2022 GMT; secure,
foo=bar; expires=Tue, 28-Jul-2022 GMT; secure,
baz=qux; expires=Tue, 28-Jul-2022 GMT; secure
In a careful reading of the IETF specification for HTTP State Management Mechanism, I've found several things.
First, duplicate cookie names should not be there:
Servers SHOULD NOT include more than one Set-Cookie header field in
the same response with the same cookie-name.
I've fixed that (it was the cause of the bug I was working on). However, there are other concerns ...
The expires attribute, 28-Jul-2022, requires spaces (28 Jul 2022) instead of dashes, but it looks like most cookie parsers are fairly tolerant of this.
However, the cookie generation library is joining cookies with commas. Thus, we have an attribute named secure, for the first two cookies. According to the spec:
User agents ignore unrecognized cookie attributes (but not the entire cookie).
Thus, we might be trying to mark cookies as secure, but having our secure, attribute ignored.
I've struggled to find resources detailing this particular condition and it looks like it might be a serious security bug if the cookie parsing code is strict. I could just try testing this out in various user agents, but I can't try it with all user agents, different versions of those user agents, or (to be Captain Obvious) future versions of those user agents.
Is that trailing comma allowed? It certainly doesn't seem to be. If it's not allowed, is there a resource I can check to find out how permissive cookie parsers are in general?
I don't know that I have the time to fix this, but I can at least raise the issue internally.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
rfc6265§3
因此,至少您的Cookie Generation Library表现不佳(尽管这是否可以回答是否无效,我猜这取决于您想与RFC的建议遵守程度)。
RFC 6265 § 3 also states
So at the very least your cookie generation library is misbehaving (although whether that can answer if this is invalid or not I guess depends on how closely you want to adhere to the RFC's recommendations).