LibWeb: Impose a sane max cookie size

Drop cookies larger than 4KiB. This value is the RFC's recommendation: https://tools.ietf.org/html/rfc6265#section-6.1
author: Timothy Flynn <trflynn89@pm.me> 2021-04-15 08:44:59 -0400
committer: Andreas Kling <kling@serenityos.org> 2021-04-16 19:19:31 +0200
commit: 67884f6747fef572a5984a6c690abf96d898530d (patch)
tree: e5ff9e0c84b15427cd892d19430fb4045c4244d8 /Userland/Libraries/LibWeb
parent: da92c0e1ca2be53df4a7889090656b428869d140 (diff)
download: serenity-67884f6747fef572a5984a6c690abf96d898530d.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/Userland/Libraries/LibWeb/Cookie/ParsedCookie.cpp b/Userland/Libraries/LibWeb/Cookie/ParsedCookie.cpp
index a2274a25c8..8f4b7e058e 100644
--- a/Userland/Libraries/LibWeb/Cookie/ParsedCookie.cpp
+++ b/Userland/Libraries/LibWeb/Cookie/ParsedCookie.cpp
@@ -30,6 +30,8 @@
 
 namespace Web::Cookie {
 
+static constexpr size_t s_max_cookie_size = 4096;
+
 static void parse_attributes(ParsedCookie& parsed_cookie, StringView unparsed_attributes);
 static void process_attribute(ParsedCookie& parsed_cookie, StringView attribute_name, StringView attribute_value);
 static void on_expires_attribute(ParsedCookie& parsed_cookie, StringView attribute_value);
@@ -43,6 +45,10 @@ static Optional<Core::DateTime> parse_date_time(StringView date_string);
 Optional<ParsedCookie> parse_cookie(const String& cookie_string)
 {
     // https://tools.ietf.org/html/rfc6265#section-5.2
+
+    if (cookie_string.length() > s_max_cookie_size)
+        return {};
+
     StringView name_value_pair;
     StringView unparsed_attributes;
author	Timothy Flynn <trflynn89@pm.me>	2021-04-15 08:44:59 -0400
committer	Andreas Kling <kling@serenityos.org>	2021-04-16 19:19:31 +0200
commit	67884f6747fef572a5984a6c690abf96d898530d (patch)
tree	e5ff9e0c84b15427cd892d19430fb4045c4244d8 /Userland/Libraries/LibWeb
parent	da92c0e1ca2be53df4a7889090656b428869d140 (diff)
download	serenity-67884f6747fef572a5984a6c690abf96d898530d.zip