#43311 [Com]: setcookie should not be able to set cookies larger than 4096 bytes

Fri, 16 Nov 2007 05:31:56 -0800 

 ID:               43311
 Comment by:       crrodriguez+php at suse dot de
 Reported By:      crrodriguez at suse dot de
 Status:           Open
 Bug Type:         *General Issues
 Operating System: Irrelevant
 PHP Version:      5.3CVS-2007-11-16 (CVS)
 New Comment:

also imagine the following code

setcookie ("foo", $_GET['reallybigdata']) 

it can also exausts the PHP process or system memory(dependding on the
memory limit)for no gain because the browser will truncate it anyway.


Previous Comments:
------------------------------------------------------------------------

[2007-11-16 08:23:38] judas dot iscariote at gmail dot com

PHP implements the netscape spec, **not** the RFC one

"When a cookie larger than 4 kilobytes is encountered the cookie should
be trimmed to fit, but the name should remain intact as long as it is
less than 4 kilobytes"

"Servers should not expect clients to be able to exceed these limits"


In the case of PHP, sending a cookie bigger than 4kb is useless because
no browser will use it correctly, and truncating it without emitting any
warning just makes debugging  harder.

------------------------------------------------------------------------

[2007-11-16 08:17:45] yoy dot noneoff at dfgh dot net

http://www.faqs.org/rfcs/rfc2109
http://www.faqs.org/rfcs/rfc2965

RFCS linked from the setcookie function docs

"
...
     *  at least 300 cookies

      *  at least 4096 bytes per cookie (as measured by the characters
         that comprise the cookie non-terminal in the syntax
description
         of the Set-Cookie2 header, and as received in the Set-Cookie2
         header)
...
"

keyword:at least 

so basicly php should not limit cookie length, it up to the
client/browser how to handle it.

------------------------------------------------------------------------

[2007-11-16 03:26:53] judas dot iscariote at gmail dot com

corrected/working patch is here now (previuos had errors ..I should
test patches before submitting them :) ) 

http://www.flyspray.org/patches/setcookie-4096btyesonly.patch

------------------------------------------------------------------------

[2007-11-16 01:30:40] crrodriguez at suse dot de

Description:
------------
The following report caught my attention 

http://www.securityfocus.com/archive/1/483705

That is indeed a bug in Konqueror, but if you look the "reproduce code"
it says.

Reproduce code:
---------------
<?php

ini_set("memory_limit","200M");

setcookie("hi_fox", str_repeat("A",19999999));

?>

Expected result:
----------------
PHP limiting the cookie size to what both the spec says and other
browsers do, that is name_len + value_len not larger than 4096 bytes.

http://www.15seconds.com/faq/Cookies/388.htm

http://wp.netscape.com/newsref/std/cookie_spec.html


E-Warning "Cookie cannot store more than %d bytes of data"

Actual result:
--------------
PHP setting a 200MB cookie anyway.


patch here : http://rafb.net/p/zs0ojA57.html


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=43311&edit=1

Reply via email to