ID: 43311
Comment by: crrodriguez+php at suse dot de
Reported By: crrodriguez at suse dot de
Status: Open
Bug Type: *General Issues
Operating System: Irrelevant
PHP Version: 5.3CVS-2007-11-16 (CVS)
New Comment:
also imagine the following code
setcookie ("foo", $_GET['reallybigdata'])
it can also exausts the PHP process or system memory(dependding on the
memory limit)for no gain because the browser will truncate it anyway.
Previous Comments:
------------------------------------------------------------------------
[2007-11-16 08:23:38] judas dot iscariote at gmail dot com
PHP implements the netscape spec, **not** the RFC one
"When a cookie larger than 4 kilobytes is encountered the cookie should
be trimmed to fit, but the name should remain intact as long as it is
less than 4 kilobytes"
"Servers should not expect clients to be able to exceed these limits"
In the case of PHP, sending a cookie bigger than 4kb is useless because
no browser will use it correctly, and truncating it without emitting any
warning just makes debugging harder.
------------------------------------------------------------------------
[2007-11-16 08:17:45] yoy dot noneoff at dfgh dot net
http://www.faqs.org/rfcs/rfc2109
http://www.faqs.org/rfcs/rfc2965
RFCS linked from the setcookie function docs
"
...
* at least 300 cookies
* at least 4096 bytes per cookie (as measured by the characters
that comprise the cookie non-terminal in the syntax
description
of the Set-Cookie2 header, and as received in the Set-Cookie2
header)
...
"
keyword:at least
so basicly php should not limit cookie length, it up to the
client/browser how to handle it.
------------------------------------------------------------------------
[2007-11-16 03:26:53] judas dot iscariote at gmail dot com
corrected/working patch is here now (previuos had errors ..I should
test patches before submitting them :) )
http://www.flyspray.org/patches/setcookie-4096btyesonly.patch
------------------------------------------------------------------------
[2007-11-16 01:30:40] crrodriguez at suse dot de
Description:
------------
The following report caught my attention
http://www.securityfocus.com/archive/1/483705
That is indeed a bug in Konqueror, but if you look the "reproduce code"
it says.
Reproduce code:
---------------
<?php
ini_set("memory_limit","200M");
setcookie("hi_fox", str_repeat("A",19999999));
?>
Expected result:
----------------
PHP limiting the cookie size to what both the spec says and other
browsers do, that is name_len + value_len not larger than 4096 bytes.
http://www.15seconds.com/faq/Cookies/388.htm
http://wp.netscape.com/newsref/std/cookie_spec.html
E-Warning "Cookie cannot store more than %d bytes of data"
Actual result:
--------------
PHP setting a 200MB cookie anyway.
patch here : http://rafb.net/p/zs0ojA57.html
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=43311&edit=1
