There is some historical ambiguity as to what the cookie value can contain. While there is a convention that the cookie value should be URL-encoded, the specs don't seem to enforce this. lambda-api expects the cookie value to be a URL-encoded string. Any cookie containing a "%" character without a valid sequence will fail cookie decoding and can create an exception and a denial of service.
Fixing this is a bit tricky, as we would still want to correctly URL-decode any standard cookie value while supporting non-standard ones. It might be worth discussing the correct solution here.
Some reference I found regarding the permitted characters in a cookie value:
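The failure mode described above, as an added example that is not part of the original issue or of lambda-api's own cookie parsing. `decodeURIComponent` throws a `URIError` on any `%` that is not followed by two hex digits (and on percent-encoded bytes that are not valid UTF-8), so a parser that calls it unguarded lets one malformed cookie abort the whole request. The hardened variant decodes values that are well-formed percent-encodings and passes everything else through as the raw string; the function names and the sample `Cookie` header values are constructed for this illustration.

```javascript
// Added example, not lambda-api's code. Shows why unguarded
// decodeURIComponent() on a Cookie header is a denial-of-service risk,
// and one way to decode standard (URL-encoded) values while tolerating
// non-standard ones.

// Split "name=value; name2=value2" into pairs. A surrounding pair of
// double quotes is allowed around a cookie-value by RFC 6265, so strip it.
function splitCookieHeader(header) {
  const pairs = [];
  for (const part of String(header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue; // no "=", not a name=value pair; ignore
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    if (name) pairs.push([name, value]);
  }
  return pairs;
}

// Naive parser: mirrors the reported behaviour. decodeURIComponent()
// throws URIError on e.g. "50%off", which becomes an unhandled exception.
function parseCookiesNaive(header) {
  const cookies = {};
  for (const [name, value] of splitCookieHeader(header)) {
    cookies[name] = decodeURIComponent(value);
  }
  return cookies;
}

// Decode only if the value is a valid percent-encoding; otherwise keep the
// raw value. Only URIError is swallowed so that genuine bugs still surface.
function safeDecodeCookieValue(value) {
  if (!value.includes('%')) return value; // fast path: nothing to decode
  try {
    return decodeURIComponent(value);
  } catch (err) {
    if (err instanceof URIError) return value; // malformed "%": pass through
    throw err;
  }
}

// Hardened parser: a malformed value degrades to its raw string instead of
// failing the request. Standard, URL-encoded values still decode normally.
function parseCookies(header) {
  const cookies = {};
  for (const [name, value] of splitCookieHeader(header)) {
    cookies[name] = safeDecodeCookieValue(value);
  }
  return cookies;
}

// Constructed sample headers (not taken from any real traffic).
const GOOD_HEADER = 'session=abc123; greeting=hello%20world; pct=100%25; q="quoted"';
const BAD_HEADER = 'promo=50%off; trunc=%E2%82; session=abc123';

module.exports = { splitCookieHeader, parseCookiesNaive, parseCookies, safeDecodeCookieValue, GOOD_HEADER, BAD_HEADER };
```

The pass-through choice is deliberate: a `%` that does not start a valid escape cannot be a correctly URL-encoded value, so treating the string as literal bytes loses nothing for standards-following clients, while rejecting the request would let any client take down the handler with a single header. If the application instead wants to reject such cookies, the place to do that is a 400 response from the handler, not an uncaught exception in the parser.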