Harden cookie parsing logic

stormpath · May 17, 2016 · 7ec7005 · 7ec7005
1 parent 130844c
commit 7ec7005
Showing 1 changed file with 16 additions and 6 deletions.
diff --git a/src/Stormpath.Owin.Middleware/Internal/CookieParser.cs b/src/Stormpath.Owin.Middleware/Internal/CookieParser.cs
@@ -69,12 +69,22 @@ private static void ParseDelimited(string text, char[] delimiters, Action<string
                     {
                         ++scanIndex;
                     }
-                    var name = text.Substring(scanIndex, equalIndex - scanIndex);
-                    var value = text.Substring(equalIndex + 1, delimiterIndex - equalIndex - 1);
-                    callback(
-                        Uri.UnescapeDataString(name),
-                        Uri.UnescapeDataString(value),
-                        state);
+
+                    try
+                    {
+                        var name = text.Substring(scanIndex, equalIndex - scanIndex);
+                        var value = text.Substring(equalIndex + 1, delimiterIndex - equalIndex - 1);
+                        callback(
+                            Uri.UnescapeDataString(name),
+                            Uri.UnescapeDataString(value),
+                            state);
+                    }
+                    catch (ArgumentOutOfRangeException)
+                    {
+                        // bad cookie data
+                        // todo log
+                    }
+
                     equalIndex = text.IndexOf('=', equalIndex + 1);
                     if (equalIndex == -1)
                     {