Handle mismatched cookie chunk counts (#463)

Tratcher · web-flow · commit f5cf9c48ca39 · 2022-05-10T15:00:26.000-07:00
diff --git a/src/Microsoft.Owin/Infrastructure/ChunkingCookieManager.cs b/src/Microsoft.Owin/Infrastructure/ChunkingCookieManager.cs
@@ -73,7 +73,7 @@ public string GetRequestCookie(IOwinContext context, string key)
             if (chunksCount > 0)
             {
                 bool quoted = false;
-                string[] chunks = new string[chunksCount];
+                var chunks = new List<string>(10); // chunksCount may be wrong, don't trust it.
                 for (int chunkId = 1; chunkId <= chunksCount; chunkId++)
                 {
                     string chunk = requestCookies[key + "C" + chunkId.ToString(CultureInfo.InvariantCulture)];
@@ -98,7 +98,8 @@ public string GetRequestCookie(IOwinContext context, string key)
                         quoted = true;
                         chunk = RemoveQuotes(chunk);
                     }
-                    chunks[chunkId - 1] = chunk;
+
+                    chunks.Add(chunk);
                 }
                 string merged = string.Join(string.Empty, chunks);
                 if (quoted)
@@ -236,13 +237,22 @@ public void DeleteCookie(IOwinContext context, string key, CookieOptions options
             List<string> keys = new List<string>();
             keys.Add(escapedKey + "=");
 
-            string requestCookie = context.Request.Cookies[key];
-            int chunks = ParseChunksCount(requestCookie);
+            var requestCookies = context.Request.Cookies;
+            var requestCookie = requestCookies[key];
+            long chunks = ParseChunksCount(requestCookie);
             if (chunks > 0)
             {
                 for (int i = 1; i <= chunks + 1; i++)
                 {
                     string subkey = escapedKey + "C" + i.ToString(CultureInfo.InvariantCulture);
+
+                    // Only delete cookies we received. We received the chunk count cookie so we should have received the others too.
+                    if (string.IsNullOrEmpty(requestCookies[subkey]))
+                    {
+                        chunks = i - 1;
+                        break;
+                    }
+
                     keys.Add(subkey + "=");
                 }
             }
diff --git a/tests/Microsoft.Owin.Tests/CookieChunkingTests.cs b/tests/Microsoft.Owin.Tests/CookieChunkingTests.cs
@@ -146,7 +146,7 @@ public void GetLargeChunkedCookieWithMissingChunk_ThrowingDisabled_NotReassemble
         public void DeleteChunkedCookieWithOptions_AllDeleted()
         {
             IOwinContext context = new OwinContext();
-            context.Request.Headers.AppendValues("Cookie", "TestCookie=chunks:7");
+            context.Request.Headers.AppendValues("Cookie", "TestCookie=chunks:7;TestCookieC1=1;TestCookieC2=2;TestCookieC3=3;TestCookieC4=4;TestCookieC5=5;TestCookieC6=6;TestCookieC7=7");
 
             new ChunkingCookieManager().DeleteCookie(context, "TestCookie", new CookieOptions() { Domain = "foo.com" });
             var cookies = context.Response.Headers.GetValues("Set-Cookie");
@@ -163,5 +163,38 @@ public void DeleteChunkedCookieWithOptions_AllDeleted()
                 "TestCookieC7=; domain=foo.com; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT",
             }, cookies);
         }
+
+        [Fact]
+        public void DeleteChunkedCookieWithMissingRequestCookies_OnlyPresentCookiesDeleted()
+        {
+            IOwinContext context = new OwinContext();
+            context.Request.Headers.Append("Cookie", "TestCookie=chunks:7;TestCookieC1=1;TestCookieC2=2");
+            new ChunkingCookieManager().DeleteCookie(context, "TestCookie", new CookieOptions() { Domain = "foo.com", Secure = true });
+            var cookies = context.Response.Headers.GetValues("Set-Cookie");
+            Assert.Equal(3, cookies.Count);
+            Assert.Equal(new[]
+            {
+                "TestCookie=; domain=foo.com; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure",
+                "TestCookieC1=; domain=foo.com; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure",
+                "TestCookieC2=; domain=foo.com; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure",
+            }, cookies);
+        }
+
+        [Fact]
+        public void DeleteChunkedCookieWithMissingRequestCookies_StopsAtMissingChunk()
+        {
+            IOwinContext context = new OwinContext();
+            // C3 is missing so we don't try to delete C4 either.
+            context.Request.Headers.Append("Cookie", "TestCookie=chunks:7;TestCookieC1=1;TestCookieC2=2;TestCookieC4=4");
+            new ChunkingCookieManager().DeleteCookie(context, "TestCookie", new CookieOptions() { Domain = "foo.com", Secure = true });
+            var cookies = context.Response.Headers.GetValues("Set-Cookie");
+            Assert.Equal(3, cookies.Count);
+            Assert.Equal(new[]
+            {
+                "TestCookie=; domain=foo.com; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure",
+                "TestCookieC1=; domain=foo.com; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure",
+                "TestCookieC2=; domain=foo.com; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure",
+            }, cookies);
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ public string GetRequestCookie(IOwinContext context, string key)`
`73`	`73`	`if (chunksCount > 0)`
`74`	`74`	`{`
`75`	`75`	`bool quoted = false;`
`76`		`- string[] chunks = new string[chunksCount];`
	`76`	`+ var chunks = new List<string>(10); // chunksCount may be wrong, don't trust it.`
`77`	`77`	`for (int chunkId = 1; chunkId <= chunksCount; chunkId++)`
`78`	`78`	`{`
`79`	`79`	`string chunk = requestCookies[key + "C" + chunkId.ToString(CultureInfo.InvariantCulture)];`
`@@ -98,7 +98,8 @@ public string GetRequestCookie(IOwinContext context, string key)`
`98`	`98`	`quoted = true;`
`99`	`99`	`chunk = RemoveQuotes(chunk);`
`100`	`100`	`}`
`101`		`- chunks[chunkId - 1] = chunk;`
	`101`	`+`
	`102`	`+ chunks.Add(chunk);`
`102`	`103`	`}`
`103`	`104`	`string merged = string.Join(string.Empty, chunks);`
`104`	`105`	`if (quoted)`
`@@ -236,13 +237,22 @@ public void DeleteCookie(IOwinContext context, string key, CookieOptions options`
`236`	`237`	`List<string> keys = new List<string>();`
`237`	`238`	`keys.Add(escapedKey + "=");`
`238`	`239`
`239`		`- string requestCookie = context.Request.Cookies[key];`
`240`		`- int chunks = ParseChunksCount(requestCookie);`
	`240`	`+ var requestCookies = context.Request.Cookies;`
	`241`	`+ var requestCookie = requestCookies[key];`
	`242`	`+ long chunks = ParseChunksCount(requestCookie);`
`241`	`243`	`if (chunks > 0)`
`242`	`244`	`{`
`243`	`245`	`for (int i = 1; i <= chunks + 1; i++)`
`244`	`246`	`{`
`245`	`247`	`string subkey = escapedKey + "C" + i.ToString(CultureInfo.InvariantCulture);`
	`248`	`+`
	`249`	`+ // Only delete cookies we received. We received the chunk count cookie so we should have received the others too.`
	`250`	`+ if (string.IsNullOrEmpty(requestCookies[subkey]))`
	`251`	`+ {`
	`252`	`+ chunks = i - 1;`
	`253`	`+ break;`
	`254`	`+ }`
	`255`	`+`
`246`	`256`	`keys.Add(subkey + "=");`
`247`	`257`	`}`
`248`	`258`	`}`