Document the 256 spaces limit

salesforce · Sep 21, 2017 · 4e2fb0b · 4e2fb0b
1 parent f1ed420
commit 4e2fb0b
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -134,6 +134,9 @@ else
   cookies = [Cookie.parse(res.headers['set-cookie'])];
 ```
 
+_Potentially non-standard behavior:_ currently, tough-cookie will limit the number of spaces before the `=` to 256 characters.
+See [Issue 92](https://github.com/salesforce/tough-cookie/issues/92)
+
 ### Properties
 
 Cookie object properties:

diff --git a/lib/cookie.js b/lib/cookie.js
@@ -53,6 +53,10 @@ var COOKIE_OCTETS = new RegExp('^'+COOKIE_OCTET.source+'+$');
 
 var CONTROL_CHARS = /[\x00-\x1F]/;
 
+// For COOKIE_PAIR and LOOSE_COOKIE_PAIR below, the number of spaces has been
+// restricted to 256 to side-step a ReDoS issue reported here:
+// https://github.com/salesforce/tough-cookie/issues/92
+
 // Double quotes are part of the value (see: S4.1.1).
 // '\r', '\n' and '\0' should be treated as a terminator in the "relaxed" mode
 // (see: https://github.com/ChromiumWebApps/chromium/blob/b3d3b4da8bb94c1b2e061600df106d590fda3620/net/cookies/parsed_cookie.cc#L60)