From b593be8627a905a7e48468f05108df7461eebeb2 Mon Sep 17 00:00:00 2001
From: Thomas Lynch <tom@69420.me>
Date: Fri, 6 Jan 2023 19:02:20 +1100
Subject: [PATCH] Add some reasonable limits to cookie parsing, reduce impact
 of possible attack

---
 src/libs/cookie.lua | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/libs/cookie.lua b/src/libs/cookie.lua
index 9da861e..4e71509 100644
--- a/src/libs/cookie.lua
+++ b/src/libs/cookie.lua
@@ -11,11 +11,12 @@ local SEMICOLON     = byte(";")
 local SPACE         = byte(" ")
 local HTAB          = byte("\t")
 
+local MAX_LEN       = 10 * 1024 -- in case you are a dumbass and set a high tune.maxrewrite
+local MAX_COOKIES   = 100
 
 local _M = {}
 _M._VERSION = '0.01'
 
-
 function _M.get_cookie_table(text_cookie)
     if type(text_cookie) ~= "string" then
         return {}
@@ -27,10 +28,16 @@ function _M.get_cookie_table(text_cookie)
 
     local n = 0
     local len = #text_cookie
+    if len > MAX_LEN then
+        return {}
+    end
 
     for i=1, len do
         if byte(text_cookie, i) == SEMICOLON then
             n = n + 1
+            if n > MAX_COOKIES then
+                return {}
+            end
         end
     end