Comments (2)
SergioBenitez
commented on May 28, 2024
1
In general we want to avoid leaking any kind of information when performing sensitive cryptographic operations. The danger here would be that a consumer of the verify() API would make decisions based on the error value and, in doing so, leak more information than they intend. Said another way, we want to restrict consumers to making decisions based on a single bit of information, success or failure, and nothing beyond that.
I'm not sure what your familiarity is with cryptographic operations, so I apologize if you're already aware of the above. Irrespective, this is a conservative approach to security.
After having spent a bit of time hunting for a bug due to mis-decoding on my side
What error did you make on your side? Is there something we could have done to more aptly prevent the error in the first place?
from cookie-rs.
julien-leclercq
commented on May 28, 2024
1
I totally can hear that. And my little adventure of yesterday shows me that I should not overestimate my own knowledge 😄.
What error did you make on your side? Is there something we could have done to more aptly prevent the error in the first place?
Did not realize that my cookie was percent-encoded. But I am mostly using libs that expose wrappers around yours (axum_extra and reqwest).
I am using cookie-rs in tests to perform some validations and setup tasks.
To be fully honest, I am not sure what kind of bad decisions you would expect some dev to make with that error, but I guess us developers are quite creative in messing things up!
from cookie-rs.
Related Issues (20)
- Nightly detection does not take into account whether features can actually be used HOT 9
- Panic when verifying malformed signed cookie HOT 2
- Parse multiple cookies in single string? HOT 1
- 0.16 release HOT 3
- Replace base64 with base64ct HOT 5
- Iterator over all cookies from string HOT 1
- Removing cookies by name HOT 4
- Private, signed & key methods missing
- Why was ring removed? HOT 1
- Commas are not encoded correctly
- Cookie builder doesn't ignore leading dots (as the `FromStr` implementation does) HOT 4
- Use `std::time::Duration` instead of `time::duration::Duration` for `max-age` HOT 1
- Trait bound error after upgrading to 0.17.0 HOT 1
- Support for `__Host-` cookies HOT 4
- Set Removal Cookies SameSite to Lax HOT 3
- aes-gcm vulnerability HOT 1
- Additional Message Data for signing only. HOT 3
- Does cookie-rs support cookie "Partitioned" yet, please? HOT 1
- Custom Extensions in the Set-Cookie String
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cookie-rs.