From 64ecb3818ca335ce79ef539e962ee5d02f6fb365 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 26 Jun 2022 11:00:48 +0200
Subject: [PATCH 1/3] cookie: apply limits
- Send no more than 150 cookies per request
- Cap the max length used for a cookie: header to 8K
- Cap the max number of received Set-Cookie: headers to 50
Bug: https://curl.se/docs/CVE-2022-32205.html
CVE-2022-32205
Reported-by: Harry Sintonen
Closes #9048
Upstream-commit: 48d7064a49148f03942380967da739dcde1cdc24
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/cookie.c | 14 ++++++++++++--
lib/cookie.h | 21 +++++++++++++++++++--
lib/http.c | 13 +++++++++++--
lib/urldata.h | 1 +
4 files changed, 43 insertions(+), 6 deletions(-)
diff --git a/lib/cookie.c b/lib/cookie.c
index 1b8c8f9..8a6aa1a 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -477,6 +477,10 @@ Curl_cookie_add(struct Curl_easy *data,
(void)data;
#endif
+ DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */
+ if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT)
+ return NULL;
+
/* First, alloc and init a new struct for it */
co = calloc(1, sizeof(struct Cookie));
if(!co)
@@ -816,7 +820,7 @@ Curl_cookie_add(struct Curl_easy *data,
freecookie(co);
return NULL;
}
-
+ data->req.setcookies++;
}
else {
/*
@@ -1354,7 +1358,8 @@ static struct Cookie *dup_cookie(struct Cookie *src)
*
* It shall only return cookies that haven't expired.
*/
-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
+struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
+ struct CookieInfo *c,
const char *host, const char *path,
bool secure)
{
@@ -1409,6 +1414,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
mainco = newco;
matches++;
+ if(matches >= MAX_COOKIE_SEND_AMOUNT) {
+ infof(data, "Included max number of cookies (%u) in request!",
+ matches);
+ break;
+ }
}
else
goto fail;
diff --git a/lib/cookie.h b/lib/cookie.h
index 0ffe08e..7411980 100644
--- a/lib/cookie.h
+++ b/lib/cookie.h
@@ -81,10 +81,26 @@ struct CookieInfo {
*/
#define MAX_COOKIE_LINE 5000
-/* This is the maximum length of a cookie name or content we deal with: */
+/* Maximum length of an incoming cookie name or content we deal with. Longer
+ cookies are ignored. */
#define MAX_NAME 4096
#define MAX_NAME_TXT "4095"
+/* Maximum size for an outgoing cookie line libcurl will use in an http
+ request. This is the default maximum length used in some versions of Apache
+ httpd. */
+#define MAX_COOKIE_HEADER_LEN 8190
+
+/* Maximum number of cookies libcurl will send in a single request, even if
+ there might be more cookies that match. One reason to cap the number is to
+ keep the maximum HTTP request within the maximum allowed size. */
+#define MAX_COOKIE_SEND_AMOUNT 150
+
+/* Maximum number of Set-Cookie: lines accepted in a single response. If more
+ such header lines are received, they are ignored. This value must be less
+ than 256 since an unsigned char is used to count. */
+#define MAX_SET_COOKIE_AMOUNT 50
+
struct Curl_easy;
/*
* Add a cookie to the internal list of cookies. The domain and path arguments
@@ -97,7 +113,8 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data,
const char *domain, const char *path,
bool secure);
-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, const char *host,
+struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
+ struct CookieInfo *c, const char *host,
const char *path, bool secure);
void Curl_cookie_freelist(struct Cookie *cookies);
void Curl_cookie_clearall(struct CookieInfo *cookies);
diff --git a/lib/http.c b/lib/http.c
index 4433824..2c8b0c4 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -2709,12 +2709,14 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn,
}
#if !defined(CURL_DISABLE_COOKIES)
+
CURLcode Curl_http_cookies(struct Curl_easy *data,
struct connectdata *conn,
struct dynbuf *r)
{
CURLcode result = CURLE_OK;
char *addcookies = NULL;
+ bool linecap = FALSE;
if(data->set.str[STRING_COOKIE] &&
!Curl_checkheaders(data, STRCONST("Cookie")))
addcookies = data->set.str[STRING_COOKIE];
@@ -2732,7 +2734,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
!strcmp(host, "127.0.0.1") ||
!strcmp(host, "[::1]") ? TRUE : FALSE;
Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
- co = Curl_cookie_getlist(data->cookies, host, data->state.up.path,
+ co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path,
secure_context);
Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
}
@@ -2746,6 +2748,13 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
if(result)
break;
}
+ if((Curl_dyn_len(r) + strlen(co->name) + strlen(co->value) + 1) >=
+ MAX_COOKIE_HEADER_LEN) {
+ infof(data, "Restricted outgoing cookies due to header size, "
+ "'%s' not sent", co->name);
+ linecap = TRUE;
+ break;
+ }
result = Curl_dyn_addf(r, "%s%s=%s", count?"; ":"",
co->name, co->value);
if(result)
@@ -2756,7 +2765,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
}
Curl_cookie_freelist(store);
}
- if(addcookies && !result) {
+ if(addcookies && !result && !linecap) {
if(!count)
result = Curl_dyn_addn(r, STRCONST("Cookie: "));
if(!result) {
diff --git a/lib/urldata.h b/lib/urldata.h
index e006495..54faf7d 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -707,6 +707,7 @@ struct SingleRequest {
#ifndef CURL_DISABLE_DOH
struct dohdata *doh; /* DoH specific data for this request */
#endif
+ unsigned char setcookies;
BIT(header); /* incoming data has HTTP header */
BIT(content_range); /* set TRUE if Content-Range: was found */
BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding
--
2.35.3
From 2aa646531df114b99d19b33071ff53cebbd689ce Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 26 Jun 2022 11:01:01 +0200
Subject: [PATCH 2/3] test442/443: test cookie caps
442 - verify that only 150 cookies are sent
443 - verify that the cookie: header remains less than 8K in size
Upstream-commit: ff2b2bcf687572d173688832f0913a43de1a2bf8
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
tests/data/Makefile.inc | 2 +-
tests/data/test442 | 209 ++++++++++++++++++++++++++++++++++++++++
tests/data/test443 | 78 +++++++++++++++
3 files changed, 288 insertions(+), 1 deletion(-)
create mode 100644 tests/data/test442
create mode 100644 tests/data/test443
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 9b5f4fb..fe04fee 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -72,7 +72,7 @@ test409 test410 \
\
test430 test431 test432 test433 test434 test435 test436 \
\
-test440 test441 \
+test440 test441 test442 test443 \
\
test490 test491 test492 test493 test494 \
\
diff --git a/tests/data/test442 b/tests/data/test442
new file mode 100644
index 0000000..1b00d20
--- /dev/null
+++ b/tests/data/test442
@@ -0,0 +1,209 @@
+# perl:
+#
+# for(1 .. 151) {
+# print join("\t",
+# "attack.invalid", "TRUE", "/", "FALSE", "0",
+# "name$_", "could-be-large-$_")."\n";
+# }
+#
+<testcase>
+<info>
+<keywords>
+HTTP
+cookies
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 6
+
+-foo-
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+<name>
+Send capped huge number of matching cookies
+</name>
+<command>
+http://attack.invalid:%HTTPPORT/a/b/%TESTNUMBER -b log/cookie%TESTNUMBER --resolve attack.invalid:%HTTPPORT:%HOSTIP -L
+</command>
+<file name="log/cookie%TESTNUMBER" mode="text">
+attack.invalid TRUE / FALSE 0 name1 could-be-large-1
+attack.invalid TRUE / FALSE 0 name2 could-be-large-2
+attack.invalid TRUE / FALSE 0 name3 could-be-large-3
+attack.invalid TRUE / FALSE 0 name4 could-be-large-4
+attack.invalid TRUE / FALSE 0 name5 could-be-large-5
+attack.invalid TRUE / FALSE 0 name6 could-be-large-6
+attack.invalid TRUE / FALSE 0 name7 could-be-large-7
+attack.invalid TRUE / FALSE 0 name8 could-be-large-8
+attack.invalid TRUE / FALSE 0 name9 could-be-large-9
+attack.invalid TRUE / FALSE 0 name10 could-be-large-10
+attack.invalid TRUE / FALSE 0 name11 could-be-large-11
+attack.invalid TRUE / FALSE 0 name12 could-be-large-12
+attack.invalid TRUE / FALSE 0 name13 could-be-large-13
+attack.invalid TRUE / FALSE 0 name14 could-be-large-14
+attack.invalid TRUE / FALSE 0 name15 could-be-large-15
+attack.invalid TRUE / FALSE 0 name16 could-be-large-16
+attack.invalid TRUE / FALSE 0 name17 could-be-large-17
+attack.invalid TRUE / FALSE 0 name18 could-be-large-18
+attack.invalid TRUE / FALSE 0 name19 could-be-large-19
+attack.invalid TRUE / FALSE 0 name20 could-be-large-20
+attack.invalid TRUE / FALSE 0 name21 could-be-large-21
+attack.invalid TRUE / FALSE 0 name22 could-be-large-22
+attack.invalid TRUE / FALSE 0 name23 could-be-large-23
+attack.invalid TRUE / FALSE 0 name24 could-be-large-24
+attack.invalid TRUE / FALSE 0 name25 could-be-large-25
+attack.invalid TRUE / FALSE 0 name26 could-be-large-26
+attack.invalid TRUE / FALSE 0 name27 could-be-large-27
+attack.invalid TRUE / FALSE 0 name28 could-be-large-28
+attack.invalid TRUE / FALSE 0 name29 could-be-large-29
+attack.invalid TRUE / FALSE 0 name30 could-be-large-30
+attack.invalid TRUE / FALSE 0 name31 could-be-large-31
+attack.invalid TRUE / FALSE 0 name32 could-be-large-32
+attack.invalid TRUE / FALSE 0 name33 could-be-large-33
+attack.invalid TRUE / FALSE 0 name34 could-be-large-34
+attack.invalid TRUE / FALSE 0 name35 could-be-large-35
+attack.invalid TRUE / FALSE 0 name36 could-be-large-36
+attack.invalid TRUE / FALSE 0 name37 could-be-large-37
+attack.invalid TRUE / FALSE 0 name38 could-be-large-38
+attack.invalid TRUE / FALSE 0 name39 could-be-large-39
+attack.invalid TRUE / FALSE 0 name40 could-be-large-40
+attack.invalid TRUE / FALSE 0 name41 could-be-large-41
+attack.invalid TRUE / FALSE 0 name42 could-be-large-42
+attack.invalid TRUE / FALSE 0 name43 could-be-large-43
+attack.invalid TRUE / FALSE 0 name44 could-be-large-44
+attack.invalid TRUE / FALSE 0 name45 could-be-large-45
+attack.invalid TRUE / FALSE 0 name46 could-be-large-46
+attack.invalid TRUE / FALSE 0 name47 could-be-large-47
+attack.invalid TRUE / FALSE 0 name48 could-be-large-48
+attack.invalid TRUE / FALSE 0 name49 could-be-large-49
+attack.invalid TRUE / FALSE 0 name50 could-be-large-50
+attack.invalid TRUE / FALSE 0 name51 could-be-large-51
+attack.invalid TRUE / FALSE 0 name52 could-be-large-52
+attack.invalid TRUE / FALSE 0 name53 could-be-large-53
+attack.invalid TRUE / FALSE 0 name54 could-be-large-54
+attack.invalid TRUE / FALSE 0 name55 could-be-large-55
+attack.invalid TRUE / FALSE 0 name56 could-be-large-56
+attack.invalid TRUE / FALSE 0 name57 could-be-large-57
+attack.invalid TRUE / FALSE 0 name58 could-be-large-58
+attack.invalid TRUE / FALSE 0 name59 could-be-large-59
+attack.invalid TRUE / FALSE 0 name60 could-be-large-60
+attack.invalid TRUE / FALSE 0 name61 could-be-large-61
+attack.invalid TRUE / FALSE 0 name62 could-be-large-62
+attack.invalid TRUE / FALSE 0 name63 could-be-large-63
+attack.invalid TRUE / FALSE 0 name64 could-be-large-64
+attack.invalid TRUE / FALSE 0 name65 could-be-large-65
+attack.invalid TRUE / FALSE 0 name66 could-be-large-66
+attack.invalid TRUE / FALSE 0 name67 could-be-large-67
+attack.invalid TRUE / FALSE 0 name68 could-be-large-68
+attack.invalid TRUE / FALSE 0 name69 could-be-large-69
+attack.invalid TRUE / FALSE 0 name70 could-be-large-70
+attack.invalid TRUE / FALSE 0 name71 could-be-large-71
+attack.invalid TRUE / FALSE 0 name72 could-be-large-72
+attack.invalid TRUE / FALSE 0 name73 could-be-large-73
+attack.invalid TRUE / FALSE 0 name74 could-be-large-74
+attack.invalid TRUE / FALSE 0 name75 could-be-large-75
+attack.invalid TRUE / FALSE 0 name76 could-be-large-76
+attack.invalid TRUE / FALSE 0 name77 could-be-large-77
+attack.invalid TRUE / FALSE 0 name78 could-be-large-78
+attack.invalid TRUE / FALSE 0 name79 could-be-large-79
+attack.invalid TRUE / FALSE 0 name80 could-be-large-80
+attack.invalid TRUE / FALSE 0 name81 could-be-large-81
+attack.invalid TRUE / FALSE 0 name82 could-be-large-82
+attack.invalid TRUE / FALSE 0 name83 could-be-large-83
+attack.invalid TRUE / FALSE 0 name84 could-be-large-84
+attack.invalid TRUE / FALSE 0 name85 could-be-large-85
+attack.invalid TRUE / FALSE 0 name86 could-be-large-86
+attack.invalid TRUE / FALSE 0 name87 could-be-large-87
+attack.invalid TRUE / FALSE 0 name88 could-be-large-88
+attack.invalid TRUE / FALSE 0 name89 could-be-large-89
+attack.invalid TRUE / FALSE 0 name90 could-be-large-90
+attack.invalid TRUE / FALSE 0 name91 could-be-large-91
+attack.invalid TRUE / FALSE 0 name92 could-be-large-92
+attack.invalid TRUE / FALSE 0 name93 could-be-large-93
+attack.invalid TRUE / FALSE 0 name94 could-be-large-94
+attack.invalid TRUE / FALSE 0 name95 could-be-large-95
+attack.invalid TRUE / FALSE 0 name96 could-be-large-96
+attack.invalid TRUE / FALSE 0 name97 could-be-large-97
+attack.invalid TRUE / FALSE 0 name98 could-be-large-98
+attack.invalid TRUE / FALSE 0 name99 could-be-large-99
+attack.invalid TRUE / FALSE 0 name100 could-be-large-100
+attack.invalid TRUE / FALSE 0 name101 could-be-large-101
+attack.invalid TRUE / FALSE 0 name102 could-be-large-102
+attack.invalid TRUE / FALSE 0 name103 could-be-large-103
+attack.invalid TRUE / FALSE 0 name104 could-be-large-104
+attack.invalid TRUE / FALSE 0 name105 could-be-large-105
+attack.invalid TRUE / FALSE 0 name106 could-be-large-106
+attack.invalid TRUE / FALSE 0 name107 could-be-large-107
+attack.invalid TRUE / FALSE 0 name108 could-be-large-108
+attack.invalid TRUE / FALSE 0 name109 could-be-large-109
+attack.invalid TRUE / FALSE 0 name110 could-be-large-110
+attack.invalid TRUE / FALSE 0 name111 could-be-large-111
+attack.invalid TRUE / FALSE 0 name112 could-be-large-112
+attack.invalid TRUE / FALSE 0 name113 could-be-large-113
+attack.invalid TRUE / FALSE 0 name114 could-be-large-114
+attack.invalid TRUE / FALSE 0 name115 could-be-large-115
+attack.invalid TRUE / FALSE 0 name116 could-be-large-116
+attack.invalid TRUE / FALSE 0 name117 could-be-large-117
+attack.invalid TRUE / FALSE 0 name118 could-be-large-118
+attack.invalid TRUE / FALSE 0 name119 could-be-large-119
+attack.invalid TRUE / FALSE 0 name120 could-be-large-120
+attack.invalid TRUE / FALSE 0 name121 could-be-large-121
+attack.invalid TRUE / FALSE 0 name122 could-be-large-122
+attack.invalid TRUE / FALSE 0 name123 could-be-large-123
+attack.invalid TRUE / FALSE 0 name124 could-be-large-124
+attack.invalid TRUE / FALSE 0 name125 could-be-large-125
+attack.invalid TRUE / FALSE 0 name126 could-be-large-126
+attack.invalid TRUE / FALSE 0 name127 could-be-large-127
+attack.invalid TRUE / FALSE 0 name128 could-be-large-128
+attack.invalid TRUE / FALSE 0 name129 could-be-large-129
+attack.invalid TRUE / FALSE 0 name130 could-be-large-130
+attack.invalid TRUE / FALSE 0 name131 could-be-large-131
+attack.invalid TRUE / FALSE 0 name132 could-be-large-132
+attack.invalid TRUE / FALSE 0 name133 could-be-large-133
+attack.invalid TRUE / FALSE 0 name134 could-be-large-134
+attack.invalid TRUE / FALSE 0 name135 could-be-large-135
+attack.invalid TRUE / FALSE 0 name136 could-be-large-136
+attack.invalid TRUE / FALSE 0 name137 could-be-large-137
+attack.invalid TRUE / FALSE 0 name138 could-be-large-138
+attack.invalid TRUE / FALSE 0 name139 could-be-large-139
+attack.invalid TRUE / FALSE 0 name140 could-be-large-140
+attack.invalid TRUE / FALSE 0 name141 could-be-large-141
+attack.invalid TRUE / FALSE 0 name142 could-be-large-142
+attack.invalid TRUE / FALSE 0 name143 could-be-large-143
+attack.invalid TRUE / FALSE 0 name144 could-be-large-144
+attack.invalid TRUE / FALSE 0 name145 could-be-large-145
+attack.invalid TRUE / FALSE 0 name146 could-be-large-146
+attack.invalid TRUE / FALSE 0 name147 could-be-large-147
+attack.invalid TRUE / FALSE 0 name148 could-be-large-148
+attack.invalid TRUE / FALSE 0 name149 could-be-large-149
+attack.invalid TRUE / FALSE 0 name150 could-be-large-150
+attack.invalid TRUE / FALSE 0 name151 could-be-large-151
+</file>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET /a/b/%TESTNUMBER HTTP/1.1
+Host: attack.invalid:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+Cookie: name150=could-be-large-150; name149=could-be-large-149; name148=could-be-large-148; name147=could-be-large-147; name146=could-be-large-146; name145=could-be-large-145; name144=could-be-large-144; name143=could-be-large-143; name142=could-be-large-142; name141=could-be-large-141; name140=could-be-large-140; name139=could-be-large-139; name138=could-be-large-138; name137=could-be-large-137; name136=could-be-large-136; name135=could-be-large-135; name134=could-be-large-134; name133=could-be-large-133; name132=could-be-large-132; name131=could-be-large-131; name130=could-be-large-130; name129=could-be-large-129; name128=could-be-large-128; name127=could-be-large-127; name126=could-be-large-126; name125=could-be-large-125; name124=could-be-large-124; name123=could-be-large-123; name122=could-be-large-122; name121=could-be-large-121; name120=could-be-large-120; name119=could-be-large-119; name118=could-be-large-118; name117=could-be-large-117; name116=could-be-large-116; name115=could-be-large-115; name114=could-be-large-114; name113=could-be-large-113; name112=could-be-large-112; name111=could-be-large-111; name110=could-be-large-110; name109=could-be-large-109; name108=could-be-large-108; name107=could-be-large-107; name106=could-be-large-106; name105=could-be-large-105; name104=could-be-large-104; name103=could-be-large-103; name102=could-be-large-102; name101=could-be-large-101; name100=could-be-large-100; name99=could-be-large-99; name98=could-be-large-98; name97=could-be-large-97; name96=could-be-large-96; name95=could-be-large-95; name94=could-be-large-94; name93=could-be-large-93; name92=could-be-large-92; name91=could-be-large-91; name90=could-be-large-90; name89=could-be-large-89; name88=could-be-large-88; name87=could-be-large-87; name86=could-be-large-86; name85=could-be-large-85; name84=could-be-large-84; name83=could-be-large-83; name82=could-be-large-82; name81=could-be-large-81; name80=could-be-large-80; name79=could-be-large-79; name78=could-be-large-78; name77=could-be-large-77; name76=could-be-large-76; name75=could-be-large-75; name74=could-be-large-74; name73=could-be-large-73; name72=could-be-large-72; name71=could-be-large-71; name70=could-be-large-70; name69=could-be-large-69; name68=could-be-large-68; name67=could-be-large-67; name66=could-be-large-66; name65=could-be-large-65; name64=could-be-large-64; name63=could-be-large-63; name62=could-be-large-62; name61=could-be-large-61; name60=could-be-large-60; name59=could-be-large-59; name58=could-be-large-58; name57=could-be-large-57; name56=could-be-large-56; name55=could-be-large-55; name54=could-be-large-54; name53=could-be-large-53; name52=could-be-large-52; name51=could-be-large-51; name50=could-be-large-50; name49=could-be-large-49; name48=could-be-large-48; name47=could-be-large-47; name46=could-be-large-46; name45=could-be-large-45; name44=could-be-large-44; name43=could-be-large-43; name42=could-be-large-42; name41=could-be-large-41; name40=could-be-large-40; name39=could-be-large-39; name38=could-be-large-38; name37=could-be-large-37; name36=could-be-large-36; name35=could-be-large-35; name34=could-be-large-34; name33=could-be-large-33; name32=could-be-large-32; name31=could-be-large-31; name30=could-be-large-30; name29=could-be-large-29; name28=could-be-large-28; name27=could-be-large-27; name26=could-be-large-26; name25=could-be-large-25; name24=could-be-large-24; name23=could-be-large-23; name22=could-be-large-22; name21=could-be-large-21; name20=could-be-large-20; name19=could-be-large-19; name18=could-be-large-18; name17=could-be-large-17; name16=could-be-large-16; name15=could-be-large-15; name14=could-be-large-14; name13=could-be-large-13; name12=could-be-large-12; name11=could-be-large-11; name10=could-be-large-10; name9=could-be-large-9; name8=could-be-large-8; name7=could-be-large-7; name6=could-be-large-6; name5=could-be-large-5; name4=could-be-large-4; name3=could-be-large-3; name2=could-be-large-2; name1=could-be-large-1
+
+</protocol>
+</verify>
+</testcase>
diff --git a/tests/data/test443 b/tests/data/test443
new file mode 100644
index 0000000..996b1d3
--- /dev/null
+++ b/tests/data/test443
@@ -0,0 +1,78 @@
+# perl:
+#
+#for(1 .. 20) {
+# print join("\t",
+# "attack.invalid", "TRUE", "/", "FALSE", "0",
+# "huge-$_", ('a' x 500)."-$_")."\n";
+#}
+#
+<testcase>
+<info>
+<keywords>
+HTTP
+cookies
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 6
+
+-foo-
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+<name>
+Cookie header in request no longer than 8K
+</name>
+<command>
+http://attack.invalid:%HTTPPORT/a/b/%TESTNUMBER -b log/cookie%TESTNUMBER --resolve attack.invalid:%HTTPPORT:%HOSTIP -L
+</command>
+<file name="log/cookie%TESTNUMBER" mode="text">
+attack.invalid TRUE / FALSE 0 huge-1 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-1
+attack.invalid TRUE / FALSE 0 huge-2 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-2
+attack.invalid TRUE / FALSE 0 huge-3 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-3
+attack.invalid TRUE / FALSE 0 huge-4 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-4
+attack.invalid TRUE / FALSE 0 huge-5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-5
+attack.invalid TRUE / FALSE 0 huge-6 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-6
+attack.invalid TRUE / FALSE 0 huge-7 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-7
+attack.invalid TRUE / FALSE 0 huge-8 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-8
+attack.invalid TRUE / FALSE 0 huge-9 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-9
+attack.invalid TRUE / FALSE 0 huge-10 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-10
+attack.invalid TRUE / FALSE 0 huge-11 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-11
+attack.invalid TRUE / FALSE 0 huge-12 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-12
+attack.invalid TRUE / FALSE 0 huge-13 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-13
+attack.invalid TRUE / FALSE 0 huge-14 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-14
+attack.invalid TRUE / FALSE 0 huge-15 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-15
+attack.invalid TRUE / FALSE 0 huge-16 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-16
+attack.invalid TRUE / FALSE 0 huge-17 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-17
+attack.invalid TRUE / FALSE 0 huge-18 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-18
+attack.invalid TRUE / FALSE 0 huge-19 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-19
+attack.invalid TRUE / FALSE 0 huge-20 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-20
+</file>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET /a/b/%TESTNUMBER HTTP/1.1
+Host: attack.invalid:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+Cookie: huge-20=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-20; huge-19=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-19; huge-18=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-18; huge-17=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-17; huge-16=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-16; huge-15=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-15; huge-14=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-14; huge-13=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-13; huge-12=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-12; huge-11=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-11; huge-10=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-10; huge-9=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-9; huge-8=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-8; huge-7=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-7; huge-6=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-6
+
+</protocol>
+</verify>
+</testcase>
--
2.35.3
From a09261fa4976562735320e4e953ca4f4c81ec452 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 26 Jun 2022 11:01:01 +0200
Subject: [PATCH 3/3] test444: test many received Set-Cookie:
The amount of sent cookies in the test is limited to 80 because hyper
has its own strict limits in how many headers it allows to be received
which triggers at some point beyond this number.
Upstream-commit: 46f8911d3942dc06fdd67e9f6f3908982e5d2fb4
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
tests/data/Makefile.inc | 2 +-
tests/data/test444 | 189 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 190 insertions(+), 1 deletion(-)
create mode 100644 tests/data/test444
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index fe04fee..c38f2d2 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -72,7 +72,7 @@ test409 test410 \
\
test430 test431 test432 test433 test434 test435 test436 \
\
-test440 test441 test442 test443 \
+test440 test441 test442 test443 test444 \
\
test490 test491 test492 test493 test494 \
\
diff --git a/tests/data/test444 b/tests/data/test444
new file mode 100644
index 0000000..9bdd4a7
--- /dev/null
+++ b/tests/data/test444
@@ -0,0 +1,189 @@
+# perl:
+#
+#for(1 .. 200) {
+#
+#}
+#
+<testcase>
+<info>
+<keywords>
+HTTP
+cookies
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 6
+Set-Cookie: cookie-1=yes;
+Set-Cookie: cookie-2=yes;
+Set-Cookie: cookie-3=yes;
+Set-Cookie: cookie-4=yes;
+Set-Cookie: cookie-5=yes;
+Set-Cookie: cookie-6=yes;
+Set-Cookie: cookie-7=yes;
+Set-Cookie: cookie-8=yes;
+Set-Cookie: cookie-9=yes;
+Set-Cookie: cookie-10=yes;
+Set-Cookie: cookie-11=yes;
+Set-Cookie: cookie-12=yes;
+Set-Cookie: cookie-13=yes;
+Set-Cookie: cookie-14=yes;
+Set-Cookie: cookie-15=yes;
+Set-Cookie: cookie-16=yes;
+Set-Cookie: cookie-17=yes;
+Set-Cookie: cookie-18=yes;
+Set-Cookie: cookie-19=yes;
+Set-Cookie: cookie-20=yes;
+Set-Cookie: cookie-21=yes;
+Set-Cookie: cookie-22=yes;
+Set-Cookie: cookie-23=yes;
+Set-Cookie: cookie-24=yes;
+Set-Cookie: cookie-25=yes;
+Set-Cookie: cookie-26=yes;
+Set-Cookie: cookie-27=yes;
+Set-Cookie: cookie-28=yes;
+Set-Cookie: cookie-29=yes;
+Set-Cookie: cookie-30=yes;
+Set-Cookie: cookie-31=yes;
+Set-Cookie: cookie-32=yes;
+Set-Cookie: cookie-33=yes;
+Set-Cookie: cookie-34=yes;
+Set-Cookie: cookie-35=yes;
+Set-Cookie: cookie-36=yes;
+Set-Cookie: cookie-37=yes;
+Set-Cookie: cookie-38=yes;
+Set-Cookie: cookie-39=yes;
+Set-Cookie: cookie-40=yes;
+Set-Cookie: cookie-41=yes;
+Set-Cookie: cookie-42=yes;
+Set-Cookie: cookie-43=yes;
+Set-Cookie: cookie-44=yes;
+Set-Cookie: cookie-45=yes;
+Set-Cookie: cookie-46=yes;
+Set-Cookie: cookie-47=yes;
+Set-Cookie: cookie-48=yes;
+Set-Cookie: cookie-49=yes;
+Set-Cookie: cookie-50=yes;
+Set-Cookie: cookie-51=yes;
+Set-Cookie: cookie-52=yes;
+Set-Cookie: cookie-53=yes;
+Set-Cookie: cookie-54=yes;
+Set-Cookie: cookie-55=yes;
+Set-Cookie: cookie-56=yes;
+Set-Cookie: cookie-57=yes;
+Set-Cookie: cookie-58=yes;
+Set-Cookie: cookie-59=yes;
+Set-Cookie: cookie-60=yes;
+Set-Cookie: cookie-61=yes;
+Set-Cookie: cookie-62=yes;
+Set-Cookie: cookie-63=yes;
+Set-Cookie: cookie-64=yes;
+Set-Cookie: cookie-65=yes;
+Set-Cookie: cookie-66=yes;
+Set-Cookie: cookie-67=yes;
+Set-Cookie: cookie-68=yes;
+Set-Cookie: cookie-69=yes;
+Set-Cookie: cookie-70=yes;
+Set-Cookie: cookie-71=yes;
+Set-Cookie: cookie-72=yes;
+Set-Cookie: cookie-73=yes;
+Set-Cookie: cookie-74=yes;
+Set-Cookie: cookie-75=yes;
+Set-Cookie: cookie-76=yes;
+Set-Cookie: cookie-77=yes;
+Set-Cookie: cookie-78=yes;
+Set-Cookie: cookie-79=yes;
+Set-Cookie: cookie-80=yes;
+
+-foo-
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+<name>
+Many Set-Cookie response headers
+</name>
+<command>
+http://attack.invalid:%HTTPPORT/a/b/%TESTNUMBER -c log/cookie%TESTNUMBER --resolve attack.invalid:%HTTPPORT:%HOSTIP
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET /a/b/%TESTNUMBER HTTP/1.1
+Host: attack.invalid:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+</protocol>
+<file name="log/cookie%TESTNUMBER" mode="text">
+# Netscape HTTP Cookie File
+# https://curl.se/docs/http-cookies.html
+# This file was generated by libcurl! Edit at your own risk.
+
+attack.invalid FALSE /a/b/ FALSE 0 cookie-50 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-49 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-48 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-47 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-46 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-45 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-44 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-43 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-42 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-41 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-40 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-39 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-38 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-37 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-36 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-35 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-34 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-33 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-32 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-31 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-30 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-29 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-28 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-27 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-26 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-25 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-24 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-23 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-22 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-21 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-20 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-19 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-18 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-17 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-16 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-15 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-14 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-13 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-12 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-11 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-10 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-9 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-8 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-7 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-6 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-5 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-4 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-3 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-2 yes
+attack.invalid FALSE /a/b/ FALSE 0 cookie-1 yes
+</file>
+</verify>
+</testcase>
--
2.35.3