http/cookie: Enforce max_cookie_length when storing

Author: daurnimator

doc/modules/http.cookie.md

@@ -57,7 +57,8 @@ Defaults to a function based on [`os.time`](https://www.lua.org/manual/5.3/manua
 
 ### `store.max_cookie_length` <!-- --> {#http.cookie.store.max_cookie_length}
 
-The default maximum cookie length for store methods such as `:lookup()`.
+The maximum length (in bytes) of cookies in the store; this value is also used as default maximum cookie length for `:lookup()`.
+Decreasing this value will only prevent new cookies from being added, it will not remove old cookies.
 
 Defaults to infinity (no maximum size).
 

http/cookie.lua

@@ -193,6 +193,11 @@ local function add_to_store(self, cookie, req_is_http, now)
 		self:remove(cookie.domain, cookie.path, cookie.name)
 	else
 		local name = cookie.name
+		local cookie_length = #name + 1 + #cookie.value
+		if cookie_length > self.max_cookie_length then
+			return false
+		end
+
 		local domain = cookie.domain
 		local domain_cookies = self.domains[domain]
 		local path_cookies

spec/cookie_spec.lua

@@ -381,6 +381,14 @@ describe("cookie module", function()
 			assert.same("foo=path; bar=path; bar=domain; bar=time; foo=time", s:lookup("sub.example.com", "/path/longerpath", true, true))
 		end)
 	end)
+	it("enforces store.max_cookie_length", function()
+		local s = http_cookie.new_store()
+		s.max_cookie_length = 3
+		assert.falsy(s:store("example.com", "/", true, true, nil, http_cookie.parse_setcookie("foo=foo")))
+		s.max_cookie_length = 8
+		assert.truthy(s:store("example.com", "/", true, true, nil, http_cookie.parse_setcookie("foo=foo")))
+		assert.falsy(s:store("example.com", "/", true, true, nil, http_cookie.parse_setcookie("bar=longervalue")))
+	end)
 	it("enforces store.max_cookies", function()
 		local s = http_cookie.new_store()
 		s.max_cookies = 0