Fix SetCookieHeaderValue.TryParse throwing ArgumentOutOfRangeException for Max-Age overflow

[Copilot]

The SetCookieHeaderValue.TryParse method was throwing ArgumentOutOfRangeException when the Max-Age value exceeded TimeSpan's maximum representable seconds (922337203685), violating the expected behavior of TryParse methods which should return false for invalid input rather than throwing exceptions.

Problem

// This would throw ArgumentOutOfRangeException instead of returning false
bool result = SetCookieHeaderValue.TryParse("name=value; max-age=922337203686", out var cookie);

The issue occurred because TimeSpan.FromSeconds(maxAge) throws when maxAge exceeds the valid range, but the calling code didn't validate the input before the conversion.

Solution

Added overflow validation in GetSetCookieLength before calling TimeSpan.FromSeconds:

// Check if maxAge would cause TimeSpan.FromSeconds to overflow
const long MaxTimeSpanSeconds = 922337203685L;
const long MinTimeSpanSeconds = -922337203685L;
if (maxAge > MaxTimeSpanSeconds || maxAge < MinTimeSpanSeconds)
{
    // MaxAge value would overflow TimeSpan, abort
    return 0;
}

Now overflow cases return false as expected:

// These now correctly return false instead of throwing
bool result1 = SetCookieHeaderValue.TryParse("name=value; max-age=922337203686", out var cookie1);   // false
bool result2 = SetCookieHeaderValue.TryParse("name=value; max-age=-922337203686", out var cookie2);  // false

// Valid edge cases still work
bool result3 = SetCookieHeaderValue.TryParse("name=value; max-age=922337203685", out var cookie3);   // true

Added comprehensive tests covering both overflow cases (which should fail parsing) and valid edge cases (which should succeed).

Fixes #61735.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull Request Overview

This PR fixes a bug where SetCookieHeaderValue.TryParse would throw ArgumentOutOfRangeException instead of returning false when parsing Max-Age values that exceed TimeSpan's maximum representable seconds (922337203685). The fix ensures proper TryParse behavior by handling overflow conditions gracefully.

Key changes:

• Added exception handling in GetSetCookieLength to catch ArgumentOutOfRangeException from TimeSpan.FromSeconds
• Added comprehensive test coverage for both overflow cases and valid edge cases

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
src/Http/Headers/src/SetCookieHeaderValue.cs	Added try-catch block to handle TimeSpan overflow in Max-Age parsing
src/Http/Headers/test/SetCookieHeaderValueTest.cs	Added test methods covering Max-Age overflow scenarios and valid edge cases

[danmoseley]

@BrennanConroy any concerns

[danmoseley]

Also, is this worth porting into RC2?

[danmoseley]

@copilot please go back to original approach without try catch

[Copilot]

@copilot please go back to original approach without try catch

Done! Reverted to the manual validation approach without try-catch as requested. The code now uses explicit bounds checking instead of exception handling. See commit 74c8f83.

[halter73]

Also, is this worth porting into RC2?

Sure. It's a very safe improvement, but I don't think anything in the framework calls SetCookieHeaderValue.TryParse internally, so it might not be worth it to backport further.

[BrennanConroy]

/ba-g Test failure is quarantined