+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: _clean_input_keys() does not follow RFC2109 (/showthread.php?tid=12379)
_clean_input_keys() does not follow RFC2109 - El Forum - 10-16-2008
[eluser]BlueCamel[/eluser]
The _clean_input_keys() function in CI 1.6.2 uses the following regex to reject cookies
with "unacceptable" chars:
"/^[a-z0-9:_\/-]+$/i"
According to rfc2109 http://rfc.net/rfc2109.html the user agent may return some spacial
cookies including $Version, $Path, and $Domain. See section:
4.4 How an Origin Server Interprets the Cookie Header
In the following section 5.1 they have an example of this exchnage where the UA returns
a $Version and $Path cookie along with the cookie set by the server.
The problem here is that the regex above trips over the $ char. Can this be adjusted to
either include $ chars in the next release of CI?
This isn't a hypothetical issue as the Mathmatica web client follows the above RFC and
returns $Version ci_session $Path similar to the example in section 5.1 of the RFC.
_clean_input_keys() does not follow RFC2109 - El Forum - 10-17-2008
[eluser]Derek Allard[/eluser]
What version of CI are you using? If you hit the SVN version, does this problem exist for you still?
_clean_input_keys() does not follow RFC2109 - El Forum - 10-17-2008
[eluser]BlueCamel[/eluser]
Without downloading it, yes.
The function in SVN Input.php hasn't changed from the 1.6.2 release I'm using. It's stlll called on each key/value pair in the cookie which means it will get tripped by the Mathmatica UA. If you want to see this at the protocol level I have a tcpdump that can be viewed with wireshark showing he issue.
Here is the function that causes the problem when run against each key/value cookie. Adding \$ to the regex obviously resolves the problem by there may be a better way. We know from section 4.3.4 of RFC2109 that only specific special cookies will be passed to us: $Version, $Path, and $Domain. I would propose that we strip off the special "$Key=" part of $str before passing it to this function.
Thoughts?
/**
* Clean Keys
*
* This is a helper function. To prevent malicious users
* from trying to exploit keys we make sure that keys are
* only named with alpha-numeric text and a few other items.
*
* @access private
* @param string
* @return string
*/
function _clean_input_keys($str)
{
if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
{
exit('Disallowed Key Characters.');
}
return $str;
}
_clean_input_keys() does not follow RFC2109 - El Forum - 10-17-2008
[eluser]Derek Allard[/eluser]
This has come up recently. In response the input library now contains.
Code:
// Clean $_COOKIE Data
// Also get rid of specially treated cookies that might be set by a server
// or silly application, that are of no use to a CI application anyway
// but that when present will trip our 'Disallowed Key Characters' alarm
// http://www.ietf.org/rfc/rfc2109.txt
// note that the key names below are single quoted strings, and are not PHP variables
unset($_COOKIE['$Version']);
unset($_COOKIE['$Path']);
unset($_COOKIE['$Domain']);
$_COOKIE = $this->_clean_input_data($_COOKIE);_clean_input_keys() does not follow RFC2109 - El Forum - 10-17-2008
[eluser]BlueCamel[/eluser]
Nice. Thanks much. We'll upgrade to 1.7 when it comes out.