Security Implications of turning off the "Disallowed Characters" test?
#1

[eluser]Rob Howard[/eluser]
Hi guys, thanks for all your help and a wonderful framework in CodeIgniter.

A project that had been live for 2+ years recently started throwing a "URI has disallowed characters" error for every URL, none of which had strange or unusual characters in them as far as I could tell. I am not aware of any changes that took place on the server to cause this. To fix the problem for the time being, I've simply commented out the line of code that throws the error, effectively turning off this "disallowed characters" test.

I have seen statements that this opens up potential security issues. Could you please elaborate on what the potential security problems are, so that I can make my client aware of them and allow them to make an informed decision on how to proceed?

Thanks!
#2

[eluser]Rob Howard[/eluser]
The same issue appears to be happening on all my Media Temple Grid-Service based sites. I am running CI 1.7.0 and the server is using PHP 5.3.13 - could a recent PHP update have caused the disallowed characters check to stop working properly?

Thanks!
#3

[eluser]Unknown[/eluser]
[quote author="Rob Howard" date="1343861133"]The same issue appears to be happening on all my Media Temple Grid-Service based sites. I am running CI 1.7.0 and the server is using PHP 5.3.13 - could a recent PHP update have caused the disallowed characters check to stop working properly?

Thanks![/quote]

Hey there! Difficult for me to comment on the security risks of disabling that line as it is specific to CodeIgniter. However, I believe the error you are receiving is a flaw in your code that was not being checked by PHP before but is now being checked by PHP 5.3. I found the below for your reference.

http://stackoverflow.com/questions/34849...characters

Let us know if (mt) Media Temple can help you in any way. We're available 24/7.

Drew J
(mt) Media Temple
@mediatemple
877-578-4000
#4

[eluser]Rob Howard[/eluser]
Thanks, Drew, it is nice to see the MT support team is monitoring outside forums.

CodeIgniter team: It looks like the regular expression used to test for the allowed characters in /system/libraries/URI.php Line 189 in CI 1.7.0 has been broken by PHP 5.3, which introduced a change to the preg_quote() function. I haven't been able to find a suitable fix for the regular expression, but I'm not an expert in that department, so if you could look into this and post a fix, that would be much appreciated. (The links in Drew's post above were a start, but didn't fix the issue for me.)

Thanks!
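An added example, not code from CodeIgniter or from anyone in this thread, of the breakage Rob describes in #4: PHP 5.3 changed preg_quote() so that it also escapes "-", and a permitted-character list such as "a-z 0-9" passed through it no longer reads as ranges inside a [...] character class, so nearly every segment is reported as disallowed. The whitelist value, the function names and the sample segments below are assumptions; the repair shown is to put the range dashes back after quoting, which keeps the per-segment whitelist in place instead of commenting the check out.

```php
<?php
// Added example (not CodeIgniter's own code): reproduces the PHP 5.3 preg_quote()
// change that breaks a character-class whitelist built the CI 1.7.0 way, and a
// repaired builder that keeps the whitelist. Written without scalar type hints so
// it also runs on the PHP 5.3 the thread is about.

// Assumed whitelist; CodeIgniter's default permitted_uri_chars is of this form.
define('PERMITTED_URI_CHARS', 'a-z 0-9~%.:_-');

/**
 * Pattern built the CI 1.7.0 way: the raw whitelist goes straight into preg_quote().
 * From PHP 5.3 on, preg_quote() escapes '-' too, so "a-z" becomes "a\-z" and the
 * range collapses to the three literal characters 'a', '-' and 'z'.
 */
function legacyUriPattern($permitted)
{
    return '|^[' . preg_quote($permitted) . ']+$|i';
}

/**
 * Repaired pattern: quote the whitelist with '-' named as the delimiter (so it is
 * escaped on every PHP version), then restore the range dashes. Only '\-' is
 * unescaped; every other quoted metacharacter stays literal.
 */
function fixedUriPattern($permitted)
{
    $quoted = str_replace('\-', '-', preg_quote($permitted, '-'));
    return '|^[' . $quoted . ']+$|i';
}

/** True when the segment consists only of whitelisted characters. */
function segmentAllowed($segment, $pattern)
{
    return preg_match($pattern, $segment) === 1;
}

// Constructed sample segments: CI applies the check to each URI segment, not the whole path.
$segments = array('products', 'view-12', 'a-z', 'page<script>');

$patterns = array(
    'legacy' => legacyUriPattern(PERMITTED_URI_CHARS),
    'fixed'  => fixedUriPattern(PERMITTED_URI_CHARS),
);

foreach ($patterns as $name => $pattern) {
    echo "$name pattern: $pattern\n";
    foreach ($segments as $segment) {
        printf("  %-14s %s\n", $segment,
            segmentAllowed($segment, $pattern) ? 'allowed' : 'DISALLOWED');
    }
}
```

On PHP 5.3 or later the legacy pattern expands to `[a\-z 0\-9~%\.\:_\-]`, so "products" and "view-12" are refused and only the literal "a-z" passes; the fixed pattern expands to `[a-z 0-9~%\.\:_-]`, accepts all three and still refuses "page<script>". Restoring the ranges this way is what later CodeIgniter releases do, and it is the change to make rather than removing the check, since with the check commented out every segment reaches the router unfiltered.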
#5

[eluser]CroNiX[/eluser]
1.7 is a few years old and is no longer maintained. You might try a newer version.
