CodeIgniter Forums

Full Version: The input library breaks my site [SOLVED]

El Forum

[eluser]Paxx[/eluser]
Hi!

I've been using CodeIgniter for quite a while now, and I feel I got the hang of things.
One thing I noticed today is that the input library breaks my site's functionality when I'm using Safari.

Let me explain,

I'm using http://valums.com/ajax-upload/ for file uploading. I've rewritten the upload code to a CodeIgniter library, and everything is quite fine in every browser I've tested except for Safari.

If it is supported, XHR is used to pass the file to the uploader. The uploader looks for a RAW-input (php://input) and then writes the file to the disk. However, Safari seems to post it both like POST and like RAW-input.

And I get the error message: "disallowed key characters". I've modified Input.php (which I think is located in System/libraries) so it shows which part of the string actually contains disallowed characters, and it shows me the beginning of the file. Empty files or files with just a-z characters are just fine to upload.

So I suspected the error was in Input.php. I temporarily uncommented the line that checks the characters for $_POST, and now I can upload everything.

I want a better solution and I don't want to edit code in the core-files.

I do not use the input-library in that specific method, and the easiest thing would be to just "unload" the library... Don't know if that is possible though.

So do you guys have any ideas?

El Forum

[eluser]Paxx[/eluser]
Okay, Safari posts it as $_POST as well. Here is a small extraction of the $_POST-array.


El Forum

[eluser]Paxx[/eluser]
Hi again!

I did a quick and rough fix on this problem. I extended CI_Input.php and added a workaround:
Code:
class MY_Input extends CI_Input {

    /**
    * Clean Keys
    *
    * This is a helper function. To prevent malicious users
    * from trying to exploit keys we make sure that keys are
    * only named with alpha-numeric text and a few other items.
    *
    * @access    private
    * @param    string
    * @return    string
    */
    function _clean_input_keys($str)
    {
        if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
        {
            log_message('debug', 'Disallowed Key Characters.' . $str);
            $str = md5(microtime());
        }

        return $str;
    }

}

Since I don't use the $_POST-array in that specific method, it doesn't matter if I change the name of the keys... And if a user is trying to exploit the keys they will just be renamed, and neither they nor the rest of the script can access the keys [1] (which would have been the case anyway...)

[1] You can always do a loop to access the keys.

If anyone has a better idea how this could be solved, please reply.

It works pretty well right now.

El Forum

[eluser]Phil Sturgeon[/eluser]
I've found the exact same problem with my REST Server stuff. I have no idea why they are trying to clean $_POST key names, as there is no real security threat here unless you do something VERY silly with $_POST like foreach($_POST as $key => $val) and dump $key straight into a MySQL query.

It means people can't send Raw files or HTTP bodies (XML, JSON, etc) to a CI page through POST or PUT which is a real shame.
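
Added example (not code from the thread or from CodeIgniter): what PHP's form parser makes of a binary request body, checked against the key pattern quoted in the MY_Input post above, next to a size-capped read of the raw stream into a server-named file. The sample bytes, the function names and the 1024-byte limit are constructed for illustration.

```php
<?php
// Added illustration; not code from the thread or from CodeIgniter.
// KEY_PATTERN is the expression quoted in the MY_Input post above.
const KEY_PATTERN = '/^[a-z0-9:_\/-]+$/i';

// Return the field names a form-encoded parse of $body would produce
// that fail KEY_PATTERN. parse_str() follows the same rules PHP uses
// to fill $_POST from an application/x-www-form-urlencoded body.
function rejected_keys(string $body): array
{
    parse_str($body, $fields);
    $bad = array();
    foreach (array_keys($fields) as $key) {
        if (!preg_match(KEY_PATTERN, (string) $key)) {
            $bad[] = (string) $key;
        }
    }
    return $bad;
}

// Copy a raw request body from $in to a server-named file under $dir,
// refusing anything larger than $maxBytes. Returns the path or null.
function store_raw_body($in, string $dir, int $maxBytes): ?string
{
    $path = $dir . '/' . bin2hex(random_bytes(16)) . '.upload';
    $out = fopen($path, 'xb');          // 'x': fail if the file exists
    if ($out === false) return null;
    // Ask for one byte more than allowed so oversize bodies are detected.
    $copied = stream_copy_to_stream($in, $out, $maxBytes + 1);
    fclose($out);
    if ($copied === false || $copied > $maxBytes) {
        unlink($path);
        return null;
    }
    return $path;
}

// Constructed sample: a few bytes shaped like the start of a binary file,
// including '&' and '=' so the form parser splits it into several fields.
$sample = "\x89PNG\r\n\x1a\n\x00\x01=\xff\xd8&\xc3\x28;x=\x00\x02";
printf("%d key(s) fail the pattern\n", count(rejected_keys($sample)));

$in = fopen('php://memory', 'w+b');     // stands in for php://input
fwrite($in, $sample);
rewind($in);
var_dump(store_raw_body($in, sys_get_temp_dir(), 1024) !== null);
```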