CodeIgniter Forums
_clean_input_keys() does not follow RFC2109 - Printable Version

+- CodeIgniter Forums (
+-- Forum: Archived Discussions (
+--- Forum: Archived Development & Programming (
+--- Thread: _clean_input_keys() does not follow RFC2109 (/thread-12379.html)

_clean_input_keys() does not follow RFC2109 - El Forum - 10-16-2008

The _clean_input_keys() function in CI 1.6.2 uses the following regex to reject cookies
with "unacceptable" chars:


According to rfc2109 the user agent may return some spacial
cookies including $Version, $Path, and $Domain. See section:

4.4 How an Origin Server Interprets the Cookie Header

In the following section 5.1 they have an example of this exchnage where the UA returns
a $Version and $Path cookie along with the cookie set by the server.

The problem here is that the regex above trips over the $ char. Can this be adjusted to
either include $ chars in the next release of CI?

This isn't a hypothetical issue as the Mathmatica web client follows the above RFC and
returns $Version ci_session $Path similar to the example in section 5.1 of the RFC.

_clean_input_keys() does not follow RFC2109 - El Forum - 10-17-2008

[eluser]Derek Allard[/eluser]
What version of CI are you using? If you hit the SVN version, does this problem exist for you still?

_clean_input_keys() does not follow RFC2109 - El Forum - 10-17-2008

Without downloading it, yes.

The function in SVN Input.php hasn't changed from the 1.6.2 release I'm using. It's stlll called on each key/value pair in the cookie which means it will get tripped by the Mathmatica UA. If you want to see this at the protocol level I have a tcpdump that can be viewed with wireshark showing he issue.

Here is the function that causes the problem when run against each key/value cookie. Adding \$ to the regex obviously resolves the problem by there may be a better way. We know from section 4.3.4 of RFC2109 that only specific special cookies will be passed to us: $Version, $Path, and $Domain. I would propose that we strip off the special "$Key=" part of $str before passing it to this function.


* Clean Keys
* This is a helper function. To prevent malicious users
* from trying to exploit keys we make sure that keys are
* only named with alpha-numeric text and a few other items.
* @access private
* @param string
* @return string
function _clean_input_keys($str)
if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
exit('Disallowed Key Characters.');

return $str;

_clean_input_keys() does not follow RFC2109 - El Forum - 10-17-2008

[eluser]Derek Allard[/eluser]
This has come up recently. In response the input library now contains.
// Clean $_COOKIE Data
        // Also get rid of specially treated cookies that might be set by a server
        // or silly application, that are of no use to a CI application anyway
        // but that when present will trip our 'Disallowed Key Characters' alarm
        // note that the key names below are single quoted strings, and are not PHP variables
        $_COOKIE = $this->_clean_input_data($_COOKIE);

_clean_input_keys() does not follow RFC2109 - El Forum - 10-17-2008

Nice. Thanks much. We'll upgrade to 1.7 when it comes out.