CodeIgniter Forums
[SOLVED] Allowing all URI characters - Printable Version




[SOLVED] Allowing all URI characters - El Forum - 01-15-2010

[eluser]misplacedme[/eluser]
I'm toying with CodeIgniter, and ran into an issue that I need an answer on.
I'm wanting to have user-readable search queries based on the address (index.php/users/search/tom*)
Of course, I get a message saying that I have illegal values in my URI. I don't want to base64 encode my strings, and the only thing I can think of to allow this is to allow all URI characters.

What exactly are the repercussions of doing this? As far as I can see, it will just mean I will need to do more sanitization than before. Correct me if I'm wrong.


[SOLVED] Allowing all URI characters - El Forum - 01-15-2010

[eluser]Sbioko[/eluser]
Quote: I will need to do more sanitization than before
No, you will not. Just do these 2 simple steps:
1) Change permitted_uri_chars option in your config.php to this:
Code:
$config['permitted_uri_chars'] = '';

2) Then, go to your URI library (system/libraries/URI.php) and find the _filter_uri function. After that, put this code:
Code:
global $IN;
return $IN->xss_clean(str_replace($bad, $good, $str));
to the end of this function.

That's all. Now you can use all URI characters and be safe!


[SOLVED] Allowing all URI characters - El Forum - 01-15-2010

[eluser]misplacedme[/eluser]
Well thank you very much.


[SOLVED] Allowing all URI characters - El Forum - 01-16-2010

[eluser]ydp2005[/eluser]
Why "Call to a member function xss_clean() on a non-object"?


[SOLVED] Allowing all URI characters - El Forum - 01-16-2010

[eluser]ydp2005[/eluser]
Code:
$IN =& load_class('Input');
return $IN->xss_clean(str_replace($bad, $good, $str));



[SOLVED] Allowing all URI characters - El Forum - 01-17-2010

[eluser]Ben Edmunds[/eluser]
Just to add a note to this discussion.

It is NOT a good idea to change the core system files. You need to extend the library with a MY_Library if you wish to change the core behavior. You do not want to break your site if you, or someone else, upgrades the CI core.


[SOLVED] Allowing all URI characters - El Forum - 01-17-2010

[eluser]Jamie Rumbelow[/eluser]
...neither is it a good idea to allow every single character to pass through in your URL. I could hack your website in so many different ways now I know that any character is passed through, and (hypothetically) could track your username across the web to find out what site it is and then hack it.

Security's important. Limit the character set to a certain few characters. Even if you are xss_clean()ing it, it's not impossible to bypass.

Jamie


[SOLVED] Allowing all URI characters - El Forum - 04-29-2010

[eluser]WanWizard[/eluser]
All very well for someone whose scope is limited to English.

I would like to have URLs, e.g. for forum or blog posts, like http://mysite/forum/post/1234-this-is-the-title-of-a-forum-post.html. This particular example passes inspection, but that changes as soon as the post title is in Hebrew, Chinese, or any other non-Latin set of characters.

So how do I deal with this issue while keeping the potential security issues you refer to in mind?
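

The allow-list approach recommended earlier in the thread, widened to cover non-Latin titles, as an added example that is not part of the original thread and not CodeIgniter's own code. The function name validate_segment(), the 64-character limit and the sample inputs are assumptions made for illustration; it also assumes the segment arrives still percent-encoded and that PCRE was built with Unicode property support.

```php
<?php
// Added example, not CodeIgniter code. validate_segment() and the sample
// inputs below are constructed for illustration.

/**
 * Allow-list check for a single URI segment.
 * Accepts letters, combining marks and digits from any script, plus
 * "-", "_", "." and the "*" wildcard from the search example.
 * Returns the decoded segment, or null if it must be rejected.
 */
function validate_segment(string $raw, int $maxLen = 64): ?string
{
    // Decode %XX once; a remaining "%" is rejected by the class below.
    $seg = rawurldecode($raw);

    // /u makes PCRE treat the subject as UTF-8: malformed byte sequences
    // make preg_match() return false, so they are rejected as well.
    // \A and \z anchor at the true start and end of the string.
    $pattern = '/\A[\p{L}\p{M}\p{N}_.*-]{1,' . $maxLen . '}\z/u';

    return preg_match($pattern, $seg) === 1 ? $seg : null;
}

// Constructed sample segments as they would arrive percent-encoded.
$samples = [
    'tom*',                                  // wildcard search term
    '1234-this-is-the-title.html',           // Latin slug
    '%D7%A9%D7%9C%D7%95%D7%9D',              // Hebrew word, UTF-8
    '%E4%BD%A0%E5%A5%BD',                    // Chinese word, UTF-8
    '%3Cscript%3E',                          // markup characters
    'a%00b',                                 // NUL byte
    '%C3%28',                                // malformed UTF-8
    'tom%252A',                              // double-encoded "*"
];

foreach ($samples as $raw) {
    $seg = validate_segment($raw);
    // Escape at output even after validation; the allow-list limits what
    // reaches the application, it does not make a value safe for HTML.
    $shown = $seg === null
        ? 'rejected'
        : 'accepted: ' . htmlspecialchars($seg, ENT_QUOTES, 'UTF-8');
    printf("%-32s %s\n", $raw, $shown);
}
```

A segment made only of dots still matches this pattern; reject "." and ".." separately if a segment is ever used to build a file path.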