Welcome Guest, Not a member yet? Register   Sign In
_clean_input_keys() does not follow RFC2109

The _clean_input_keys() function in CI 1.6.2 uses the following regex to reject cookies
with "unacceptable" chars:


According to rfc2109 http://rfc.net/rfc2109.html the user agent may return some spacial
cookies including $Version, $Path, and $Domain. See section:

4.4 How an Origin Server Interprets the Cookie Header

In the following section 5.1 they have an example of this exchnage where the UA returns
a $Version and $Path cookie along with the cookie set by the server.

The problem here is that the regex above trips over the $ char. Can this be adjusted to
either include $ chars in the next release of CI?

This isn't a hypothetical issue as the Mathmatica web client follows the above RFC and
returns $Version ci_session $Path similar to the example in section 5.1 of the RFC.

[eluser]Derek Allard[/eluser]
What version of CI are you using? If you hit the SVN version, does this problem exist for you still?

Without downloading it, yes.

The function in SVN Input.php hasn't changed from the 1.6.2 release I'm using. It's stlll called on each key/value pair in the cookie which means it will get tripped by the Mathmatica UA. If you want to see this at the protocol level I have a tcpdump that can be viewed with wireshark showing he issue.

Here is the function that causes the problem when run against each key/value cookie. Adding \$ to the regex obviously resolves the problem by there may be a better way. We know from section 4.3.4 of RFC2109 that only specific special cookies will be passed to us: $Version, $Path, and $Domain. I would propose that we strip off the special "$Key=" part of $str before passing it to this function.


* Clean Keys
* This is a helper function. To prevent malicious users
* from trying to exploit keys we make sure that keys are
* only named with alpha-numeric text and a few other items.
* @access private
* @param string
* @return string
function _clean_input_keys($str)
if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
exit('Disallowed Key Characters.');

return $str;

[eluser]Derek Allard[/eluser]
This has come up recently. In response the input library now contains.
// Clean $_COOKIE Data
        // Also get rid of specially treated cookies that might be set by a server
        // or silly application, that are of no use to a CI application anyway
        // but that when present will trip our 'Disallowed Key Characters' alarm
        // http://www.ietf.org/rfc/rfc2109.txt
        // note that the key names below are single quoted strings, and are not PHP variables
        $_COOKIE = $this->_clean_input_data($_COOKIE);

Nice. Thanks much. We'll upgrade to 1.7 when it comes out.

Theme © iAndrew 2016 - Forum software by © MyBB