permitted_uri_chars in application/config.php not working [serious vulnerability]
#11

[eluser]Keat Liang[/eluser]
I found out which function might cause the error.

under core/URI.php
Code:
/**
* Filter segments for malicious characters
*
* @access    private
* @param    string
* @return    string
*/
function _filter_uri($str)
{
        if ($str != '' && $this->config->item('permitted_uri_chars') != '' && $this->config->item('enable_query_strings') == FALSE)
        {

                // preg_quote() in PHP 5.3 escapes -, so the str_replace() and addition of - to preg_quote() is to maintain backwards
                // compatibility as many are unaware of how characters in the permitted_uri_chars will be parsed as a regex pattern
                if ( ! preg_match("|^[".str_replace(array('\\-', '\-'), '-', preg_quote($this->config->item('permitted_uri_chars'), '-'))."]+$|i", $str)) //this tricky tricky
                {
                        show_error('The URI you submitted has disallowed characters.', 400);
                }
        }

        // Convert programmatic characters to entities
        $bad    = array('$',        '(',        ')',        '%28',        '%29');
        $good    = array('&#36;',    '&#40;',    '&#41;',    '&#40;',    '&#41;');

        return str_replace($bad, $good, $str);
}


// so I echo it out
echo "|^[".str_replace(array('\\-', '\-'), '-', preg_quote($this->config->item('permitted_uri_chars'), '-'))."]+$|i";

/*
I get this

|^[a-z 0-9~%\.\:_\-]+$|i

*/

Doesn't Perl syntax look like this?

Code:
/^[a-z 0-9~%\.\:_\-]+$/i

and I notice
_remove_url_suffix()
_explode_segments()

also use
Code:
|

Update: after looking at the PHP documentation, a Perl regular expression delimiter can be / # ~ (the common ones).

http://www.php.net/manual/en/regexp.refe...miters.php
#12

[eluser]Keat Liang[/eluser]
I did a fix. Because $str is percent-encoded, preg_match will not work on certain URL characters.
Here is the quick and dirty fix:


Code:
class MY_URI extends CI_URI
{


    function __construct()
    {
        parent::__construct();
    }


    /**
     * Filter segments for malicious characters
     *
     * with quick and dirty fix by keatliang
     *
     * @access    private
     * @param    string
     * @return    string
     */
    function _filter_uri($str)
    {
            if ($str != '' && $this->config->item('permitted_uri_chars') != '' && $this->config->item('enable_query_strings') == FALSE)
            {
                    // preg_quote() in PHP 5.3 escapes -, so the str_replace() and addition of - to preg_quote() is to maintain backwards
                    // compatibility as many are unaware of how characters in the permitted_uri_chars will be parsed as a regex pattern
                    if ( ! preg_match("|^[".str_replace(array('\\-', '\-'), '-', preg_quote($this->config->item('permitted_uri_chars'), '-'))."]+$|i", urldecode($str))) //tricky tricky
                    {
                            show_error('The URI you submitted has disallowed characters.', 400);
                    }
            }

            // Convert programmatic characters to entities
            $bad    = array('$',        '(',        ')',        '%28',        '%29');
            $good    = array('&#36;',    '&#40;',    '&#41;',    '&#40;',    '&#41;');

            return str_replace($bad, $good, $str);
    }


}
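
The difference between matching the raw segment and the decoded one, as an added example that is not part of the original posts or of CodeIgniter: it rebuilds the pattern the way `_filter_uri()` does and runs three constructed segments through the original check, the `urldecode()` check from post #12, and a decode-until-stable variant that goes beyond the thread. The function names and the `permitted_uri_chars` value `a-z 0-9~%.:_\-` are assumptions.

```php
<?php
// Added example, not CodeIgniter code. Function names are hypothetical.

// Build the whitelist regex the same way _filter_uri() does.
function build_pattern(string $permitted): string
{
    $class = str_replace(array('\\-', '\-'), '-', preg_quote($permitted, '-'));
    return '|^[' . $class . ']+$|i';
}

// Original check: match the segment exactly as received (still encoded).
function passes_raw(string $pattern, string $segment): bool
{
    return preg_match($pattern, $segment) === 1;
}

// Check from post #12: decode once, then match.
function passes_decoded(string $pattern, string $segment): bool
{
    return preg_match($pattern, urldecode($segment)) === 1;
}

// Stricter variant (an assumption, not from the thread): decode until the
// value stops changing, and reject input still changing after $max rounds.
function passes_fully_decoded(string $pattern, string $segment, int $max = 5): bool
{
    for ($i = 0; $i < $max; $i++) {
        $next = urldecode($segment);
        if ($next === $segment) {
            return preg_match($pattern, $segment) === 1;
        }
        $segment = $next;
    }
    return false;
}

// Assumed permitted_uri_chars value; the segments are constructed samples.
$pattern = build_pattern('a-z 0-9~%.:_\-');
$samples = array('welcome', 'news%3Cb%3E', 'news%253Cb%253E');

printf("%-18s %-5s %-8s %s\n", 'segment', 'raw', 'decoded', 'fully decoded');
foreach ($samples as $s) {
    printf("%-18s %-5s %-8s %s\n", $s,
        passes_raw($pattern, $s) ? 'pass' : 'block',
        passes_decoded($pattern, $s) ? 'pass' : 'block',
        passes_fully_decoded($pattern, $s) ? 'pass' : 'block');
}
```

The raw check accepts any percent-encoded byte because `%` and the hex digits are themselves in the whitelist, which is why the match has to run on the decoded value.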
#13

[eluser]lwliang061[/eluser]
These things looked pretty good, and some that I can learn, I hope to learn more on it!



