[eluser]BlueCamel[/eluser]
Without downloading it, yes.
The function in SVN Input.php hasn't changed from the 1.6.2 release I'm using. It's stlll called on each key/value pair in the cookie which means it will get tripped by the Mathmatica UA. If you want to see this at the protocol level I have a tcpdump that can be viewed with wireshark showing he issue.
Here is the function that causes the problem when run against each key/value cookie. Adding \$ to the regex obviously resolves the problem by there may be a better way. We know from section 4.3.4 of RFC2109 that only specific special cookies will be passed to us: $Version, $Path, and $Domain. I would propose that we strip off the special "$Key=" part of $str before passing it to this function.
Thoughts?
/**
* Clean Keys
*
* This is a helper function. To prevent malicious users
* from trying to exploit keys we make sure that keys are
* only named with alpha-numeric text and a few other items.
*
* @access private
* @param string
* @return string
*/
function _clean_input_keys($str)
{
if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
{
exit('Disallowed Key Characters.');
}
return $str;
}
