[eluser]reconstrukt[/eluser]
Hi there,
Here's something that drove me nuts when recently developing a site on CI (craftstylish.com).
Here's the sceanrio. We're running a bunch of web apps on subdomains, and sometimes we'd run into another webapp that sets a global domain cookie that looked like this:
cm.BH$hBnAri9sTB2HN$tA2dgn3.Ari9sToOh-0
When encountered, the CI app running on a subdomain would encounter this cookie, and barf - throwing up the "Disallowed Key Chars" error.
After much head-banging (especially b/c it wasn't a cookie set by our app!) we determined that the regexp that cleans input keys in the Input.php Lib is flawed.
The regexp, as implemented, doesn't like the $ in the name. Although, according to the spec, this is OK:
----
The name must conform to RFC 2109.
That means it can contain only ASCII alphanumeric characters and cannot contain commas, semicolons, or white space or begin with a $ character.
----
So, we need a regexp that disallows $ character as the 1st char - but allows it to appear elsewhere in the string. I've posted the corrected code below.
(Thanks, Nate and Jay!)
- Matt
/**
* Clean Keys
*
* This is a helper function. To prevent malicious users
* from trying to exploit keys we make sure that keys are
* only named with alpha-numeric text and a few other items.
*
* @access private
* @param string
* @return string
*/
function _clean_input_keys($str)
{
/*
This regexp match is incorrectly implemented.
An error is thrown by a cookie named: cm.BH$hBnAri9sTB2HN$tA2dgn3.Ari9sToOh-0
It won't like the $ in the name. Although, according to the spec, this is OK:
The name must conform to RFC 2109.
That means it can contain only ASCII alphanumeric characters and cannot contain commas, semicolons, or white space or begin with a $ character.
The cookie's name cannot be changed after creation.
So, we need a regexp that disallows $ character as the 1st char - but allows it to appear elsewhere in the string.
*/
// if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
if ( ! preg_match("/^[a-z0-9:_\/-][\$a-z0-9:_\/-]*$/i", $str))
{
exit('Disallowed Key Characters: ' . $str);
}
return $str;
}
