_clean_input_keys() does not follow RFC2109 |
[eluser]BlueCamel[/eluser]
The _clean_input_keys() function in CI 1.6.2 uses the following regex to reject cookies with "unacceptable" chars: "/^[a-z0-9:_\/-]+$/i" According to rfc2109 http://rfc.net/rfc2109.html the user agent may return some spacial cookies including $Version, $Path, and $Domain. See section: 4.4 How an Origin Server Interprets the Cookie Header In the following section 5.1 they have an example of this exchnage where the UA returns a $Version and $Path cookie along with the cookie set by the server. The problem here is that the regex above trips over the $ char. Can this be adjusted to either include $ chars in the next release of CI? This isn't a hypothetical issue as the Mathmatica web client follows the above RFC and returns $Version ci_session $Path similar to the example in section 5.1 of the RFC.
[eluser]Derek Allard[/eluser]
What version of CI are you using? If you hit the SVN version, does this problem exist for you still?
[eluser]BlueCamel[/eluser]
Without downloading it, yes. The function in SVN Input.php hasn't changed from the 1.6.2 release I'm using. It's stlll called on each key/value pair in the cookie which means it will get tripped by the Mathmatica UA. If you want to see this at the protocol level I have a tcpdump that can be viewed with wireshark showing he issue. Here is the function that causes the problem when run against each key/value cookie. Adding \$ to the regex obviously resolves the problem by there may be a better way. We know from section 4.3.4 of RFC2109 that only specific special cookies will be passed to us: $Version, $Path, and $Domain. I would propose that we strip off the special "$Key=" part of $str before passing it to this function. Thoughts? /** * Clean Keys * * This is a helper function. To prevent malicious users * from trying to exploit keys we make sure that keys are * only named with alpha-numeric text and a few other items. * * @access private * @param string * @return string */ function _clean_input_keys($str) { if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str)) { exit('Disallowed Key Characters.'); } return $str; }
[eluser]Derek Allard[/eluser]
This has come up recently. In response the input library now contains. Code: // Clean $_COOKIE Data
[eluser]BlueCamel[/eluser]
Nice. Thanks much. We'll upgrade to 1.7 when it comes out. |
Welcome Guest, Not a member yet? Register Sign In |