[eluser]Keat Liang[/eluser]
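I made a fix. Because $str is still percent-encoded, preg_match() does not work on certain URL characters, so the check now runs on a decoded copy of the segment (the value returned is still the original, encoded string).
Here is the quick and dirty fix: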
Code:
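/**
 * URI class override whose segment filter validates the percent-decoded
 * form of each segment against the configured permitted_uri_chars list.
 */
class MY_URI extends CI_URI
{
    /**
     * Defers entirely to the CI_URI constructor.
     */
    function __construct()
    {
        parent::__construct();
    }

    /**
     * Filter segments for malicious characters
     *
     * with quick and dirty fix by keatliang: the whitelist is matched against
     * a decoded copy of the segment rather than the raw, percent-encoded text.
     *
     * Security notes:
     *  - Only ONE decoding pass is validated, and the value returned is the
     *    original, still-encoded $str. Any code that decodes the segment again
     *    later must validate the result itself; this filter cannot vouch for it.
     *  - rawurldecode() is used instead of urldecode(): in a URI path "+" is a
     *    literal plus sign, but urldecode() turns it into a space, which would
     *    let "+" pass whenever a space is permitted even if "+" is not.
     *
     * @access private
     * @param string $str URI segment as received (may be percent-encoded)
     * @return string the segment with programmatic characters replaced by entities
     */
    function _filter_uri($str)
    {
        $permitted = $this->config->item('permitted_uri_chars');

        // Loose comparisons are kept on purpose so an unset (FALSE/NULL) config
        // item behaves the same as an empty string, as in the original check.
        if ($str != '' && $permitted != '' && $this->config->item('enable_query_strings') == FALSE)
        {
            // preg_quote() in PHP 5.3 escapes -, so the str_replace() and addition of - to preg_quote() is to maintain backwards
            // compatibility as many are unaware of how characters in the permitted_uri_chars will be parsed as a regex pattern
            $char_class = str_replace(array('\\-', '\-'), '-', preg_quote($permitted, '-'));

            // Validate what the segment actually represents, not its encoded spelling.
            $decoded = rawurldecode($str);

            if ( ! preg_match("|^[".$char_class."]+$|i", $decoded))
            {
                // NOTE(review): show_error() is presumably terminal; if it can return,
                // the rejected segment would still fall through to the code below - confirm.
                show_error('The URI you submitted has disallowed characters.', 400);
            }
        }

        // Convert programatic characters to entities.
        // The two arrays must differ: with identical literals on both sides the
        // str_replace() below is a no-op and nothing is neutralised. Both the
        // literal and the percent-encoded parentheses map to the same entities.
        $bad  = array('$', '(', ')', '%28', '%29');
        $good = array('&#36;', '&#40;', '&#41;', '&#40;', '&#41;');

        return str_replace($bad, $good, $str);
    }
}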