Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Archived Discussions Archived Development & Programming Flawed Regexp in Input Library
Flawed Regexp in Input Library
  • El Forum
    Guest
  •  
#1
04-16-2008, 02:27 PM

[eluser]reconstrukt[/eluser]
Hi there,

Here's something that drove me nuts when recently developing a site on CI (craftstylish.com).

Here's the sceanrio. We're running a bunch of web apps on subdomains, and sometimes we'd run into another webapp that sets a global domain cookie that looked like this:

cm.BH$hBnAri9sTB2HN$tA2dgn3.Ari9sToOh-0

When encountered, the CI app running on a subdomain would encounter this cookie, and barf - throwing up the "Disallowed Key Chars" error.

After much head-banging (especially b/c it wasn't a cookie set by our app!) we determined that the regexp that cleans input keys in the Input.php Lib is flawed.

The regexp, as implemented, doesn't like the $ in the name. Although, according to the spec, this is OK:

----

The name must conform to RFC 2109.

That means it can contain only ASCII alphanumeric characters and cannot contain commas, semicolons, or white space or begin with a $ character.

----

So, we need a regexp that disallows $ character as the 1st char - but allows it to appear elsewhere in the string. I've posted the corrected code below.

(Thanks, Nate and Jay!)

- Matt


/**
* Clean Keys
*
* This is a helper function. To prevent malicious users
* from trying to exploit keys we make sure that keys are
* only named with alpha-numeric text and a few other items.
*
* @access private
* @param string
* @return string
*/
function _clean_input_keys($str)
{

/*

This regexp match is incorrectly implemented.
An error is thrown by a cookie named: cm.BH$hBnAri9sTB2HN$tA2dgn3.Ari9sToOh-0

It won't like the $ in the name. Although, according to the spec, this is OK:

The name must conform to RFC 2109.
That means it can contain only ASCII alphanumeric characters and cannot contain commas, semicolons, or white space or begin with a $ character.
The cookie's name cannot be changed after creation.

So, we need a regexp that disallows $ character as the 1st char - but allows it to appear elsewhere in the string.
*/

// if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
if ( ! preg_match("/^[a-z0-9:_\/-][\$a-z0-9:_\/-]*$/i", $str))
{
exit('Disallowed Key Characters: ' . $str);
}

return $str;
}
  • El Forum
    Guest
  •  
#2
04-16-2008, 03:28 PM

[eluser]Derek Jones[/eluser]
RFC 2965 I believe supersedes 2109, but regardless, that something is allowed in an RFC does not always translate to being a good idea to allow at the script level, particularly with PHP in this instance. This restriction is intentional to keep security tight; one of CodeIgniter's goals is to help developers keep their applications secure, even protecting them from themselves in some cases. In this instance, doing a foreach on GPC and outputting the keys, where in some circumstances, PHP would attempt to parse portions of keys named such as the one above as variables.

You are of course free to extend the Input class and override this method to meet your needs. We might consider instead of disallowing them and exiting, simply replacing dollar signs in cookie keys so that CI is still protected, without requiring that applications running along side it follow the same stringency.




Theme © iAndrew 2016 - Forum software by © MyBB