_clean_input_keys() does not follow RFC2109

#1
[eluser]BlueCamel[/eluser]
The _clean_input_keys() function in CI 1.6.2 uses the following regex to reject cookies
with "unacceptable" chars:

"/^[a-z0-9:_\/-]+$/i"

According to rfc2109 http://rfc.net/rfc2109.html the user agent may return some special
cookies including $Version, $Path, and $Domain. See section:

4.4 How an Origin Server Interprets the Cookie Header

In the following section 5.1 they have an example of this exchange where the UA returns
a $Version and $Path cookie along with the cookie set by the server.

The problem here is that the regex above trips over the $ char. Can this be adjusted to
include $ chars in the next release of CI?

This isn't a hypothetical issue as the Mathematica web client follows the above RFC and
returns $Version ci_session $Path similar to the example in section 5.1 of the RFC.

#2
[eluser]Derek Allard[/eluser]
What version of CI are you using? If you hit the SVN version, does this problem exist for you still?

#3
[eluser]BlueCamel[/eluser]
Without downloading it, yes.

The function in SVN Input.php hasn't changed from the 1.6.2 release I'm using. It's still called on each key/value pair in the cookie which means it will get tripped by the Mathematica UA. If you want to see this at the protocol level I have a tcpdump that can be viewed with wireshark showing the issue.

Here is the function that causes the problem when run against each key/value cookie. Adding \$ to the regex obviously resolves the problem but there may be a better way. We know from section 4.3.4 of RFC2109 that only specific special cookies will be passed to us: $Version, $Path, and $Domain. I would propose that we strip off the special "$Key=" part of $str before passing it to this function.

Thoughts?

Code:
/**
 * Clean Keys
 *
 * This is a helper function. To prevent malicious users
 * from trying to exploit keys we make sure that keys are
 * only named with alpha-numeric text and a few other items.
 *
 * @access private
 * @param string
 * @return string
 */
function _clean_input_keys($str)
{
    // '$' is not in the allowed class, so the RFC 2109 attribute names
    // $Version, $Path and $Domain sent by some user agents fail this check
    if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
    {
        exit('Disallowed Key Characters.');
    }

    return $str;
}

#4
[eluser]Derek Allard[/eluser]
This has come up recently. In response the input library now contains.
Code:
        // Clean $_COOKIE Data
        // Also get rid of specially treated cookies that might be set by a server
        // or silly application, that are of no use to a CI application anyway
        // but that when present will trip our 'Disallowed Key Characters' alarm
        // http://www.ietf.org/rfc/rfc2109.txt
        // note that the key names below are single quoted strings, and are not PHP variables
        unset($_COOKIE['$Version']);
        unset($_COOKIE['$Path']);
        unset($_COOKIE['$Domain']);
        $_COOKIE = $this->_clean_input_data($_COOKIE);
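As an added illustration of the behaviour discussed in this thread (Python written for this page, not CodeIgniter's own code), the following parses an RFC 2109 style Cookie header like the one in section 5.1 of the RFC, runs the 1.6.2 key regex over the raw cookie names, and then runs it again after dropping the $Version/$Path/$Domain attributes the way the unset() calls above do. The header text is a constructed sample.

```python
import re

# The key check from CodeIgniter 1.6.2's Input.php, as quoted in the thread.
CI_KEY_RE = re.compile(r"^[a-z0-9:_/-]+$", re.I)

# Attribute names a user agent may send alongside cookie values
# (RFC 2109 sections 4.3.4 and 5.1). They are not application cookies.
RFC2109_ATTRS = {"$Version", "$Path", "$Domain"}

# Constructed sample, shaped like the RFC's section 5.1 exchange but with
# a CI session cookie; the value is a placeholder, not a real session id.
SAMPLE_HEADER = '$Version="1"; ci_session="abc123"; $Path="/"'


def parse_cookie_header(header):
    """Split a Cookie header into (name, value) pairs, unquoting values.
    Only ';' is treated as a separator, which is what browsers send."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs.append((name.strip(), value))
    return pairs


def first_rejected_key(pairs):
    """Return the first cookie name CI's regex would reject, or None."""
    for name, _ in pairs:
        if not CI_KEY_RE.match(name):
            return name
    return None


def strip_rfc2109_attrs(pairs):
    """Drop $Version/$Path/$Domain, mirroring the unset() calls added to CI."""
    return [(n, v) for n, v in pairs if n not in RFC2109_ATTRS]


if __name__ == "__main__":
    raw = parse_cookie_header(SAMPLE_HEADER)
    print("raw header trips on:", first_rejected_key(raw))  # $Version
    print("after stripping:", first_rejected_key(strip_rfc2109_attrs(raw)))  # None
```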

#5
[eluser]BlueCamel[/eluser]
Nice. Thanks much. We'll upgrade to 1.7 when it comes out.
