• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
I want to allow all URI chars... am I really insane?

#1
[eluser]dtrenz[/eluser]
According to CodeIgniter, you would have to be insane to permit all URI chars. Isn't that just a little bit of an overreaction?

What is the worst that could happen?

There are millions of sites out in the world that have no such filtering on their URIs/Query Strings, and they do just fine. Does CI have a specific vulnerability that makes such a overly strict URI policy necessary?

If I am insane for considering this, please tell me why?

Because if I see, "The URI you submitted has disallowed characters" one more time, I swear I will throw my keyboard through my monitor.

I know this issue is a legacy EE issue that has been brought up numerous time in the forum, but I didn't see any posts about allowing all.

Any advice or insight is welcome. Thanks -d

#2
[eluser]pistolPete[/eluser]
Think of SQL injection, XSS etc. It's nothing CI specifig.
It is really safer to restrict the URI chars.
Counter question: Why would you need all URI chars?

#3
[eluser]TheFuzzy0ne[/eluser]
Yes, you probably are insane, I highly recommend a check-up from the neck up. Wink

The permitted_uri_chars config is only for characters that appear in the URI. This doesn't include characters posted from a form.

#4
[eluser]dtrenz[/eluser]
SQL injection? If you don't escape all of your SQL queries, then you really are insane. I'd hate to think that people are relying on CI to protect them from injection.

I want to allow all, because I keep discovering exceptions in the form of a stupid “The URI you submitted has disallowed characters” error. I'd much rather give my users a well designed 404 then that.

#5
[eluser]dtrenz[/eluser]
BTW, if you use the active record class, then you are extra safe because in the CI docs it says, "Note: All values are escaped automatically producing safer queries" after every method in the active record class.

#6
[eluser]TheFuzzy0ne[/eluser]
./system/application/libraries/MY_URI.php
Code:
<?php

class MY_URI extends CI_URI {

    function _filter_uri($str)
    {
        if ($str != '' && $this->config->item('permitted_uri_chars') != '' && $this->config->item('enable_query_strings') == FALSE)
        {
            if ( ! preg_match("|^[".preg_quote($this->config->item('permitted_uri_chars'))."]+$|i", $str))
            {
                $this->show_disallowed_uri_page();
                exit();
            }
        }    
        
        // Convert programatic characters to entities
        $bad    = array('$',         '(',         ')',         '(',         ')');
        $good    = array('$',    '(',    ')',    '(',    ')');
        
        return str_replace($bad, $good, $str);
    }
    
    function show_disallowed_uri_page()
    {
?>
<html>
<head>
    <title>Bad URI</title>
    <link rel="stylesheet" href="/some/stylesheet.css" />
</head>    
    <body>
        The URI you submitted contains disallowed characters.
    </body>
</html>    
    
<?php
    }
}

// End of file: MY_URI.php
// Location: ./system/application/libraries/MY_URI.php
The above code is untested, but should work.

#7
[eluser]TheFuzzy0ne[/eluser]
Also, please [url="http://www.freesoft.org/CIE/RFC/1738/4.htm"]check out this article[/url].

[quote author="www.freesoft.org/CIE/RFC/1738/4.htm" date=""]
Characters can be unsafe for a number of reasons. The space character is unsafe because significant spaces may disappear and insignificant spaces may be introduced when URLs are transcribed or typeset or subjected to the treatment of word-processing programs. The characters "<" and ">" are unsafe because they are used as the delimiters around URLs in free text; the quote mark (""") is used to delimit URLs in some systems. The character "#" is unsafe and should always be encoded because it is used in World Wide Web and in other systems to delimit a URL from a fragment/anchor identifier that might follow it. The character "%" is unsafe because it is used for encodings of other characters. Other characters are unsafe because gateways and other transport agents are known to sometimes modify such characters. These characters are "{", "}", "|", "\", "^", "~", "[", "]", and "`".

All unsafe characters must always be encoded within a URL. For example, the character "#" must be encoded within URLs even in systems that do not normally deal with fragment or anchor identifiers, so that if the URL is copied into another system that does use them, it will not be necessary to change the URL encoding.
[/quote]

#8
[eluser]dtrenz[/eluser]
So, it sounds like this is a bit of hyperbole.

Is it a good idea to filter URI chars? Yes.

If you are escaping all queries and writing smart code, can you probably get away with turning this off? Yes.

#9
[eluser]jdfwarrior[/eluser]
Quote:Because if I see, "The URI you submitted has disallowed characters" one more time, I swear I will throw my keyboard through my monitor.

Any advice or insight is welcome. Thanks -d

code better? Smile

#10
[eluser]dtrenz[/eluser]
[quote author="jdfwarrior" date="1236046325"]
Quote:Because if I see, "The URI you submitted has disallowed characters" one more time, I swear I will throw my keyboard through my monitor.

Any advice or insight is welcome. Thanks -d

code better? Smile[/quote]

ha.

The issue I'm having is that the former version of a site (not written by me) that I am rebuilding, was done using horribly cryptic URLs containing lots of bad URI chars... but I can't just blackhole any legacy links out there, so I have to let them in so I can redirect them to the nice new pretty CI URLs.

I would never code anything that would put disallowed chars in the URI (except maybe a "+").


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2021 MyBB Group.