[SOLVED] Allowing all URI characters

#1
[eluser]misplacedme[/eluser]
I'm toying with codeigniter, and ran into an issue that I need an answer on.
I'm wanting to have user-readable search queries based on the address (index.php/users/search/tom*)
Of course, I get a message saying that I have illegal values in my URI. I don't want to base64 encode my strings, and the only thing I can think of to allow this is to allow all URI characters.

What exactly are the repercussions of doing this? As far as I can see, it will just mean I will need to do more sanitization than before. Correct me if I'm wrong.

#2
[eluser]Sbioko[/eluser]
Quote: I will need to do more sanitization than before
No you will not. Just do these 2 simple steps:
1) Change permitted_uri_chars option in your config.php to this:
Code:
// an empty value disables the permitted-character check entirely
$config['permitted_uri_chars'] = '';

2) Then go to your URI library (system/libraries/URI.php) and find the _filter_uri function. After that, put this code:
Code:
global $IN;
return $IN->xss_clean(str_replace($bad, $good, $str));
to the end of this function.

That's all. Now you can use all URI characters and be safe!
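A caveat worth making explicit at this point, with an added example that is not code from the thread or from CodeIgniter itself: xss_clean() only neutralises HTML/JavaScript for the browser. A search term taken from the URI (the index.php/users/search/tom* case from the first post) still has to be bound as a query parameter before it reaches the database, and the user's "*" wildcard has to be translated into LIKE syntax without letting typed "%" or "_" act as wildcards. The controller name, the users table, the username column and the CodeIgniter 1.7/2.x Active Record calls are assumptions for the illustration.

```php
<?php
// application/controllers/users.php  (added example; file name and table are assumptions)
//
// Assumes CodeIgniter 1.7/2.x: segments reach the method after _filter_uri(),
// methods beginning with an underscore are not routable, and $this->db->query()
// accepts '?' bindings. No constructor is defined so the parent's runs as-is.
class Users extends Controller   // use CI_Controller on CodeIgniter 2.x
{
    function search($term = '')
    {
        $this->load->database();

        // The segment passed the URI character filter, but it is still user input.
        $pattern = $this->_wildcard_to_like($term);

        // '?' bindings are escaped and quoted by the driver. The ESCAPE clause
        // makes '!' the escape character that _wildcard_to_like() relies on
        // (ESCAPE is supported by MySQL, PostgreSQL and SQLite).
        $sql   = "SELECT id, username FROM users WHERE username LIKE ? ESCAPE '!'";
        $query = $this->db->query($sql, array($pattern));

        // Output escaping is a separate step from input filtering: the term
        // is going back into an HTML page, so encode it for that context.
        $data['term']  = htmlspecialchars($term, ENT_QUOTES, 'UTF-8');
        $data['users'] = $query->result();
        $this->load->view('users/search', $data);
    }

    // Turn the user-facing '*' wildcard into SQL LIKE syntax, while making any
    // LIKE metacharacters the user typed ('%', '_', '!') match literally.
    //   'tom*'   -> 'tom%'
    //   '50%_x'  -> '50!%!_x'
    function _wildcard_to_like($term)
    {
        $literal = str_replace(array('!', '%', '_'), array('!!', '!%', '!_'), $term);
        return str_replace('*', '%', $literal);
    }
}
```

The two concerns stay separate on purpose: the URI filter decides which bytes may enter a segment, the binding decides how the value is carried into SQL, and htmlspecialchars() decides how it is rendered. None of the three makes the others unnecessary.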

#3
[eluser]misplacedme[/eluser]
Well thank you very much.

#4
[eluser]ydp2005[/eluser]
Why "Call to a member function xss_clean() on a non-object"?

#5
[eluser]ydp2005[/eluser]
Code:
// fetch the Input class instance explicitly instead of relying on a global
$IN =& load_class('Input');
return $IN->xss_clean(str_replace($bad, $good, $str));

#6
[eluser]Ben Edmunds[/eluser]
Just to add a note to this discussion.

It is NOT a good idea to change the core system files. You need to extend the library with a MY_Library if you wish to change the core behavior. You do not want to break your site if you, or someone else, upgrades the CI core.

#7
[eluser]Jamie Rumbelow[/eluser]
...neither is it a good idea to allow every single character to pass through in your URL. I could hack your website in so many different ways now I know that any character is passed through, and (hypothetically) could track your username across the web to find out what site it is and then hack it.

Security's important. Limit the character set to a certain few characters. Even if you are xss_clean()ing it, it's not impossible to bypass.

Jamie

#8
[eluser]WanWizard[/eluser]
All very well for someone whose scope is limited to English.

I would like to have URLs, e.g. for forum or blog posts, like http://mysite/forum/post/1234-this-is-the-title-of-a-forum-post.html. This particular example passes inspection, but that changes as soon as the post title is in Hebrew, Chinese, or any other non-Latin set of characters.

So how to deal with this issue, while keeping the potential security issues you refer to in mind?
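One way to reconcile the three points raised above (extend the library rather than edit system/libraries/URI.php, keep the character set limited, but still accept non-Latin titles) is a MY_URI extension whose whitelist is defined by Unicode character classes instead of a literal ASCII range. This is an added example, not code from the thread or from CodeIgniter; it assumes CodeIgniter 1.7/2.x, where the method is named _filter_uri($str), the subclass prefix is MY_ and show_error() accepts a status code. The exact set of punctuation allowed (hyphen, underscore, dot, tilde and the "*" the first poster wanted) is a choice for the illustration.

```php
<?php
// application/libraries/MY_URI.php  (added example; overrides the core filter
// without touching system/libraries/URI.php, so a core upgrade does not undo it)
class MY_URI extends CI_URI
{
    // Whitelist for one URI segment. \p{L} and \p{N} are letters and digits in
    // any script, so a Hebrew or Chinese slug passes while '<', '"', '$', '(' etc.
    // are still rejected. The 'u' modifier is what makes the classes apply to
    // multibyte UTF-8 rather than to single bytes.
    const SEGMENT_PATTERN = '/^[\p{L}\p{N}\-_.~*]+$/u';

    function _filter_uri($str)
    {
        if ($str == '')
        {
            return $str;
        }

        // preg_match() returns FALSE (not 0) when $str is not valid UTF-8, so
        // comparing against 1 rejects malformed byte sequences as well as
        // disallowed characters. Same 400 response the core filter produces.
        if (preg_match(self::SEGMENT_PATTERN, $str) !== 1)
        {
            show_error('The URI you submitted has disallowed characters.', 400);
        }

        return $str;
    }
}
```

Two things to check when dropping this in. First, depending on the uri_protocol setting the segment may still arrive percent-encoded; because "%" is not in the whitelist such a request is refused rather than accepted, which is the safe failure, but it means the setting has to deliver decoded segments (or the override has to decode exactly once before matching). Second, the core filter's str_replace() of "$", "(" and ")" into HTML entities is omitted here only because those characters can no longer reach it; if the whitelist is widened to include them, that neutralisation has to come back.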
