What will be the problem if allowing all characters in permitted_uri_chars?

#1
[eluser]jayapalchandran[/eluser]
Code:
$config['permitted_uri_chars'] = '+=\a-z 0-9~%.:_-';

What will happen if I am allowing +=/ or some more chars?

I would like to send and receive base64 of an email address as a unique identification, and when I do base64 I can see = appearing mostly as the last character.

So I want to use = in the URI, and it is working well.

What will be the security risk?

#2
[eluser]WanWizard[/eluser]
The reason they are 'illegal' is that they can be used to craft an attack via the URI.

See http://ellislab.com/forums/viewthread/109429/ for a solution that doesn't require altering this regex.
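An added example, not part of the original thread and not necessarily the approach taken in the linked post: URL-safe base64 (RFC 4648, section 5) keeps the identifier inside the characters `A-Z a-z 0-9 - _`, so `=`, `+` and `/` never need to be permitted. It assumes the stock CodeIgniter value `'a-z 0-9~%.:_\-'`, matched case-insensitively; the function names and the sample address are hypothetical.

```php
<?php
// Added example (not CodeIgniter's own code): base64url helpers for a URI segment.

function base64url_encode(string $data): string
{
    // Map '+' to '-', '/' to '_', and drop the '=' padding.
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $segment): ?string
{
    // Accept only the URL-safe alphabet; anything else is refused before decoding.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $segment)) {
        return null;
    }
    // A length of 4n+1 can never be valid base64.
    if (strlen($segment) % 4 === 1) {
        return null;
    }
    // Restore the standard alphabet and padding, then decode in strict mode.
    $standard = strtr($segment, '-_', '+/');
    $padded   = str_pad($standard, strlen($standard) + (4 - strlen($standard) % 4) % 4, '=');
    $raw      = base64_decode($padded, true);
    return $raw === false ? null : $raw;
}

function email_from_segment(string $segment): ?string
{
    // The decoded bytes are still user-controlled input: validate before use.
    $raw = base64url_decode($segment);
    if ($raw === null) {
        return null;
    }
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Constructed sample values.
$email   = 'user+tag@example.com';
$segment = base64url_encode($email);

var_dump($segment);                                // segment as it would appear in the URI
var_dump(email_from_segment($segment) === $email); // round trip through the helpers
var_dump(email_from_segment('dXNlcg=='));          // padded standard base64 fails the alphabet check
```

The encoded value is reversible by anyone who sees the URL, so it identifies a record but does not prove the requester owns that address.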

#3
[eluser]jayapalchandran[/eluser]
OK. Let me read that, and I will come back.

