what will be the problem if allowing all characters in permitted_uri_chars
#1

[eluser]jayapalchandran[/eluser]
Code:
$config['permitted_uri_chars'] = '+=\a-z 0-9~%.:_-';

What will happen if I allow +=/ or some more chars?

I would like to send and receive the base64 of an email address as a unique identification, and when I do base64 I can see = appearing mostly as the last character.

So I want to use = in the URI, and it is working well.

What will be the security risk?
#2

[eluser]WanWizard[/eluser]
The reason they are 'illegal' is that they can be used to craft an attack via the URI.

See http://ellislab.com/forums/viewthread/109429/ for a solution that doesn't require altering this regex.
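Added example, not part of the original posts and not taken from the linked thread: one way to carry a base64-encoded email address in a URI segment without adding = (or + and /) to permitted_uri_chars is the base64url alphabet from RFC 4648 with the padding dropped. The function names and sample addresses are hypothetical, and the sketch assumes CodeIgniter matches permitted_uri_chars case-insensitively, so that upper-case letters pass a-z.

```php
<?php
// Added example (not CodeIgniter code). base64url, RFC 4648 section 5:
// '+' becomes '-', '/' becomes '_', and the '=' padding is removed, so the
// segment contains only letters, digits, '-' and '_'.
// Note: this is an encoding, not encryption or authentication. Anyone can
// decode the segment or build one for another address.

function uri_id_encode(string $email): string
{
    return rtrim(strtr(base64_encode($email), '+/', '-_'), '=');
}

function uri_id_decode(string $segment): ?string
{
    // Accept only the base64url alphabet; anything else is rejected early.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $segment)) {
        return null;
    }
    // A length of 1 modulo 4 cannot be produced by base64.
    if (strlen($segment) % 4 === 1) {
        return null;
    }
    // Restore the standard alphabet and padding, then decode strictly.
    $b64 = strtr($segment, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $raw = base64_decode($b64, true);
    if ($raw === false) {
        return null;
    }
    // Canonical form only: re-encoding must reproduce the segment exactly.
    if (uri_id_encode($raw) !== $segment) {
        return null;
    }
    // The decoded bytes are still untrusted input; require a valid address.
    if (filter_var($raw, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $raw;
}

// Constructed sample addresses, for illustration only.
foreach (['user@example.com', 'first.last+tag@example.org'] as $email) {
    $segment = uri_id_encode($email);
    printf("%s -> %s -> %s\n", $email, $segment, var_export(uri_id_decode($segment), true));
}
// Inputs outside the alphabet (padding, path characters) are refused.
var_dump(uri_id_decode('dXNlckBleGFtcGxlLmNvbQ=='));
var_dump(uri_id_decode('../index'));
```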
#3

[eluser]jayapalchandran[/eluser]
OK. Let me read that and I will come back.



