Allowed URL Characters

#1
[eluser]JuanitoDelCielo[/eluser]
Hi guys. I was using the method

Code:
$this->uri->segment(2);

And it works fine, but if the user uses uppercase in the URL it changes the result.

1. http://localhost/pu/user/insert
2. http://localhost/pu/user/INSERT

Both of them load the same controller/method.

Reading the config file I found the regex a-z 0-9~%.:_\- so if the user uses uppercase the second one should show a 404 page, right? Because it doesn't =(.

Code:
/*
|--------------------------------------------------------------------------
| Allowed URL Characters
|--------------------------------------------------------------------------
|
| This lets you specify with a regular expression which characters are permitted
| within your URLs.  When someone tries to submit a URL with disallowed
| characters they will get a warning message.
|
| As a security measure you are STRONGLY encouraged to restrict URLs to
| as few characters as possible.  By default only these are allowed: a-z 0-9~%.:_-
|
| Leave blank to allow all characters -- but only if you are insane.
|
| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
|
*/
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';

#2
[eluser]JHackamack[/eluser]
What you're seeing is only part of the query:

Code:
if ( ! preg_match("|^[".str_replace(array('\\-', '\-'), '-', preg_quote($this->config->item('permitted_uri_chars'), '-'))."]+$|i", $str))

The i at the end of the preg_match means it's case-insensitive, and thus insert and INSERT are treated the same.

#3
[eluser]JuanitoDelCielo[/eluser]
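Thank you so much. I know about the i on regex, but I didn't know about that portion of code.

To solve my problem:

Code:
// $segment is an illustrative variable name for the value being compared
$segment = $this->uri->segment(2);

if ( ! function_exists('mb_strtolower')) {
    // mbstring is not loaded: fall back to the byte-based function
    $segment = strtolower($segment);
} else {
    $segment = mb_strtolower($segment);
}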
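
An added example, not part of the thread and not CodeIgniter's own code: it rebuilds the pattern the way the line quoted in post #2 does, runs it with and without the `i` flag, and applies the lowercase normalization from post #3. The function names and the sample segments are hypothetical.

```php
<?php
// Added example. Only the pattern construction is copied from the line
// quoted in post #2; everything else is constructed for illustration.

// Build the permitted-characters pattern; $ignoreCase toggles the "i" flag.
function uri_pattern(string $permitted, bool $ignoreCase): string
{
    $class = str_replace(array('\\-', '\-'), '-', preg_quote($permitted, '-'));
    return '|^[' . $class . ']+$|' . ($ignoreCase ? 'i' : '');
}

// True when every character of the segment is in the permitted set.
function segment_allowed(string $segment, string $permitted, bool $ignoreCase): bool
{
    return preg_match(uri_pattern($permitted, $ignoreCase), $segment) === 1;
}

// Lowercase a segment before comparing it, using mbstring when available.
function normalize_segment(string $segment): string
{
    return function_exists('mb_strtolower')
        ? mb_strtolower($segment, 'UTF-8')
        : strtolower($segment);
}

$permitted = 'a-z 0-9~%.:_\-';                      // default from config.php in post #1
$samples   = array('insert', 'INSERT', 'in<sert');  // constructed inputs

foreach ($samples as $s) {
    printf(
        "%-8s  with i: %-7s  without i: %-7s  normalized: %s\n",
        $s,
        segment_allowed($s, $permitted, true)  ? 'allowed' : 'blocked',
        segment_allowed($s, $permitted, false) ? 'allowed' : 'blocked',
        normalize_segment($s)
    );
}
```

Because the filter accepts both cases, any comparison or allowlist decision keyed on a segment should be made against the normalized value.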

