problems passing base64_encoded value

#1
I'm trying to pass a password reset token as part of a CI4 url --it's 32 random bytes encoded using base64_encode. Suppose the token was generated this way:
PHP Code:
// returns LGziiALPuVrzIruXQNiFzDWbJuZNIT//zjgTh5FO288=
$token = base64_encode(random_bytes(32));
NOTE the two slashes in it. I'll need to urlencode.

I'm having a few problems:

1) If I try to add this token to a url like so:
PHP Code:
$url = site_url("/password-reset/token/" . urlencode($token));
then, for some strange reason, the site_url function decodes the urlencoded token, yielding this:
Code:
https://example.com/password-reset/tokenLGziiALPuVrzIruXQNiFzDWbJuZNIT/zjgTh5FO288=

2) If I create the site url without the token (which seems awkward, to be honest) and then append the urlencoded token like this:
PHP Code:
$url = site_url('/password-reset/token/') . urlencode($token);
then I get a url that looks good:
Code:
https://example.com/password-reset/token/LGziiALPuVrzIruXQNiFzDWbJuZNIT%2F%2FzjgTh5FO288%3D
but CI4 doesn't like the url and gives me 404 Not Found. It doesn't like the % chars.

Is there some way to get codeigniter to allow url-encoded values in its segments? Is there any security risk in doing so? It seems pretty limited if we can't urlencode values to pass them in as autorouted parameters.

#2
I would use the Text helper for this purpose to avoid URL issues with Base64; it uses bin2hex() on the result of random_bytes() instead of base64_encode().

Code:
echo random_string('crypto', 64);

https://codeigniter.com/user_guide/helpe...dom_string

#3
(03-25-2021, 02:50 AM)craig Wrote: I would use the Text helper for this purpose to avoid URL issues with Base64; it uses bin2hex() on the result of random_bytes() instead of base64_encode().

Code:
echo random_string('crypto', 64);

https://codeigniter.com/user_guide/helpe...dom_string
Sadly, bin2hex takes up a lot more space -- it doubles the length of whatever you encode.

Also, I think there's a bug in site_url (or more specifically the URI class) and how it deals with your query string. Turns out CI4 will urlencode your query string whether you like it or not:
PHP Code:
// slash in query string gets encoded:
$url = '/controller/method?a=b/c';
echo site_url($url); // the slash after b= comes back as %2F
This could be problematic if you have already taken steps to encode any values in the query string yourself. Like what if your query string is %25? site_url does NOT encode the % in this url. site_url produces the same output for both urls here, even though $url1 and $url2 are quite different:
PHP Code:
$v = '%';
$url1 = '?x=' . urlencode($v); // ?x=%25
echo site_url($url1) . '<br>';
$url2 = '?x=' . $v;            // ?x=%
echo site_url($url2) . '<br>';

The + char, in particular, has problems. site_url returns the exact same url for both $url1 and $url2:
PHP Code:
$url1 = '?x=2+2';
echo site_url($url1) . '<br>';
$url2 = '?x=2 2';
echo site_url($url2) . '<br>';

Call me crazy, but I don't think site_url should be urldecoding your path segments or urlencoding your query strings. Furthermore, its urlencoding behavior is unpredictable.
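The thread weighs two encodings for a 32-byte token: plain base64 (44 chars, but needs urlencoding because of `/`, `+` and `=`) and hex (64 chars, URL-safe). A third option that keeps the length of base64 and the URL-safety of hex is the base64url alphabet from RFC 4648 (`-` and `_` instead of `+` and `/`, padding dropped). The following is an added example written for this thread; it is not code from the original posts or from CodeIgniter. The function names `base64url_encode`, `base64url_decode`, `make_reset_token` and `verify_reset_token` are assumptions, the 32-byte sample value is constructed, and the `example.com` URL is the one used in the question. It also goes slightly beyond the question by showing the defender-side half of a reset flow: storing only a hash of the token and comparing with `hash_equals()`.

```php
<?php
// Added example for the thread above, not code from the posts or from CodeIgniter.
// Encodes a 32-byte reset token with the RFC 4648 base64url alphabet so the
// segment contains only [A-Za-z0-9_-] and never needs urlencode(), then
// verifies a token received from the URL against a stored hash.
declare(strict_types=1);

// Encode raw bytes as base64url without '=' padding.
function base64url_encode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Decode base64url back to raw bytes; null on any malformed input.
function base64url_decode(string $text): ?string
{
    if ($text === '' || preg_match('/^[A-Za-z0-9_-]+$/', $text) !== 1) {
        return null;                       // plain base64 ('/', '+', '=') is rejected here
    }
    $padded  = strtr($text, '-_', '+/');
    $padded .= str_repeat('=', (4 - strlen($padded) % 4) % 4);
    $bytes   = base64_decode($padded, true);   // strict mode: no stray characters
    return $bytes === false ? null : $bytes;
}

// Issue a token: the raw value goes into the e-mailed link, only its hash is
// stored, so a leaked database does not hand out usable reset links.
function make_reset_token(): array
{
    $raw = random_bytes(32);
    return [
        'token'       => base64url_encode($raw),
        'stored_hash' => hash('sha256', $raw),
    ];
}

// Verify the segment that came back from the URL against the stored hash.
function verify_reset_token(string $fromUrl, string $storedHash): bool
{
    $raw = base64url_decode($fromUrl);
    if ($raw === null || strlen($raw) !== 32) {
        return false;                      // malformed or wrong length: reject before hashing
    }
    // hash_equals() is a constant-time comparison.
    return hash_equals($storedHash, hash('sha256', $raw));
}

// --- Demonstration ---
// Constructed 32-byte value chosen so plain base64 produces '/', '+' and '='.
$sample = str_repeat("\xff\xbe", 16);
printf("base64    (%d chars): %s\n", strlen(base64_encode($sample)), base64_encode($sample));
printf("base64url (%d chars): %s\n", strlen(base64url_encode($sample)), base64url_encode($sample));
printf("hex       (%d chars): %s\n", strlen(bin2hex($sample)), bin2hex($sample));

$issued = make_reset_token();
// No character in the token needs escaping, so it can be concatenated
// straight into the path segment without urlencode().
$url = 'https://example.com/password-reset/token/' . $issued['token'];
echo $url, "\n";

echo 'valid token:      ', verify_reset_token($issued['token'], $issued['stored_hash']) ? 'accepted' : 'rejected', "\n";
echo 'token + "/":      ', verify_reset_token($issued['token'] . '/', $issued['stored_hash']) ? 'accepted' : 'rejected', "\n";
echo 'plain base64:     ', verify_reset_token('LGziiALPuVrzIruXQNiFzDWbJuZNIT//zjgTh5FO288=', $issued['stored_hash']) ? 'accepted' : 'rejected', "\n";
```

Run it with `php example.php`. The decoder validates the alphabet and the decoded length before anything is hashed, so a segment that the router has mangled (or that an attacker has tampered with) fails closed rather than being looked up. Whether `-` and `_` are accepted in a path segment still depends on the framework's permitted URI character setting, so check that before relying on it.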
