Avoiding sanitizing of the POST data. #1136

Closed
stpetr opened this Issue Mar 6, 2012 · 6 comments


stpetr commented Mar 6, 2012

Unfortunately, there is no way to avoid sanitizing of the POST data, which is desperately needed. In my app, when a user sets a password which includes a "%00" substring (or something like that), e.g. "foo%00bar", I can see only the "foobar" string in my model. I think it's because of the _sanitize_globals function, which is called in the Input constructor.

It is within _sanitize_globals, more specifically within remove_invisible_chars. Can anyone confirm this is intended behavior? It also seems to be wrapped in a function_exists tag, so it could possibly be overwritten in scenarios like this?

veenix commented Mar 30, 2012

I believe that the bug is in the function "_clean_input_data($str)". The bug is this line:

// Remove control characters
$str = remove_invisible_characters($str);

It should be:

// Remove control characters
$str = remove_invisible_characters($str, false);

The $_POST, $_GET, and $_COOKIE variables are not urlencoded, but remove_invisible_characters assumes that they are and will remove characters such as "%00" unless the url_encoded parameter is set to false.

Because the $_REQUEST variables are not cleaned, you can use $_REQUEST in place of $_POST.

Contributor

narfbg commented Oct 26, 2012

Duplicate of #346.

@narfbg narfbg closed this Oct 26, 2012

t3nsor commented Jan 29, 2013

I don't think this is really a duplicate of #346. This issue exists even when global XSS filtering is turned off. The constructor for the Input class unconditionally calls _sanitize_globals, which unconditionally calls _clean_input_data on each $_POST value, which unconditionally calls remove_invisible_characters with $url_encoded = true. As OP points out, this makes it impossible to submit a string in a form that contains "%00" or anything like this. This is clearly incorrect behaviour.
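The behaviour discussed in the comments above, as an added example that is not part of the original thread and is not the project's own code: `strip_invisible_sketch()` is a hypothetical stand-in for the helper named in this issue, and its regular expressions are assumptions chosen to match what the commenters describe. The sample input is constructed.

```php
<?php
// Hypothetical stand-in for the helper discussed in this issue (name and
// patterns are assumptions). It deletes raw control bytes and, when
// $url_encoded is true, also their percent-encoded spellings such as "%00".
function strip_invisible_sketch(string $str, bool $url_encoded = true): string
{
    $patterns = [];
    if ($url_encoded) {
        $patterns[] = '/%0[0-8bcef]/i'; // %00-%08, %0b, %0c, %0e, %0f
        $patterns[] = '/%1[0-9a-f]/i';  // %10-%1f
    }
    $patterns[] = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/'; // raw control bytes

    // Repeat until nothing more is removed, so a nested sequence such as
    // "%%0000" cannot leave a fresh "%00" behind after one pass.
    do {
        $str = preg_replace($patterns, '', $str, -1, $count);
    } while ($count > 0);

    return $str;
}

// Constructed sample: the value as PHP has already decoded it into $_POST.
// The user typed the three characters % 0 0; this is not an encoded NUL byte.
$typed = 'foo%00bar';

// Default mode treats the decoded value as if it were still URL-encoded
// and deletes the literal "%00" (the behaviour the reporter describes).
$as_reported = strip_invisible_sketch($typed, true);

// With the second argument false, as suggested in the thread, the literal
// text survives while a genuine NUL byte is still stripped.
$literal_kept = strip_invisible_sketch($typed, false);
$raw_nul_gone = strip_invisible_sketch("foo\0bar", false);

// Effect on credentials: the hash is computed over the altered string, so a
// different password that sanitizes to the same value also verifies.
$stored   = password_hash($as_reported, PASSWORD_DEFAULT);
$collides = password_verify(strip_invisible_sketch('foobar', true), $stored);

var_dump($as_reported, $literal_kept, $raw_nul_gone, $collides);
```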

mvd7793 commented Jan 29, 2013

I agree, you should be able to disable this, especially for things like passwords.

Contributor

narfbg commented Jan 8, 2014

Sorry, it was a duplicate of #148 instead - just fixed it.

@narfbg narfbg referenced this issue in benedmunds/CodeIgniter-Ion-Auth Dec 11, 2014

Closed

Edit User fails to update Groups in Codeigniter 3 #683
