
Avoiding sanitizing of the POST data. #1136

Closed
stpetr opened this Issue · 6 comments

6 participants

@stpetr

Unfortunately, there is no way to avoid sanitizing of the POST data, which is desperately needed. In my app, when a user sets a password which includes a "%00" substring (or something like that), e.g. "foo%00bar", I can see only the "foobar" string in my model. I think it's because of the _sanitize_globals function which is called in the Input constructor.

@danlamanna

It is within _sanitize_globals, more specifically within remove_invisible_chars. Can anyone confirm this is intended behavior? It also seems to be wrapped in a function_exists tag, so it could possibly be overwritten in scenarios like this.

@veenix

I believe that the bug is in the function "_clean_input_data($str)". The bug is this line:

// Remove control characters
$str = remove_invisible_characters($str);

It should be:

// Remove control characters
$str = remove_invisible_characters($str, false);

The $_POST, $_GET, and $_COOKIE variables are not urlencoded, but remove_invisible_characters assumes that they are and will remove characters such as "%00" unless the url_encoded parameter is set to false.

Because the $_REQUEST variables are not cleaned, you can use $_REQUEST in place of $_POST.

@narfbg
Owner

Duplicate of #346.

@narfbg narfbg closed this
@t3nsor

I don't think this is really a duplicate of #346. This issue exists even when global XSS filtering is turned off. The constructor for the Input class unconditionally calls _sanitize_globals, which unconditionally calls _clean_input_data on each $_POST value, which unconditionally calls remove_invisible_characters with $url_encoded = true. As OP points out, this makes it impossible to submit a string in a form that contains "%00" or anything like this. This is clearly incorrect behaviour.
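As an added illustration of the behaviour veenix and t3nsor describe (this is not code from the thread or from CodeIgniter itself), the stand-in below models the percent-encoded and raw control-character stripping and shows why the `$url_encoded` flag matters for `$_POST` values that PHP has already decoded; `strip_invisible` and `show_cases` are hypothetical names chosen for this example.

```php
<?php
// Hypothetical stand-in for the stripping logic discussed in this thread.
// With $url_encoded = true, percent-encoded control sequences such as
// "%00" are removed in addition to raw control bytes.
function strip_invisible(string $str, bool $url_encoded = true): string
{
    $patterns = [];
    if ($url_encoded) {
        // Percent-encoded control characters 00-08, 0B, 0C, 0E-1F.
        $patterns[] = '/%0[0-8bcef]/i';
        $patterns[] = '/%1[0-9a-f]/i';
    }
    // Raw control bytes (below 0x20, except \t, \n, \r) plus DEL (0x7F).
    $patterns[] = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S';

    // Repeat until nothing changes, so "%%0000" cannot collapse into "%00"
    // on a single pass and survive.
    do {
        $str = preg_replace($patterns, '', $str, -1, $count);
    } while ($count > 0);

    return $str;
}

// Constructed samples of values as PHP already places them in $_POST.
// The browser sends a typed "%" as "%25", so a user who typed the six
// characters "foo%00bar" arrives here as exactly that literal string.
function show_cases(): array
{
    $samples = [
        'literal %00 typed by the user' => 'foo%00bar',
        'real NUL byte inside the value' => "foo\0bar",
        'plain password'                 => 'correct horse',
    ];
    $rows = [];
    foreach ($samples as $label => $value) {
        $rows[$label] = [
            'url_encoded=true (current)'  => strip_invisible($value),
            'url_encoded=false (proposed)' => strip_invisible($value, false),
        ];
    }
    return $rows;
}

foreach (show_cases() as $label => $results) {
    echo $label, PHP_EOL;
    foreach ($results as $mode => $out) {
        printf("  %-28s -> %s\n", $mode, json_encode($out));
    }
}
```

Run it from the command line to see that only the url_encoded=true path alters the literal "%00" password, while a genuine NUL byte is stripped in both modes.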

@mvd7793

I agree, you should be able to disable this, especially for things like passwords

@narfbg
Owner

Sorry, it was a duplicate of #148 instead - just fixed it.

@narfbg narfbg referenced this issue in benedmunds/CodeIgniter-Ion-Auth
Closed

Edit User fails to update Groups in Codeigniter 3 #683
