Hello, I have a URL-encoded URI, so it doesn't contain any malicious characters and matches the default "permitted_uri_chars" setting in config.php, but CodeIgniter first decodes every segment and then checks the characters, which is wrong, I think. The URI should first be filtered and checked for malicious characters, and then it should be decoded. Here is a live example:
I have a URI like this: gallery/add_image/(page_name)/(base64- and then URL-encoded string). It is routed to gallery/add_image/$1/$2 (it's the same, because a few lines later I have a wildcard for all addresses that don't match the previous ones). When I try to visit this URI I get the following error: "The URI you submitted has disallowed characters.", raised from the _filter_uri function in system/core/URI.php, which is caused by characters in the base64 string (specifically the equals sign, "=").
I'm not sure, but this could cause some security issues. It's definitely not intuitive.
I was sure that the URI was URL-encoded, but the Flash file decoded it before sending the request.
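
One way to keep a base64 value inside a URI segment without tripping the character filter described above, shown as an added example that is not part of the original post and not CodeIgniter's own code: use the URL-safe base64 alphabet without padding. The `segment_allowed` helper and the whitelist string are assumptions that model the decode-then-filter order the post describes.

```php
<?php
// Added example, not CodeIgniter's code. The whitelist is an assumed stand-in
// for the "permitted_uri_chars" value; compare it with your own config.php.
const PERMITTED_URI_CHARS = 'a-z 0-9~%.:_\-';

// Models the order described in the post: decode the segment, then filter it.
function segment_allowed(string $raw_segment): bool
{
    $decoded = rawurldecode($raw_segment);
    return preg_match('/^[' . PERMITTED_URI_CHARS . ']+$/i', $decoded) === 1;
}

// URL-safe base64: "+" becomes "-", "/" becomes "_", padding "=" is dropped.
function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Strict inverse; returns null for anything that is not valid base64url.
function base64url_decode(string $text): ?string
{
    if (preg_match('/\A[A-Za-z0-9_-]*\z/', $text) !== 1 || strlen($text) % 4 === 1) {
        return null;
    }
    $padded = $text . str_repeat('=', (4 - strlen($text) % 4) % 4);
    $out = base64_decode(strtr($padded, '-_', '+/'), true);
    return $out === false ? null : $out;
}

// Constructed sample bytes whose standard encoding contains "+", "/" and "=".
$payload  = "\xfb\xef\xff\x01";
$standard = base64_encode($payload);
$urlsafe  = base64url_encode($payload);

var_dump(segment_allowed($standard));                // standard alphabet, sent as-is
var_dump(segment_allowed(rawurlencode($standard)));  // standard alphabet, percent-encoded
var_dump(segment_allowed($urlsafe));                 // URL-safe alphabet, no padding
var_dump(base64url_decode($urlsafe) === $payload);   // round trip in the controller
var_dump(base64url_decode('not*valid'));             // malformed input is refused
```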