Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

"Filter segments for malicious characters", really ? #47

Closed
bitbucket-import opened this Issue · 13 comments

9 participants

bitbucket-import Andrey Andreev Jochem Maas Instructor, Computer Systems Technology Iban Eguia Gabriel Potkány Ivan Tcholakov Ben Edmunds Lonnie Ezell
bitbucket-import

When requesting a URI containing URI encoded parenthesis (I mean %28 and %29), they reach the controller maimed and unusable. Their strlen() reads wrong and they wont be matched as parenthesis by regex.

The reason for this is in system/core/URI.php at lines 238-241. Why would the parenthesis be replaced by shitty HTML entities that damage the string ?

// Convert programatic characters to entities
$bad    = array('$',        '(',        ')',        '%28',      '%29');
$good   = array('$',    '(',    ')',    '(',    ')');
return str_replace($bad, $good, $str);

Unless there's a good reason for it, I think this replacement should be removed altogether. You don't want to know how many hours it took me to pinpoint this issue.

With love,

Antoine Gersant

Andrey Andreev
Owner

This really depends on wether #388 is considered a bug or not.

Andrey Andreev
Owner

... or not - ignore my last comment.

Jochem Maas

+1 for scrapping the "conversion programatic characters" - it is pointless, has the potential to waste a lot of time 'debugging' and it is incorrect. the code essentially performs a limited "html entitizing" ... html entitizing is something you do to output not input!

Instructor, Computer Systems Technology
Owner

Hasn't this been address by #388? Can this be closed?

Andrey Andreev
Owner

#388 has nothing to do with this ... other issues related to this one have been fixed, but the suggestion here is to remove this filter altogether.

Iban Eguia

I think enough people are having issues with it and that it does not have a clear advantage, so in my opinion it should be removed.

Instructor, Computer Systems Technology
Owner

I agree that the substitution should be removed. RFC 3986 says that the dollar sign and parentheses are safe characters and do not need encoding. They are also flagged as "reserved" characters, which can be encoded and interpreted by an application, but that appears to be subsequent to any use as a URI.

Instructor, Computer Systems Technology jim-parry removed the Dead Issue? label
Iban Eguia Razican referenced this issue from a commit in Razican/CodeIgniter
Iban Eguia Razican Remove URI filter for parenthesis and dollar symbols, as talked in #47.
Signed-off-by: Razican <admin@razican.com>
8d35053
Iban Eguia Razican referenced this issue from a commit in Razican/CodeIgniter
Iban Eguia Razican Remove URI filter for parenthesis and dollar symbols, as talked in #47.
Signed-off-by: Razican <admin@razican.com>
1c775e7
Gabriel Potkány

I'm voting for removing it.

Ivan Tcholakov

+1 for "conversion programatic characters" removal. The three presented justifications are good enough.


Edit: Justification 4: Such characters within a segment may be needed as a result of sloppy slug generation. If you use url_title() for this purpose, the segment would be clean, and then the "programatic characters" simply may not be enabled using the setting $config['permitted_uri_chars'].

url_title() may be reworked to transliterate from non-Latin languages, but this is another story.

Iban Eguia

I vote for it too.

Andrey Andreev
Owner

Well, the public opinion seems to be unanimous.

@pfote @benedmunds @druu @lonnieezell Any objections?

Ben Edmunds

No objection.

Lonnie Ezell

I can't think of a reason it's really needed, but haven't scoured the code about this either.

No objection.

Andrey Andreev narfbg closed this in bc11439
Andrey Andreev narfbg referenced this issue from a commit
Andrey Andreev narfbg Further changes related to issue #47, PR #3323
 - Removed a test that was created specifically for the 'convert programmatic characters to entities' feature.
 - Changed filter_uri() to accept by reference and to not return anything as its only purpose now is to trigger a show_error() call.
 - Added changelog messages and updated the upgrade instructions.
bfa233f
Garrett O'Reilly garrettair referenced this issue from a commit in garrettair/CodeIgniter
Iban Eguia Razican Remove URI filter for parenthesis and dollar symbols, as talked in #47.
Signed-off-by: Razican <admin@razican.com>
69eb9d6
Garrett O'Reilly garrettair referenced this issue from a commit in garrettair/CodeIgniter
Andrey Andreev narfbg Further changes related to issue #47, PR #3323
 - Removed a test that was created specifically for the 'convert programmatic characters to entities' feature.
 - Changed filter_uri() to accept by reference and to not return anything as its only purpose now is to trigger a show_error() call.
 - Added changelog messages and updated the upgrade instructions.
6e30282
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.