CodeIgniter attempts to validate data it didn't create and crashes #33

Closed
bitbucket-import opened this issue Aug 19, 2011 · 1 comment

@bitbucket-import

In system/core/Input.php::_sanitize_globals(), CodeIgniter checks all the cookies on the current domain, and crashes the app (in _clean_input_keys()) if one of the cookie names is considered invalid.

The problem is that CI is also checking cookies that it didn't create. So, for example, if a website on the same domain created a cookie that CI doesn't like, it's going to crash, even though the other website might be completely unrelated.

This is easy to test with Glype, which creates cookies with names such as "c[nameofwebsite.com][/][authtoken]":

  • Put a clean install of Glype (http://www.glype.com/downloads.php) and a clean install of CI on the same domain.
  • Run Glype once then run CI.
  • CI crashes even though it's a clean install.

I think this is a big problem because it means CI can randomly crash when things outside of its own environment change. For now, the problem can be "fixed" by clearing the cookies, but a permanent solution would obviously be better.

@danspiteri

This seems like a usability issue, rather than a bug. Although the _sanitize_globals() function is sort of odd. It attempts to unset the _GET, _POST and _COOKIE keys that are in the global namespace, but it leaves the _REQUEST variable alone. So basically you can still access an invalid cookie key using _REQUEST['_COOKIE'][$key].

Nevertheless, a user can extend the Input library and create their own version of the _clean_input_keys() method to allow the extended characters.
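
As an added illustration of the behaviour reported in this issue (not CodeIgniter's code and not the referenced commit): a strict key check that aborts on any unexpected cookie name, next to a tolerant one that drops and records such names. The key pattern, the function names and the sample cookie values are assumptions constructed for the example; the nested array is how PHP exposes a cookie named like the Glype one above.

```php
<?php
// Added illustration only. KEY_PATTERN and the function names are assumptions,
// not CodeIgniter's code; the exception stands in for the crash in the report.
const KEY_PATTERN = '/^[a-z0-9:_\/-]+$/i';
function is_allowed_key(string $key): bool
{
    return preg_match(KEY_PATTERN, $key) === 1;
}
// Strict: one bad key anywhere in the cookie jar aborts the whole request.
function clean_strict(array $input): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        if (!is_allowed_key((string) $key)) {
            throw new RuntimeException('disallowed key: ' . $key);
        }
        $clean[$key] = is_array($value) ? clean_strict($value) : $value;
    }
    return $clean;
}
// Tolerant: drop keys that fail validation, record them, keep serving.
function clean_tolerant(array $input, array &$dropped, string $path = ''): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '[' . $key . ']';
        if (!is_allowed_key((string) $key)) {
            $dropped[] = $here;
            continue;
        }
        if (is_array($value)) {
            $value = clean_tolerant($value, $dropped, $here);
            if ($value === []) {
                continue; // nothing valid left under this key
            }
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Constructed sample: the application's own cookie plus a nested, Glype-style one.
$cookies = [
    'ci_session' => 'constructed-value',
    'c' => ['nameofwebsite.com' => ['/' => ['authtoken' => 'constructed']]],
];
$dropped = [];
print_r(clean_tolerant($cookies, $dropped));
print_r($dropped);
```

Logging the dropped names keeps cookies set by other applications on the domain visible to operators without letting them take the application down.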

narfbg added a commit that referenced this issue Sep 23, 2013
@narfbg narfbg closed this as completed Sep 23, 2013
nfreear added a commit to IET-OU/open-media-player that referenced this issue Aug 17, 2015
* Forward port fix to `CI_Input::_clean_input_keys(..)` - declare & call
* Commit: bcit-ci/CodeIgniter@fd0aabb1e6
* Related bug: bcit-ci/CodeIgniter#33
nfreear added a commit to IET-OU/open-media-player that referenced this issue Aug 18, 2015
* Forward port fix to `CI_Input::_clean_input_keys(..)` - declare & call
* Commit: bcit-ci/CodeIgniter@fd0aabb1e6
* Related bug: bcit-ci/CodeIgniter#33