CodeIgniter attempts to validate data it didn't create and crashes #33
Comments
This seems like a usability issue, rather than a bug. Although the _sanitize_globals() function is sort of odd. It attempts to unset the _GET, _POST and _COOKIE keys that are in the global namespace, but it leaves the _REQUEST variable alone. So basically you can still access an invalid cookie key using _REQUEST['_COOKIE'][$key]. Nevertheless, a user can extend the Input library and create their own version of the _clean_input_keys() method to allow the extended characters.
* Forward port fix to `CI_Input::_clean_input_keys(..)` - declare & call
* Commit: bcit-ci/CodeIgniter@fd0aabb1e6
* Related bug: bcit-ci/CodeIgniter#33
In system/core/Input.php::_sanitize_globals(), CodeIgniter checks all the cookies on the current domain, and crashes the app (in _clean_input_keys()) if one of the cookie names is considered invalid.
The problem is that CI is also checking cookies that it didn't create. So, for example, if a website on the same domain created a cookie that CI doesn't like, it's going to crash, even though the other website might be completely unrelated.
This is easy to test with Glype, which creates cookies with names such as "c[nameofwebsite.com][/][authtoken]":
I think this is a big problem because it means CI can randomly crash when things outside of its own environment change. For now, the problem can be "fixed" by clearing the cookies, but a permanent solution would obviously be better.
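The workaround suggested in the comment above (extend the Input library and supply your own `_clean_input_keys()`) and the failure mode described in the issue body (an unrelated cookie such as `c[nameofwebsite.com][/][authtoken]` killing the request) are illustrated by the following added example. It is not code from the CodeIgniter project or from either participant in this issue. It assumes CodeIgniter 2.x conventions: a file at `application/core/MY_Input.php` is picked up as a core-class extension when `$config['subclass_prefix']` is `'MY_'`, the parent method is named `_clean_input_keys($str)` and rejects keys outside `[a-z0-9:_/-]` with `exit('Disallowed Key Characters.')`, and the UTF-8 cleanup step (`UTF8_ENABLED`, `$this->uni->clean_string()`) mirrors what the stock method does. The `KEY_PATTERN` constant and the log message are this example's own additions.

```php
<?php
// application/core/MY_Input.php  (added example, not CodeIgniter's own code)
//
// Overrides CI_Input::_clean_input_keys() so that cookie names containing
// square brackets and dots, which CodeIgniter did not create and cannot
// control, are accepted instead of terminating the whole request.
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Input extends CI_Input
{
    // Still a strict allow-list: CodeIgniter's original character set
    // plus '[', ']' and '.'. Control characters, quotes, angle brackets,
    // whitespace and NUL bytes remain disallowed, so the widened pattern
    // does not reopen the key-injection cases the original check guards.
    const KEY_PATTERN = '/^[a-z0-9:_\/\[\].-]+$/i';

    public function _clean_input_keys($str)
    {
        if ( ! preg_match(self::KEY_PATTERN, $str))
        {
            // Same hard stop as the stock method for genuinely hostile keys,
            // but record what was rejected first. The key is hex-encoded so
            // the log line itself cannot carry control characters.
            log_message('error', 'Disallowed request key: '.bin2hex($str));
            exit('Disallowed Key Characters.');
        }

        // Mirror the UTF-8 cleanup performed by the parent implementation
        // (assumption: CodeIgniter 2.x Input class layout).
        if (defined('UTF8_ENABLED') && UTF8_ENABLED === TRUE && isset($this->uni))
        {
            $str = $this->uni->clean_string($str);
        }

        return $str;
    }
}
```

With this file in place, a request carrying the Glype-style cookie name from the report passes `_sanitize_globals()` and the application keeps running; only the cookie name is widened, values are still passed through `_clean_input_data()` unchanged. Widening the allow-list is preferable to removing the check altogether, since the check is what keeps arbitrary bytes out of the `$_GET`, `$_POST` and `$_COOKIE` keys the rest of the framework indexes by.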