Fixed Cookie with URL encoding

Dad. · Aug 6, 2011

Hello,

On my site, we use CodeIgniter, which is a common framework. It has a function that searches for all cookies on a given domain. This is the function:

PHP:

 /**
* Clean Keys
*
* This is a helper function. To prevent malicious users
* from trying to exploit keys we make sure that keys are
* only named with alpha-numeric text and a few other items.
*
* @access private
* @param string
* @return string
*/
function _clean_input_keys($str)
{
  if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
  {
  exit('Disallowed Key Characters.');
  }

  // Clean UTF-8 if supported
  if (UTF8_ENABLED === TRUE)
  {
  $str = $this->uni->clean_string($str);
  }

  return $str;
}

I noticed while styling themes, my main site would break and leave an error message (Disallowed Key Characters). We were able to figure out exactly what was going on and it was the following cookie causing the issue:

Code:

xf_FilterList_admin.php%3Ftemplates%2F

Its not a huge issue I suppose, but it is rather annoying.

Thanks a lot!
Mike Creuzer
Audentio.com

Mike · Aug 24, 2011

It may be worth working around this, but I believe this is a bug in CodeIgniter. I'm just looking at RFCs to be clear.

Mike · Aug 24, 2011

Well, it's not necessarily a bug in CI, more of a strange design decision (IMO). However, the RFCs do allow % in cookie names (which may be decoded to the raw character by the time CI sees it). That said, it's probably still ok to remove special chars.

Hades · Jan 21, 2013

<?php
$title=urlencode('Title of Your iFrame Tab');
$url=urlencode('http://www.facebook.com/wordpressdesign');
$summary=urlencode('Custom message that summarizes what your tab is about, or just a simple message to tell people to check out your tab.');
$image=urlencode('http://www.yourdomain.com/images/share-thumbnail.jpg');
?>

<a onClick="window.open('http://www.facebook.com/sharer.php?s=100&p[title]=<?php echo $title;?>&p[summary]=<?php echo $summary;?>&p=<?php echo $url; ?>&&p[images][0]=<?php echo $image;?>','sharer','toolbar=0,status=0,width=548,height=325');" href="javascript: void(0)">Insert text or an image here.</a>

Plz convent to xenforo code.

[/COLOR]

Slavik · Jan 21, 2013

Hades said:
<?php
$title=urlencode('Title of Your iFrame Tab');
$url=urlencode('http://www.facebook.com/wordpressdesign');
$summary=urlencode('Custom message that summarizes what your tab is about, or just a simple message to tell people to check out your tab.');
$image=urlencode('http://www.yourdomain.com/images/share-thumbnail.jpg');
?>

<a onClick="window.open('http://www.facebook.com/sharer.php?s=100&p[title]=<?php echo $title;?>&p[summary]=<?php echo $summary;?>&p=<?php echo $url; ?>&&p[images][0]=<?php echo $image;?>','sharer','toolbar=0,status=0,width=548,height=325');" href="javascript: void(0)">Insert text or an image here.</a>

Plz convent to xenforo code.

[/COLOR]

Hi,
I see you haven't linked your forum account to your license. You can do that in the Forum Users section of the Customer Area here: http://xenforo.com/customers
Then we will be able to provide forum support.
Thanks.
//Slav

Fixed Cookie with URL encoding

Dad.

Well-known member

Mike

XenForo developer

Mike

XenForo developer

Hades

Member

Slavik

XenForo moderator

Similar threads

We value your privacy