4

Our site was hit by a ddos attack and some malformed cookies were sent out. We use the CodeIgniter framework. As it is unreasonable to ask our users to clear their cookies, I was wondering what the ramifications would be of changing the following function in the core. The cookies that are producing the error are of the form:

__utmt_~1

The original function is:

if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
{
    exit('Disallowed Key Characters.');
}

What are the possible side effects if I change it to allow a ~? I know that this is here to prevent malicious users and I want to make sure that this won't have undesirable effect.

if ( ! preg_match("/^[a-z0-9:_\/-\~]+$/i", $str))
{
    exit('Disallowed Key Characters.');
}
user2694306
  • 3,832
  • 10
  • 47
  • 95

2 Answers2

1

Here is my way, it solves problem and keeps the CI core original

Just put this code to file application/core/MY_Input.php

Rename the class and php file if your $config['subclass_prefix'] is not 'MY_'

<?php
if (!defined('BASEPATH'))
    exit('No direct script access allowed');

class MY_Input extends CI_Input {

    function _sanitize_globals() {

        // Avoid error come from cookie __utmt_~1, it set by Google Analatics
        foreach($_COOKIE as $key => $val) {
            if (strpos($key, '~') !== false) {
                unset($_COOKIE[$key]);
            }
        }

        parent::_sanitize_globals();
    }
}
trungnnh
  • 263
  • 2
  • 7
0

In this answer @Kristian explain the risks of changing that regex, and as he say:

I've got the feeling that they're overprotecting simply because CodeIgniter is so widely used that they need to protect against things they themselves haven't thought of yet for the sake of their users who may be even less-aware of such attacks than CodeIgniter's developers.

Community
  • 1
  • 1
Nicolas Durán
  • 292
  • 8
  • 19