
@ character allowed in URL, dangerous?

From the CodeIgniter config.php file:

/*
|--------------------------------------------------------------------------
| Allowed URL Characters
|--------------------------------------------------------------------------
|
| This lets you specify with a regular expression which characters are permitted
| within your URLs.  When someone tries to submit a URL with disallowed
| characters they will get a warning message.
|
| As a security measure you are STRONGLY encouraged to restrict URLs to
| as few characters as possible.  By default only these are allowed: a-z 0-9~%.:_-
|
| Leave blank to allow all characters -- but only if you are insane.
|
| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
|
*/
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';

Would it be safe for me to add the @ character to this list of permitted characters? What are the risks?

Thanks


@ is used to prepend a username and possibly a password to URLs that require HTTP auth. How that is insecure I cannot tell from this comment. Theoretically, depending on the context, you may not want users to enter such URLs.

Other than that, this kind of security check is a bit .. dumb; there are increasing numbers of top-level domains out there that use characters other than ASCII. Russia was allocated .рф, Mainland China got .中國, and there are many more examples.

http://en.wikipedia.org/wiki/Internationalized_domain_name


It's safe; see the list of unsafe chars:

http://www.blooberry.com/indexdot/html/topics/urlencoding.htm


It is not listed here to prevent this kind of URL:

http://mybank.com-some-very-long-string@hacker.com/

This would go to hacker.com while looking like mybank.com to a casual user.
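As an added example (not code from the question or from CodeIgniter itself), the following Python approximates the permitted-character check and shows what a standards-based URL parser makes of the deceptive URL above: the text before the @ is userinfo, and the host a browser connects to is what follows it. The per-segment application of the character class is an assumption about how CodeIgniter uses this setting.

```python
import re
from urllib.parse import urlsplit

# Value of $config['permitted_uri_chars'] from the question (body of a regex character class).
DEFAULT_PERMITTED = r"a-z 0-9~%.:_\-"


def segment_allowed(segment: str, permitted: str = DEFAULT_PERMITTED) -> bool:
    """Assumed approximation of CodeIgniter's check: the configured class is
    wrapped in ^[...]+$ and matched case-insensitively against one URI segment.
    A blank setting allows everything, as the config comment says."""
    if permitted == "":
        return True
    return re.fullmatch("[" + permitted + "]+", segment, re.IGNORECASE) is not None


def path_allowed(path: str, permitted: str = DEFAULT_PERMITTED) -> bool:
    """Apply the segment check to every non-empty segment of a request path."""
    segments = [s for s in path.strip("/").split("/") if s]
    return all(segment_allowed(s, permitted) for s in segments)


def effective_host(url: str) -> str:
    """Host a client would actually connect to. Everything before '@' in the
    authority is userinfo, not part of the host name."""
    return urlsplit(url).hostname or ""


def has_userinfo(url: str) -> bool:
    """True when the authority carries a user[:password]@ prefix, the construct
    the deceptive example above relies on. A defender can reject such URLs
    before following or displaying them."""
    return urlsplit(url).username is not None


# Constructed sample, taken from the answer above.
DECEPTIVE = "http://mybank.com-some-very-long-string@hacker.com/"

if __name__ == "__main__":
    print(path_allowed("users/me@example.com"))                          # default config rejects '@'
    print(path_allowed("users/me@example.com", DEFAULT_PERMITTED + "@"))  # allowed once '@' is added
    print(effective_host(DECEPTIVE))                                     # the real host, not mybank.com
    print(has_userinfo(DECEPTIVE))                                       # userinfo present
```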


You shouldn't, unless you encode it. The unencoded @ is reserved for a special meaning, like an FTP user (monty@ftp.python.com) or an email address (monty.python@camelot.com).

So, regardless of the temptation, don't do it. Why would you want to anyway?


RFC 1738 permits only the following characters in the path segment of a URI: A-Za-z0-9_\-\.!~*\'"(), (not the query part)


You can find more specific details about it here; it also suggests how you can use dangerous characters by encoding them:

http://perishablepress.com/stop-using-unsafe-characters-in-urls/ Moreover, javascript: could be dangerous.

You can use &lt; to replace < signs, and other special dangerous characters with their respective substitutes.
