EE changing external encrypted cookie |
|||
|---|---|---|---|
| Date: | 06/16/2008 | Severity: | Major |
| Status: | Not a Bug | Reporter: | pfleming |
| Version: | EE 1.6.3 | Assigned To: | Not Assigned |
| Keywords: | User Interface, General Problems | ||
Details
Our site requires sign in and sign in is authenticated via an encrypted cookie. The cookie is set by a process external to EE.
When I try to read the cookie from inside ee using $_COOKIE, the cookie is changed.
The call $IN->fetch_input_data() in core.system.php modifies the cookie data in such a way that our external application no longer recognizes it.
Being that everything we allow a user to do is determined by the contents of the cookie, this issue has us dead in the water. I could comment out your code that ‘cleans’ the cookie, but I would like to know if this would be addressed in a future release. I don’t want to have to comment out code in your app whenever you put out a release.
Sample code to reproduce the problem has been posted in the support forum at http://expressionengine.com/forums/viewthread/82310/
Comment on Bug Report
| Posted by: Derek Jones on 16 June 2008 8:53am | |
|
All input data goes through some minor modifications for both standardization and security. In this case, tabs are converted in ExpressionEngine 1.x to 4 space characters for a specific issue encountered years ago, and this has continued for legacy support reasons. 2.0 will be the earliest break from this behavior, but a simple hack to core.input.php at the top of the file that will be safe and easy to maintain is to change:
var $trim_input = TRUE;
to
var $trim_input = FALSE;
And ExpressionEngine will no longer trim whitespace from your input data nor convert tabs to spaces. |
| Posted by: pfleming on 16 June 2008 3:44pm | |
|
I set $trim_input = FALSE inside of core.input.php. Deleted all my cookies. Set the cookie and read it from inside EE. The cookie is still being modified by EE. |
| Posted by: Derek Jones on 16 June 2008 7:06pm | |
|
|
Check and make sure your core.input.php file is not being cached by a server mechanism such as eAccelerator. You can generally force a refresh in these instances by introducing a syntax error, accessing the site, and then correcting the error. That is where the tab (ASCII 9) is being converted to four spaces (ASCII 32). |
| Posted by: pfleming on 17 June 2008 11:10am | |
|
|
I can confirm that setting $trim_input to FALSE doesn’t solve the issue I’m having and that it’s not a matter of caching. (Just to be absolutely certain, I tried it on a second machine that never had EE installed.) Strangely enough, if I comment out this code in core.input.php:
if ($this->trim_input == TRUE)
Then my cookie is unchanged. I don’t know this piece of code is ignoring the $this->trim_input flag, but it is. |
| Posted by: pfleming on 17 June 2008 11:20am | |
|
|
Figured it out. This line in core.system.php which appears right after core.input.php is substantiated was overriding the $trim_input flag that’s set in the class. $IN->trim_input = (isset($uri)) ? TRUE : FALSE; |
| Posted by: pfleming on 17 June 2008 1:57pm | |
|
|
That still didn’t correct the problem. It stopped inserting the four spaces, but it replaced the tab with a single space. I had to comment out this section of core.input.php to get some relief
/** -----------------------------------
if (is_array($_COOKIE) AND count($_COOKIE) > 0)
|
| Posted by: Derek Jones on 17 June 2008 6:31pm | |
|
|
Ah yes, indeed. Though you could also in fetch_input_data() set that class property to FALSE just for the $_COOKIE scrubbing, and reset it to its previous value afterward. You’ll still want the keys cleaned and the data run through the XSS filter, afterall. |