This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Encoded Question Mark leads to "invalid GET data"

April 05, 2011 3:16pm

  • #1 / Apr 05, 2011 3:16pm

    Example URL that doesn’t work, but I don’t understand why, seeing as how it’s encoded:

    // remove spaces at the end
    http://www.bluestatedigital.com/?url=% 3 F

    That is on EE1.6.9, though it looks to also happen on EE2.1.3.

  • #2 / Apr 06, 2011 11:57am

    Lisa Wess

    20502 posts

    Hi, BSD -

    This is likely a security issue that we are protecting against, but let me check with my team to confirm that for you.

    Thank you!

  • #3 / Apr 06, 2011 12:05pm

    Sue Crocker

    26054 posts

    Hi, Blue State Digital.
    Just out of curiosity, what’s the purpose behind trying this?

  • #4 / Apr 06, 2011 4:13pm

    Robin Sowell

    13255 posts

    Lisa’s right- it hits the security filter.  The GET variables are passed through urldecode() (http://php.net/manual/en/reserved.variables.get.php)- so it’s effectively a ? by the time it hits the check.

    Make sense?

  • #5 / Apr 07, 2011 7:04pm

    We are trying to have a full URL as a GET variable.  So http://domain.com/template?u=http://url.com/path?var-of-their-own

    (non converted version: http://pastie.org/1769694)

    Shouldn’t the security filter be done before urldecode(), so that encoded characters can be used?

  • #6 / Apr 09, 2011 8:35am

    Greg Salt

    3988 posts

    Hi Blue State Digital,

    It looks like that conversion is done before EE can run its checks. However, where is this URL coming from? Do you have the option to pass this data in a different format (base64 encoded for example)?

    Cheers

    Greg

  • #7 / Apr 15, 2011 3:48pm

    Greg, we ended up base64 encoding and that did work for that one.

    But today we ran into a different issue with Google site search, where if you search for ‘foo$bar’, the dollar sign gets converted to % 24, but again, invalid get data.

  • #8 / Apr 16, 2011 8:08am

    Greg Salt

    3988 posts

    Hi Blue State Digital,

    Can you provide us a little bit more information about this? Do you mean that you are using Google CSE? That particular query doesn’t seem like it should be valid. What is the context for this search?

    Cheers

    Greg
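
The workaround discussed in posts #6 and #7, as an added example that is not part of the original thread and is not ExpressionEngine code: it shows that PHP has already percent-decoded a query value before application code sees it, and how a full URL can instead travel as URL-safe base64 and be validated on receipt. The function names are hypothetical, the sample URLs are the ones from post #5, and accepting only absolute http(s) URLs is an assumption added here.

```php
<?php
// Added example, not ExpressionEngine code. Function names are hypothetical.

// URL-safe base64 (RFC 4648 section 5): '+' becomes '-', '/' becomes '_' and the
// '=' padding is dropped, so the token needs no percent-encoding in a query string.
function b64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Strict decode: returns null for anything that is not valid base64url.
function b64url_decode(string $token): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $token)) {
        return null;
    }
    $length = (int) (ceil(strlen($token) / 4) * 4);
    $raw = base64_decode(str_pad(strtr($token, '-_', '+/'), $length, '='), true);
    return $raw === false ? null : $raw;
}

// Decode the parameter and accept it only if it is an absolute http(s) URL.
function read_url_param(array $get, string $key): ?string
{
    if (!isset($get[$key]) || !is_string($get[$key])) {
        return null;
    }
    $url = b64url_decode($get[$key]);
    $parts = $url === null ? false : parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

$target = 'http://url.com/path?var-of-their-own';

// 1. Query values are percent-decoded during parsing, as with $_GET.
parse_str('u=' . rawurlencode($target), $decoded);
var_dump($decoded['u'] === $target);

// 2. The base64url token passes through query parsing unchanged.
$link = 'http://domain.com/template?u=' . b64url_encode($target);
parse_str(parse_url($link, PHP_URL_QUERY), $get);
var_dump(read_url_param($get, 'u') === $target);

// 3. A value that is not base64url is rejected rather than passed on.
var_dump(read_url_param(['u' => 'not base64!'], 'u'));
```

Plain `base64_encode()` output can contain `+`, `/` and `=`, and `+` is read back as a space in a query string, which is why the URL-safe alphabet is used here.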
