This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

EE page results in "Disallowed Key Characters"; RegExp failing on ’$’ character in 3rd-party cookie string

June 22, 2008 10:40pm

  • #16 / Jul 01, 2008 5:18pm

    Ryan M.

    1511 posts

    I decided to just flat out google “disallowed key characters” (DKC’s) rather than searching for that phrase here in the forums. I came upon an interesting post in the EE Wiki regarding DKC’s and mobile sites: Mobile Site - Disallowed Key Characters

    Particularly towards the end:

    Replace line 138
    
    $_COOKIE[$this->clean_input_keys($key)] = $REGX->xss_clean($this->clean_input_data($val));
    
    with
    
    if (substr($key, 0, 4) == 'exp_') {
        $_COOKIE[$this->clean_input_keys($key)] = $REGX->xss_clean($this->clean_input_data($val));
    }

    Note this forces Expression Engine to only check cookies with the prefix “exp”. [...] Your alternative is to allow $ inside your forms but this is usually not a good thing from a security perspective.

    We’re only running into issues with cookies from this one vendor, and those cookies start with “cm”. I’ve a feeling I could do something like this:

    // skip only the vendor's "cm…" cookies; every other cookie is still key-checked and xss_clean()ed
    if (substr($key, 0, 2) != 'cm') {
        $_COOKIE[$this->clean_input_keys($key)] = $REGX->xss_clean($this->clean_input_data($val));
    }

    That should hit and clean every cookie that isn’t from that particular vendor. I think.

  • #17 / Jul 01, 2008 5:47pm

    Ingmar

    29245 posts

    Sounds good. Would be a hack to maintain, of course, but I think your logic is sound. Have you tried it?

  • #18 / Jul 01, 2008 6:03pm

    Ryan M.

    1511 posts

    (Thanks for renaming the post…it has a much more descriptive title and should be easier to locate in future searches relating to this problem)

    I think we’ll probably try that last “solution”. There is a well-documented hack file for this build, so we’d just have to make sure to explain the what’s and why’s in that file after implementing it.

  • #19 / Jul 01, 2008 6:43pm

    Ingmar

    29245 posts

    Thanks, Ryan. Please do keep us posted; also, feel free to log a feature request to change that behavior of EE.

  • #20 / Jul 03, 2008 5:10pm

    Ryan M.

    1511 posts

    Well, the first change works great. I can purposely set a bad cookie in Firefox - one that starts with ‘cm’ and has a dollar sign in it - and I won’t see the “Disallowed” message at all.

    The second change doesn’t work at all (and man, the docs could use some examples! I’m looking at the Functions in the docs, and there isn’t a single real example under “Redirect”). What I’d like to do is redirect users to a real basic page that at least allows them to email the webmaster, or generically explain how they might have gotten there. No matter what I do…I can’t redirect here, I end up just getting a white page.

    Seems that if I put any $FNS class stuff in that function that nothing works (and yes, I added “global $FNS”). Seems that doing anything other than echoing some text on the page with that function isn’t allowed.

    If I even put this line in that function, anywhere:

    $return_url = $FNS->create_url('site/error');

    the resulting page blanks out.

    Shouldn’t I be able to redirect from here?

  • #21 / Jul 06, 2008 1:23pm

    Robin Sowell

    13255 posts

    What happens if you just hard code the redirect:

    if ( ! ereg("^[A-Za-z0-9\:\_\/\-]+$", $str))
    {
        header('Location: http://www.mysite.com/basic/error/');
        exit;
    }
    etc…

  • #22 / Jul 08, 2008 1:34pm

    Ryan M.

    1511 posts

    Robin, that does not seem to work. I’ve tried your code, and there really seems to be a problem with “exit”. I’m in the PHP docs now, looking to see if there is something about “exit” I’m missing.

    Anyway, Firefox throws an error that says

    “Firefox has detected that the server is redirecting the request for this address in a way that will never complete.”

    There has GOT to be a way to do something gracefully here, rather than stopping the site cold. Granted, this will only be for users of the site who have visited previously and are stuck in this “bad cookie” loop, but on this site, that could mean thousands of users.

    Here’s where I’m at:

    function clean_input_keys($str)
    {
        if ( ! ereg("^[A-Za-z0-9\:\_\/\-]+$", $str))
        {
            header('Location: http://www.site.com/site/error/');
            exit;
        }

        if ( ! get_magic_quotes_gpc())
        {
            $str = addslashes($str);
        }

        return $str;
    }

    All that says is if it fails the test, redirect to page x and exit - but I get into the error loop with Firefox.

    I’ve tried redirecting to different pages that I know exist, but I don’t think that’s the problem here. I’ve also attached a pic of the error message.

    ADD: Might the .htaccess file be interfering with the redirect?

  • #23 / Jul 08, 2008 1:45pm

    Ryan M.

    1511 posts

    I think I’ll probably have to just resort to something like the following exit message and hope the users have any idea how to clear cookies!

    // $str failed the key check above, so escape it before it goes into the page
    exit('Disallowed Key Characters: '.htmlspecialchars($str, ENT_QUOTES, 'UTF-8').' To solve this, please clear your cookies for site.com. 
    We are sorry for the inconvenience.');

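
A worked version of the pieces discussed in posts #16, #22 and #23, added here as an example; it is not ExpressionEngine core and not the code Ryan or Robin posted. It takes the vendor prefix "cm" and the error page /site/error/ from the thread, and adds two things of its own: a loop-guard query parameter (ee_cookie_error) and the sample cookie names, which are constructed for the demo. ereg() was removed in PHP 7, so the same character class is applied with preg_match(). The redirect in #22 loops whenever the target page is itself served by EE, because the next request still carries the bad cookie and hits the same check; the example expires the offending cookie before redirecting and falls back to an inline message with the cookie name HTML-escaped, since a name that failed the allow-list can contain anything.

```php
<?php
// Added example; not ExpressionEngine core and not the code posted in the
// thread. Assumptions: vendor cookies start with "cm", the error page is
// /site/error/, the ee_cookie_error loop guard is ours, and the sample
// cookies at the bottom are constructed.
declare(strict_types=1);

// EE 1.x used ereg("^[A-Za-z0-9\:\_\/\-]+$", $str); ereg() is gone since PHP 7.
const KEY_PATTERN   = '~^[A-Za-z0-9:_/-]+$~';
const VENDOR_PREFIX = 'cm';           // assumption: prefix of the third-party cookies
const ERROR_PAGE    = '/site/error/'; // assumption: a static page, not served by EE

function keyIsClean(string $key): bool
{
    return preg_match(KEY_PATTERN, $key) === 1;
}

function isVendorCookie(string $key): bool
{
    return strncmp($key, VENDOR_PREFIX, strlen(VENDOR_PREFIX)) === 0;
}

// Cookie names that would trip "Disallowed Key Characters" once the vendor
// prefix is exempted, as in the hack from post #16.
function disallowedKeys(array $cookies): array
{
    $bad = [];
    foreach (array_keys($cookies) as $key) {
        $key = (string) $key;
        if (isVendorCookie($key)) {
            continue; // exempt from the check, so also NOT xss_clean()ed: untrusted
        }
        if (!keyIsClean($key)) {
            $bad[] = $key;
        }
    }
    return $bad;
}

// Expire the offending cookies, then redirect once. Without the setcookie()
// calls an EE-served target page runs the same check on the same cookie and
// redirects again: the loop Firefox reported in post #22.
function clearAndRedirect(array $badKeys, string $target): void
{
    foreach ($badKeys as $key) {
        // Path and domain must match how the cookie was set or the browser
        // keeps it; a cookie scoped to another domain cannot be cleared here.
        setcookie($key, '', time() - 3600, '/');
    }
    if (isset($_GET['ee_cookie_error'])) {
        return; // already redirected once and the cookie survived: stop bouncing
    }
    header('Location: ' . $target . '?ee_cookie_error=1', true, 302);
    exit;
}

// The inline message from post #23, with the name escaped: it failed the
// allow-list above, so it may contain '<', quotes, or anything else.
function safeErrorMessage(string $key, string $host): string
{
    $esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return 'Disallowed Key Characters: ' . $esc($key)
        . ' To solve this, please clear your cookies for ' . $esc($host)
        . '. We are sorry for the inconvenience.';
}

// --- demonstration on constructed sample cookies ----------------------------
$sample = [
    'exp_sessionid' => 'abc123',  // normal EE cookie: checked, passes
    'cm$visitor'    => '12345',   // vendor cookie with '$': exempted, not cleaned
    'bad<key'       => 'x',       // non-vendor name that fails the check
];

$bad = disallowedKeys($sample);   // ['bad<key']
if ($bad !== []) {
    if (PHP_SAPI === 'cli') {
        echo safeErrorMessage($bad[0], 'site.com'), PHP_EOL;
    } else {
        clearAndRedirect($bad, ERROR_PAGE);
        exit(safeErrorMessage($bad[0], $_SERVER['HTTP_HOST'] ?? 'this site'));
    }
}
```

Two caveats. Cookies skipped by the prefix test stay in $_COOKIE exactly as the browser sent them, so nothing in the site should read them as trusted input. And setcookie() only removes a cookie whose path and domain match what it was set with; a cookie scoped to the vendor's own domain never reaches this server in the first place, and one set for a narrower path cannot be cleared from here.
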
  • #24 / Jul 09, 2008 11:22am

    Robin Sowell

    13255 posts

    Hm- were we creating a loop trying to redirect?  Now that I look at it- maybe.  Except- you were redirecting to a non-EE page, so unless htaccess was snagging it in any way, I don’t see how that would be in play.

    Strikes me as weird, though.  Not sure- you want me to close this one out?  I’m thinking it’s about done- and if the issue crops up again, this thread could simply be referenced.

    Or I may need to poke the crew- as I don’t quite get why it borks on exit.

  • #25 / Jul 09, 2008 11:24am

    Ryan M.

    1511 posts

    Actually I was redirecting to an EE page. Maybe I should try redirecting to a non-EE page?

  • #26 / Jul 11, 2008 1:06pm

    Lisa Wess

    20502 posts

    hey, mdesign; this has gone quite a bit beyond what we can offer as standard tech support. Did you want me to move this to How To?

  • #27 / Jul 11, 2008 1:18pm

    Ryan M.

    1511 posts

    Sure, I even suggested splitting this thread over into How To back at the bottom of comment #21 😉

