Having special characters in URLs in CodeIgniter - codeigniter

I want to have URLs like
http://www.example.com/(*.)
but CodeIgniter does not allow me to do that. When I try to access some URLs I get a 404 error (and the requested page exists).
I know I can set allowed characters in URL, but I thought about encoding it. However, if I do something like this:
http://www.example.com/<?php echo rawurlencode(string) ?>
or even:
http://www.example.com/<?php echo rawurlencode(rawurlencode(string)) ?>
I still got the 404. Why is that? '%'s are allowed characters, so why won't it work? And what can I do to fix it?

You can allow certain signs through config/config.php and the permitted_uri_chars key.
However, though I'm not fully certain, I do believe these are restricted by default to increase security. As the relevant explanation suggests:
/*
|--------------------------------------------------------------------------
| Allowed URL Characters
|--------------------------------------------------------------------------
|
| This lets you specify with a regular expression which characters are permitted
| within your URLs. When someone tries to submit a URL with disallowed
| characters they will get a warning message.
|
| As a security measure you are STRONGLY encouraged to restrict URLs to
| as few characters as possible. By default only these are allowed: a-z 0-9~%.:_-
|
| Leave blank to allow all characters -- but only if you are insane.
|
| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
|
*/
For instance, what's so neat about the current settings is that you allow few enough URIs to parse IDs without risking to have them compromised by '', "" or similar. Of course there's automatic and manual $this->db->escape(), but this just adds more failsafes.

When trying to pass urlencoded strings in the URI, it will generate an error if the encoded string has a /: CodeIgniter will try to parse this as a segment, thus rendering a 404. What you need to use is query strings.
$string = rawurlencode($string);
http://www.example.com/class/method/?string=$string
Then, in your method, use get:
function method()
{
    // Read the value from the query string instead of a URI segment
    $string = $this->input->get('string');
}

In case you want to have slashes / in the URL, use double raw encoding. For example:
$string = rawurlencode(rawurlencode('/sth/sth'));
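
How the encodings discussed in these answers look to a segment-based router, as an added example that is not part of the original answers or of CodeIgniter. It assumes one layer of percent-encoding is decoded before the path is split into segments; route_segments() is a hypothetical stand-in for that routing step, and the permitted character class is the default quoted on this page.

```php
<?php
// Added example. Assumption: one layer of percent-encoding is decoded
// before the path is split into segments.
const PERMITTED = 'a-z 0-9~%.:_\-';   // default quoted from config.php

// Hypothetical stand-in for routing: decode once, split on "/", drop
// empty segments, then check each one against the permitted class.
function route_segments(string $path): array
{
    $segments = array_values(array_filter(
        explode('/', rawurldecode($path)),
        fn (string $s): bool => $s !== ''
    ));
    foreach ($segments as $segment) {
        if (!preg_match('/^[' . PERMITTED . ']+$/i', $segment)) {
            return ['ok' => false, 'segments' => $segments];
        }
    }
    return ['ok' => true, 'segments' => $segments];
}

$value  = '/sth/sth';               // value used in the answer above
$single = rawurlencode($value);
$double = rawurlencode($single);

// Single encoding: the slashes reappear after the decode, so the value
// is split across several segments instead of arriving as one argument.
$a = route_segments('/class/method/' . $single);

// Double encoding: the slashes are still encoded after the decode, so the
// value stays one segment built only from permitted characters. The
// method decodes the remaining layer itself.
$b = route_segments('/class/method/' . $double);
$recovered = rawurldecode(end($b['segments']));

// Query string: the value never goes through segment splitting.
$url = '/class/method/?' . http_build_query(['string' => $value]);
parse_str(parse_url($url, PHP_URL_QUERY), $query);

var_dump($a, $b, $recovered === $value, $query['string'] === $value);
```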

Related

Add support for XPATH replace in JCR (Jackrabbit Oak)

I'm trying to determine if there's a way to create a custom Predicate to handle searches for text that contains accented characters.
The problem I am trying to solve is that I have the string "Montréal" stored in the JCR, and want it to show up if my query contains a search for "Montreal" or even "Montre".
I am trying to use the XPATH function fn:replace to do something like this:
replace('Montréal', '[éè]+', 'e')
Here's an example xpath query (run using the query tool in the CRX/DE):
/jcr:root/content/dam/mysite/en//*
[
(@jcr:primaryType = 'dam:AssetContent' and jcr:like(fn:replace(fn:lower-case(data/master/@city), '[éè]+', 'e'),'%montre%'))
]
However, when I attempt to use it, I get the error:
expected: jcr:like | jcr:contains | jcr:score | xs:dateTime | fn:lower-case | fn:upper-case | fn:name | rep:similar | rep:spellcheck | rep:suggest
Is there some way to enable the replace function?

I had faced a similar issue.
I will explain what I did to overcome that.
The requirement: there is a search bar, and users were entering accented chars in it.
The problem: same. jcr:like & fn:replace didn't work.
What I did was send the search param as-is into the backend (Java) through a servlet, as I was building queries through a service there.
Then I just encoded them in base64, and added the same in the query, as AEM keeps non-English chars in base64 encoded values.
Then I just decoded the results in the FE (but you can do that in Java as well).

Last URI segment is zero (/0) -> error Disallowed characters

I tried to find a solution for this issue but nothing worked. When my REST api URI request is, ex. https://serverip/meeting/userlist/0
I always get the error "The URI you submitted has disallowed characters". I have even tried to leave this parameter in the config file blank:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_-+';
But I get the same error.
Is it not allowed to have a 0 at the end of the URI as the only content of that segment? Because I need that to retrieve the user with id = 0.
Thanks a lot.
EDIT - SOLVED:
Hi Again,
Finally I solved it. I found that a long time ago we commented a check related to UTF8 encoding in URI.php
if ( ! empty($str) && ! empty($this->_permitted_uri_chars) && ! preg_match('/^['.$this->_permitted_uri_chars.']+$/i'.(UTF8_ENABLED ? 'u' : ''), $str))
And we only left the first condition. We had some code issues that seem not to reproduce after reverting that comment. And /0 now works fine.
So sorry, at the end it was a problem related to our own modifications.
Thanks.

$config['permitted_uri_chars'] is used as a PCRE character class pattern.
With the last character in there being a dash, it looks for a dash. However, when a dash is between two characters, it triggers a range search. So ... when you append the + (plus) sign after the dash, you get:
[_-+] // a range between underscore and plus in the ASCII table
You might be thinking "So what? Zeros are already allowed previously via 0-9", and you'd be correct, but that's not the problem. The problem is that the plus sign has a lower ASCII number than the underscore, and ranges don't work backwards, so _-+ is invalid and triggers a PCRE compilation failure, which in turn means the entire check fails and nothing is actually allowed.
You would see this if you had error_reporting enabled and/or looked at the error logs.
This doesn't happen if you only append the plus sign to the default pattern - the dash is not only the last character, but also escaped with a backslash - as you'd have this instead:
[_\-+] // Underscore, dash and plus sign as individual characters; not a range
I guess you thought it was an actual character to be allowed and removed it. Just add it back:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-+';
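
The failure described in this answer can be reproduced outside CodeIgniter. This is an added example, not code from CodeIgniter or from the posts above; segment_allowed() is a hypothetical helper that mirrors the shape of the check quoted from URI.php (without the UTF-8 modifier), and the sample segments are constructed.

```php
<?php
// Added example: hypothetical helper modelled on the URI.php check quoted above.
// Returns 'allowed', 'rejected' or 'pattern error' for one URI segment.
function segment_allowed(string $permitted, string $segment): string
{
    // @ suppresses the E_WARNING so the return value can be inspected.
    $result = @preg_match('/^[' . $permitted . ']+$/i', $segment);

    if ($result === false) {
        // The character class did not compile. In a check written as
        // `! preg_match(...)`, false is negated to true, so every
        // segment is reported as containing disallowed characters.
        return 'pattern error';
    }
    return $result === 1 ? 'allowed' : 'rejected';
}

$patterns = [
    'default'            => 'a-z 0-9~%.:_\-',
    'plus after dash'    => 'a-z 0-9~%.:_-+',    // _-+ is a reversed range
    'plus, dash escaped' => 'a-z 0-9~%.:_\-+',
];
$segments = ['0', 'userlist', 'a+b', 'a<b'];     // constructed sample segments

foreach ($patterns as $label => $permitted) {
    foreach ($segments as $segment) {
        printf("%-20s %-10s %s\n", $label, $segment, segment_allowed($permitted, $segment));
    }
}
```

Removing the @ and running with error reporting enabled shows the compilation warning the answer refers to.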

Disabling visually ambiguous characters in Google URL-shortener output

Is there a way to tell (programmatically, I mean through their API) the Google URL shortener not to produce short URLs with characters like:
0 O
1 l
Because people often make mistakes when reading those characters from displays and typing them elsewhere.

You cannot request the API to use a custom charset, so no.
Not a proper solution, but you could check the URL for unwanted characters and request another short URL for the same long URL until you get one you like. Google URL shortener issues a unique short URL for an already shortened URL if you provide an OAuth token with the request. However, I am not sure if a user is limited to one unique short URL per specific long URL, in which case this won't work either.
Since you're doing it programmatically, you could swap out those chars for their ASCII value, '%6F' for the letter o, for instance. In this case, just warn the users that in doubt, it's a numeral.
Alternatively, use a font that distinguishes ambiguous chars, or better yet, color-code them (or underline numerals, or whatever visual mark).

Trouble in passing "=" (equal) symbol in subsequent request - Jmeter

I newly started using JMeter.
My application returns a URL with an encryption value as response, which has to be passed as a request to get the next page. The encryption value always ends with "=", e.g. "http://mycompany.com/enc=EncRypTedValue=". While passing the value as a request, the "=" is replaced with some other character like '%3d', e.g. "http://mycompany.com/enc=EncRypTedValue%3d". Since the token has been changed, my application is not serving the request.

It took me a while to understand this: unlike other languages and environments, in network standards URIs (URLs) do not use quotes or some escape characters to hide special characters.
Instead, a URL needs to be properly encoded by encoding each individual parameter separately in order to build the complete URL. In JavaScript encoding/decoding of the parameters is done with encodeURIComponent() and decodeURIComponent() respectively.
For example, the following:
http://example.com/?p1=hello=hi&p2=three=3
should be encoded using encodeURIComponent() on each parameter to build the following:
http://example.com/?p1=hello%3Dhi&p2=three%3D3
Note that the equal sign used for parameters p1= ... p2= remains as is.
Do not try to encode/decode the whole URL, it won't work. :)
Do not be fooled by what is displayed in a browser address bar/field; that is only the human-friendly string. The moment you copy it to the clipboard the browser will encode it.
Hope this helps someone.
Your application has a problem then, because that's the way it should be sent. URL parameters should be encoded as specified in RFC 3986. Browsers can even do it automatically, so that's something that should be fixed in your web app, if it is not working.
If data for a URI component would conflict with a reserved character's
purpose as a delimiter, then the conflicting data must be
percent-encoded before the URI is formed.
reserved = gen-delims / sub-delims
gen-delims = ":" / "/" / "?" / "#" / "[" / "]" / "@"
sub-delims = "!" / "$" / "&" / "'" / "(" / ")"
/ "*" / "+" / "," / ";" / "="
What you are experiencing is URL Encoding - = is a reserved character in URLs and you cannot just append it to your URL unencoded. It needs to be encoded. This obviously already happened in your case. On the server side the url parameters need to be decoded again. This is the job of the container normally, though.
Based on your use case you may wish to consider one of the following approaches:
You can use the Regular Expression Extractor Post Processor to capture your response and store it in a JMeter variable. As variables are Java Unicode Strings, you shouldn't experience any problem with extra encoding of your "=" symbol.
JMeter provides the __urldecode function, which you can utilize to decode your request.
You can pre-process the request with some kind of __Beanshell function or BeanShell preprocessor to decode the whole URL with something like:
URLDecoder.decode(vars.get("your_URL_to be decoded"),"encoding");
If you are adding encryption values in the subsequent request as a request parameter, then make sure 'Encoding?' is unchecked.
Use quotes for your values. E.g. -Jkey="val=ue"
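
The per-parameter encoding described in the answers above, as an added example that is not part of the original posts. build_url() and read_params() are hypothetical helpers, and the parameter values are constructed from the token shape in the question.

```php
<?php
// Added example: encode each query name and value on its own, then join
// them with the "=" and "&" delimiters left unencoded.
function build_url(string $base, array $params): string
{
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = rawurlencode($name) . '=' . rawurlencode($value);
    }
    return $base . '?' . implode('&', $pairs);
}

// What the receiving side recovers after decoding the query string.
function read_params(string $url): array
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params;
}

// Constructed sample values: a token ending in "=" and a value holding "&".
$params = ['enc' => 'EncRypTedValue=', 'p2' => 'three=3&x=1'];

// Per-component encoding: "=" inside a value travels as %3D and the
// receiver gets back exactly what was sent.
$encoded = build_url('http://example.com/', $params);
var_dump($encoded, read_params($encoded) === $params);

// No encoding: the "&" inside the second value is read as a delimiter,
// so the receiver sees a truncated p2 and an extra parameter.
$naive = 'http://example.com/?enc=' . $params['enc'] . '&p2=' . $params['p2'];
var_dump(read_params($naive));

// Encoding the whole URL: the scheme and query delimiters are encoded
// too, so the string no longer parses as a URL with a scheme or query.
$whole = rawurlencode($naive);
var_dump(parse_url($whole, PHP_URL_SCHEME), read_params($whole));
```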

Escape and download URL using Ruby

I'm trying to download the HTML content from a URL without success.
Here is the URL:
http://example.com/some_string[value]
When I use RestClient I get this error:
URI::InvalidURIError: bad URI(is not URI?)
I got some help from the Ruby on Rails IRC. The idea is to escape the end of the URL.
$ "http://example.com/" + CGI::escape("some_string[value]")
=> "http://example.com/some_string%5Bvalue%5D"
The generated URL does not work, I'm getting a 404.
It works in the browsers though.
Does anyone know how to get it to work?

According to the URI RFC:
Other characters are excluded because gateways and other transport
agents are known to sometimes modify such characters, or they are
used as delimiters.
unwise = "{" | "}" | "|" | "\" | "^" | "[" | "]" | "`"
Data corresponding to excluded characters must be escaped in order to
be properly represented within a URI.
Trusting a browser's response or ability to handle a link is risky. They do everything they can to return a page, instead of enforcing the standards, so they are not authoritative sources whether a page or URL is correctly defined.
RestClient's response is probably based on URI's, which returned the same error when I tested parsing the URL using URI.
I haven't ever seen a URL using unencoded "[" and "]" characters.
