CodeIgniter 1.7: The URI you submitted has disallowed characters.

on Tuesday 14th July, 2009 Gabe speculated thusly…

I was getting the above error from CodeIgniter after urlencoding some base64-encoded binary data and passing it as a URI parameter to CodeIgniter. I looked in the config.php file and found that percent signs are allowed here:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';

After some hunting around I found that CodeIgniter is not accepting this in the URI because the characters are tested after they have been decoded: by the time the check runs, the %XX sequences have already been turned back into the characters they stand for, and for base64 data those are '+', '/' and '=', none of which are in the permitted list. The fix was quite simple: open up libraries/URI.php and go to line 189, where it says:
if ( ! preg_match("|^[".preg_quote($this->config->item('permitted_uri_chars'))."]+$|i", $str))
and change it to:

if ( ! preg_match("|^[".preg_quote($this->config->item('permitted_uri_chars'))."]+$|i", rawurlencode($str)))

Basically, this wraps $str in the rawurlencode() function before it is tested. Bear in mind what that does: rawurlencode() only ever produces letters, digits, '-', '_', '.', '~' and %XX escapes, and all of those are in the default permitted list, so after this change the check can no longer reject anything. Whatever you need from the filter has to be enforced where the segment is actually used.
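To see what the check actually does with such a segment, here is an added example (my code, not code from the post or from CodeIgniter) that copies the permitted_uri_chars test into a stand-alone script, runs it on a couple of constructed base64 segments, runs the post's rawurlencode() variant on the same inputs, and shows the kind of strict base64 check a controller can apply itself. The default permitted_uri_chars value is assumed; the function names and the inputs are mine.

```php
<?php
// Added example, not CodeIgniter's code: a stand-alone copy of the
// permitted_uri_chars test that CodeIgniter 1.7 runs on each (already
// percent-decoded) URI segment, next to the post's rawurlencode() variant.
// Assumes the default $config['permitted_uri_chars'] value.

$permitted = 'a-z 0-9~%.:_\-';

// Build the character class the way the test in libraries/URI.php does, with
// one adjustment: from PHP 5.3 on preg_quote() also escapes '-', which would
// turn the a-z and 0-9 ranges into literal characters, so the hyphens are
// put back. The trailing hyphen from '\-' stays a literal because it ends
// the class.
function permitted_class(string $permitted): string
{
    return str_replace('\\-', '-', preg_quote($permitted));
}

// The check as it stands on line 189 of libraries/URI.php.
function segment_allowed(string $segment, string $permitted): bool
{
    return (bool) preg_match('|^[' . permitted_class($permitted) . ']+$|i', $segment);
}

// The post's change: test the re-encoded form instead. rawurlencode() emits
// only letters, digits, '-', '_', '.', '~' and %XX escapes, all of which are
// in the default list, so this version cannot reject anything.
function segment_allowed_after_reencoding(string $segment, string $permitted): bool
{
    return segment_allowed(rawurlencode($segment), $permitted);
}

// What the controller should do with a segment that is supposed to carry
// base64 data, instead of relying on the URI filter (added suggestion, not
// from the post): check alphabet, length and padding, then decode strictly.
function decode_base64_segment(string $segment): ?string
{
    if (strlen($segment) % 4 !== 0 || !preg_match('/^[A-Za-z0-9+\/]+={0,2}$/', $segment)) {
        return null;
    }
    $bytes = base64_decode($segment, true);
    return $bytes === false ? null : $bytes;
}

// Constructed inputs. In a real request the '+' and '=' would have been sent
// as %2B and %3D and decoded again before CodeIgniter's check sees them.
$segments = [
    base64_encode("\xFB\xEF\xBE"),    // "++++": '+' is not in the permitted list
    base64_encode("\x00\x01"),        // "AAE=": '=' is not in the permitted list
    'product_42',                     // an ordinary segment
    '<script>alert(1)</script>',      // the sort of thing the filter exists to stop
];

foreach ($segments as $segment) {
    printf("%-26s filter:%s  re-encoded:%s  base64:%s\n",
        $segment,
        segment_allowed($segment, $permitted) ? 'ok ' : 'BAD',
        segment_allowed_after_reencoding($segment, $permitted) ? 'ok ' : 'BAD',
        decode_base64_segment($segment) === null ? 'rejected' : 'decoded');
}
```

Run it with php from the command line. The unchanged filter rejects the two base64 segments because '+' and '=' are not in the list, and rejects the script tag; the re-encoding variant passes all four, because nothing rawurlencode() produces falls outside the list. The strict base64 check accepts only the two real base64 segments, which is the check a controller taking such a parameter should make regardless of what the URI filter allows.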

6 Responses to “CodeIgniter 1.7: The URI you submitted has disallowed characters.”

  1. Webdesign Berlin Says:

    I got the same problem today. Thanks, it helped me a lot.

  2. Imran Says:

    I was looking for the same for over a week in the official CI forum with no responses… My luck (Google) brought me to your website…
    I can’t thank you enough for this post… :-)

  3. Mayank Jain Says:

    This solved my problem http://codeigniter.com/forums/viewthread/125550/#623818

  4. Saurabh Sahni Says:

    This means you can easily be XSSed; it's equal to allowing everything in the input!

  5. Gabe Says:

    You can’t just be spontaneously XSSed; you would have to manipulate and preserve the data somehow, then redisplay it. I hope nobody relies on the URI allowed-character string only; before saving to a database, all input should be thoroughly validated using your own methods and/or the included validation class.

    I normally only pass numeric IDs around in a codeigniter URI, so a preg_replace() removing all non-numeric characters is a good start…

  6. Dileep Says:

    But the following worked for me; try it, and you can find it at the following link:

    if ( ! preg_match("|^[".str_replace('\\-', '-', preg_quote($this->config->item('permitted_uri_chars')))."]+$|i", $str))

    http://theosmblog.com/2009/07/25/fresh-install-wamp-codeigniter-running/
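Why that change works, as an added example (my code, not CodeIgniter's and not the commenter's): from PHP 5.3 on, preg_quote() escapes '-' as well, so the a-z and 0-9 ranges in the default permitted_uri_chars value turn into three literal characters each and almost every ordinary segment fails the check. The str_replace() puts the hyphens back; the one from '\-' at the end of the list stays a literal hyphen because it is now the last character of the class. The default permitted_uri_chars value is assumed and the segments are constructed.

```php
<?php
// Added example, not CodeIgniter's code. Compares the character class that
// libraries/URI.php builds with preg_quote() alone against the one built
// after the str_replace() shown in the comment above.
// Assumes the default $config['permitted_uri_chars'] value.

$permitted = 'a-z 0-9~%.:_\-';

// As shipped: on PHP 5.3 and later preg_quote() escapes '-' too, so the
// ranges a-z and 0-9 become the literals 'a', '-', 'z' and '0', '-', '9'.
$class_as_shipped = preg_quote($permitted);

// The commenter's change: remove the backslash before each hyphen so the
// ranges survive. The hyphen at the end of the class is still a literal.
$class_fixed = str_replace('\\-', '-', preg_quote($permitted));

// The same preg_match() call the URI library makes, with the class swapped in.
function allowed(string $segment, string $class): bool
{
    return (bool) preg_match('|^[' . $class . ']+$|i', $segment);
}

printf("PHP %s\n", PHP_VERSION);
printf("class as shipped: [%s]\n", $class_as_shipped);
printf("class after fix:  [%s]\n", $class_fixed);

// Constructed segments: a controller name, a hyphenated segment, the three
// literals the broken class still accepts, and one with a disallowed '!'.
foreach (['welcome', 'my-page', 'a-z', 'hello world!'] as $segment) {
    printf("%-14s shipped:%s  fixed:%s\n", $segment,
        allowed($segment, $class_as_shipped) ? 'ok ' : 'BAD',
        allowed($segment, $class_fixed) ? 'ok ' : 'BAD');
}
```

On PHP 5.3 or later the "as shipped" class rejects "welcome" and "my-page" and accepts only "a-z", while the fixed class accepts the first three and rejects "hello world!", which is the behaviour the permitted_uri_chars setting was meant to have all along. On PHP older than 5.3 the two classes come out identical.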
