Closed bitbucket-import closed 10 years ago
This seems like a usability issue, rather than a bug. Although the _sanitize_globals() function is sort of odd. It attempts to unset the _GET, _POST and _COOKIE keys that are in the global namespace, but it leaves the _REQUEST variable alone. So basically you can still access an invalid cookie key using _REQUEST['_COOKIE'][$key].
Nevertheless, a user can extend the Input library and create their own version of the _clean_input_keys() method to allow the extended characters.
In system/core/Input.php::_sanitize_globals(), CodeIgniter checks all the cookies on the current domain, and crashes the app (in _clean_input_keys()) if one of the cookie names is considered invalid.
The problem is that CI is also checking cookies that it didn't create. So, for example, if a website on the same domain created a cookie that CI doesn't like, it's going to crash, even though the other website might be completely unrelated.
This is easy to test with Glype, which creates cookies with names such as "c[nameofwebsite.com][/][authtoken]":
I think this is a big problem because it means CI can randomly crash when things outside of its own environment change. For now, the problem can be "fixed" by clearing the cookies, but a permanent solution would obviously be better.
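A stand-alone PHP sketch of the behaviour the report asks for, added here as an example and not CodeIgniter's own code: cookies whose names fail validation are dropped and recorded instead of aborting the request, and the same names are removed from a merged request array so they cannot be reached that way either. The ALLOWED_KEY pattern, the function names and the sample cookie values are assumptions made for illustration.

```php
<?php
// Assumed allow-list for key names (illustrative, not taken from the page).
const ALLOWED_KEY = '/^[a-z0-9:_\/-]+$/i';

// True only if the key and every nested key match the allow-list.
// PHP turns a cookie named c[site][/][authtoken] into nested arrays,
// so the nested keys have to be checked as well.
function keys_valid($key, $value): bool
{
    if (preg_match(ALLOWED_KEY, (string) $key) !== 1) {
        return false;
    }
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            if (!keys_valid($k, $v)) {
                return false;
            }
        }
    }
    return true;
}

// Keep valid cookies; record the names of rejected ones instead of exiting.
function filter_cookies(array $cookies, array &$dropped): array
{
    $kept = [];
    foreach ($cookies as $name => $value) {
        if (keys_valid($name, $value)) {
            $kept[$name] = $value;
        } else {
            $dropped[] = (string) $name; // for server-side logging only
        }
    }
    return $kept;
}

// Constructed sample: one cookie set by this app, one set by an unrelated
// app on the same domain (shaped like the Glype name quoted in the report).
$cookies = [
    'ci_session' => 'constructed-session-value',
    'c' => ['nameofwebsite.com' => ['/' => ['authtoken' => 'constructed']]],
];
$request = $cookies + ['q' => 'constructed-query'];

$dropped = [];
$kept    = filter_cookies($cookies, $dropped);
// Remove the rejected names from the merged request data as well.
$request = array_diff_key($request, array_flip($dropped));

echo json_encode(['kept' => array_keys($kept), 'dropped' => $dropped,
                  'request' => array_keys($request)]), PHP_EOL;
```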