On Sun, 24 Apr 2005, Stefan Esser wrote:
As now it handles these strings it gets the same:
name="whatever,this,might,be";name2="value2"
name="whatever,this,might,be",name2="value2"
These were actually invalid examples.
'name' can NOT contain any of these chars: =,; \t\r\n\013\014
'value' can NOT contain any of these chars: ,; \t\r\n\013\014
If you want such chars in them, you have to encode them.
How can this affect modsecurity at all????
Forgive me my ignorance, but I do not see any handling of " chars.
And there wasn't such before I added the , as acceptable separator.
your strings should now result in 5 variables
1. variable: name - content: "whatever
2. variable: this - empty
3. variable: might - empty
4. variable: be" - empty
5. variable: name2 - content: "value"
Yes, and with this the same would happen:
name="whatever;this;might;be";name2="value2"
If I could set a cookie with such value, that is.
Of course this is wrong :)
Yes it is, if it was allowed.
--Jani
--
PHP Internals - PHP Runtime Development Mailing List
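
The splitting discussed in the thread, as an added example that is not part of the original messages and is not PHP's own code: a quote-unaware splitter run once with `;` only and once with `;` plus `,`, using the forbidden-character lists quoted above. The function names and the comparison helper are assumptions made for illustration.

```python
import re

# Characters the message lists as not allowed in a cookie name / value.
# \013 and \014 are octal escapes (vertical tab and form feed).
NAME_FORBIDDEN = set("=,; \t\r\n\013\014")
VALUE_FORBIDDEN = set(",; \t\r\n\013\014")


def split_cookie_header(header, separators=";,"):
    """Split a Cookie header on `separators` with no handling of '"' chars.

    Returns (name, value) pairs; value is "" when the chunk has no '='.
    """
    pairs = []
    for chunk in re.split("[" + re.escape(separators) + "]", header):
        chunk = chunk.strip(" \t")
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((name, value))
    return pairs


def forbidden_chars(name, value):
    """Return the forbidden characters found in a name and in a value."""
    return (sorted(set(name) & NAME_FORBIDDEN),
            sorted(set(value) & VALUE_FORBIDDEN))


def parsers_disagree(header):
    """True when a ';'-only split and a ';' + ',' split yield different
    variables, i.e. two components could see different cookies."""
    return split_cookie_header(header, ";") != split_cookie_header(header, ";,")


# Constructed sample: the first string quoted in the thread.
SAMPLE = 'name="whatever,this,might,be";name2="value2"'

if __name__ == "__main__":
    for label, seps in (("';' only", ";"), ("';' and ','", ";,")):
        print(label, split_cookie_header(SAMPLE, seps))
    print("disagree:", parsers_disagree(SAMPLE))
```
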