#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    1
    Rep Power
    0

    Character regex control, allowing $ char


    I have a regex rule in my firewall
    Name : Non-allowed characters
    Rule : [^-.0-9a-zA-Z_\[\]]

    Is this rule blocking the "$" character?
    I want to allow this character.

    Thank you.
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by mcetintr
    Is this rule blocking the "$" character?
    I want to allow this character.
    And what exactly prevents you from adding the character to the list?
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  4. #3
  5. Turn left at the third duck
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2011
    Location
    Nelson, NZ
    Posts
    112
    Rep Power
    93
    No, the $ is not blocked by your rule.
    The caret (^) in the rule means "NOT": it means any character that is NOT a dash, a period, a digit etc. The dollar sign is not in that list, so it is not blocked.
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by ragax
    No, the $ is not blocked by your rule.
    I doubt that.

    First of all, blocking simple alphabetic characters, digits etc. and allowing anything else is rather unlikely. It also can't be done with this regex, at least not in a single pass. You'd have to match every single character of the input string against this regex rather than just looking for the first match.

    Anyway, as long as the OP doesn't explain what this firewall does and how it works, it's all just speculation.
  8. #5
  9. Turn left at the third duck
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2011
    Location
    Nelson, NZ
    Posts
    112
    Rep Power
    93
    Well, we don't know how this firewall's rules work.
    But to me there is a fairly simple hypothesis. One line says "non-allowed characters". The next line gives a character class that says "match any character that is not in that list", which seems consistent.
    If the firewall implements the rule by just adding a + to the character class, that would definitely do the job. For instance, in PHP,
    $goodstring = preg_match('~[^-.0-9a-zA-Z_\[\]]+~',$string);

    If that simple hypothesis is correct, the rule allows a $, and forbids the dash, period, digits, letters, underscore and square brackets, which btw could be expressed more compactly as [^[-\w\]]

    But doubt is healthy.
    And as you point out, Jacques, with the data provided there's no way to be 100% sure; and there's the question of what situation would call for matching something like *&#!@%^()+=/?<>,. (if indeed we are matching more than one character.) It's fun to speculate.
  10. #6
  11. No Profile Picture
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Jun 2012
    Posts
    836
    Rep Power
    496
    It says : Name : Non-allowed characters.

    And it is a negated character class. So my understanding is that a string having any character matching [^-.0-9a-zA-Z_\[\]] should be rejected. In other words, the only authorized characters are those belonging to [-.0-9a-zA-Z_\[\]]. And if this interpretation is correct, there is no need to add a +. Since $ is not in the list, it is not authorized and a string containing $ will be rejected.

    If $ should be authorized, then it simply has to be added to the character class.
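
Added example (not part of any post in this thread, and not the firewall's own code): the two readings of the rule debated above, in Python, with `$` added to the class for comparison. How the firewall actually applies the rule is unknown; the function names, the anchoring in `is_allowed_run_reading` and the sample inputs are assumptions made for illustration.

```python
import re

# The rule from the thread: matches any single character that is NOT in the list.
DISALLOWED = re.compile(r"[^-.0-9a-zA-Z_\[\]]")
# Same rule with "$" added. Inside [...] "$" is a literal, not an end anchor.
DISALLOWED_WITH_DOLLAR = re.compile(r"[^-.0-9a-zA-Z_\[\]$]")


def offending_chars(value, rule=DISALLOWED):
    """Distinct characters in value that the rule matches, in first-seen order."""
    seen = []
    for ch in rule.findall(value):
        if ch not in seen:
            seen.append(ch)
    return seen


def is_allowed(value, rule=DISALLOWED):
    """Reject-on-any-match reading: a single match of the rule rejects the input."""
    return rule.search(value) is None


def is_allowed_run_reading(value, rule=DISALLOWED):
    """The other reading: the class plus '+', accepted only when the whole
    input consists of characters the class matches (anchoring is an assumption)."""
    return re.fullmatch("(?:" + rule.pattern + ")+", value) is not None


# Constructed sample inputs, not taken from any real traffic.
SAMPLES = ["price[0]", "cost$5", "a b", "$$$", "user_name-1.0", "abc\n"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(
            repr(s),
            "original:", is_allowed(s),
            "with $:", is_allowed(s, DISALLOWED_WITH_DOLLAR),
            "run reading:", is_allowed_run_reading(s),
            "offending:", offending_chars(s),
        )
```

Under the reject-on-any-match reading, `cost$5` fails only because of `$` and passes once `$` is in the class, while a space or a trailing newline is still rejected.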
  12. #7
  13. Turn left at the third duck
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2011
    Location
    Nelson, NZ
    Posts
    112
    Rep Power
    93
    Ah, yes, that interpretation does make more sense.
  14. #8
  15. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    ... and that's what I tried to tell you yesterday.
  16. #9
  17. Turn left at the third duck
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2011
    Location
    Nelson, NZ
    Posts
    112
    Rep Power
    93
    Yes, indeed. I didn't get it then.
