July 24th, 2013, 09:41 AM
Character regex control, allawing $ char
I have a regex rule In my firewall
Name : Non-allowed characters
Rule : [^-.0-9a-zA-Z_\[\]]
Is this rule blocking "$" charecter.
I want to allow this character.
July 24th, 2013, 10:09 AM
And what exactly prevents you from adding the character to the list?
Originally Posted by mcetintr
July 25th, 2013, 08:35 PM
No, the $ is not blocked by your rule.
The caret (^) in the rule means "NOT": it means any character that is NOT a dash, a period, a digit etc. The dollar sign is not in that list, so it is not blocked.
July 26th, 2013, 01:50 AM
I doubt that.
Originally Posted by ragax
First of all, blocking simple alphabetic characters, digits etc. and allowing anything else is rather unlikely. It also can't be done with this regex, at least not in a single pass. You'd have to match every single character of the input string against this regex rather than just looking for the first match.
Anyway, as long as the OP doesn't explain what this firewall does and how it works, it's all just speculation.
July 26th, 2013, 06:23 AM
Well, we don't know how this firewall's rules work.
But to me there is a fairly simple hypothesis. One line says "non-allowed characters". The next line gives a character class that says "match any character that is not in that list", which seems consistent.
If the firewall implements the rule by just adding a + to the character class, that would definitely do the job. For instance, in php,
$goodstring = preg_match('~[^-.0-9a-zA-Z_\[\]]+~',$string);
If that simple hypothesis is correct, the rule allows a $, and forbids the dash, period, digits, letters, underscore and square brackets ó which btw could be expressed more compactly as [^[-\w\]]
But doubt is healthy.
And as you point out, Jacques, with the data provided there's no way to be 100% sure; and there's the question of what situation would call for matching something like *&#!@%^()+=/?<>,. (if indeed we are matching more than one character.) It's fun to speculate.
July 27th, 2013, 10:30 AM
It says : Name : Non-allowed characters.
And it is a negated character class. So my understanding is that a string having any character matching [^-.0-9a-zA-Z_\[\]] should be rejected. In other words, the only authorized characters are whose belonging to [-.0-9a-zA-Z_\[\]]. And is this interpretation is correct there is no need to add a +. Since $ is not in the list, it is not authorized and a string containing $ will be rejected.
If $ should be authorized, then it simply has to be added to the character class.
July 27th, 2013, 05:56 PM
Ah, yes, that interpretation does make more sense.
July 27th, 2013, 05:59 PM
... and that's what I tried to tell you yesterday.
July 27th, 2013, 08:36 PM
Yes, indeed. I didn't get it then.