Hey guys,
I tested it and his findings look right: the Uri isn't filtered. Somewhere along the rewrites of routing, Security::uri_clean() wasn't called anymore and we're not cleaning the Uri input anymore. Maybe this was by design because we moved to output encoding, but then the uri_filter value of app/config/config.php should still work, and it doesn't.
I'm not sure where this was done before. Can any of you look into this?
Jelmer