开发者

Is this PHP redirect insecure?

Hmm I can't really indentify a开发者_运维问答ny insecurities but was wondering whether you can, if so how to possibly patch/mend?

Heres the code:

header("Location: http://example.com/search/{$_POST['term']}/{$_POST['type']}");

The site which i'm redirecting too does the validation & sanitization on their side, but what I'm concerned about is - is this redirecting insecure in any way (on my side - seeing as I'm using direct $_POST's).

Appreciate all help.

PS: Just became curious as I've always thought using unsanizited user input is dangerous (or atleast that applies to XSS and SQLi).


Overall, for most websites running a modern version of PHP, it is secure.

There are two concerns at hand:

  • A malicious user may be able to trick a victim into unwittingly visiting any page of the form /search/*/* on the site by linking them to a malicious page that POSTs to the page with your redirect. (Note that they are not limited to just two slashes after/search because their POST variables may contain slashes.) This is similar to handing someone a shortened bit.ly URL that redirects them, so it's not too bad.
  • HTTP response splitting. If a malicious user includes newlines (specifically, CRLF / \r\n) within their POST data, they can cause your header() call to output multiple headers, including headers to set cookies, and so on. However, as of PHP 5.1.2 this has been fixed.


This isn't a security issue, but you should probably URL-encode these arguments with urlencode($_POST['term']).


Yes, it's quite insecure. One should NEVER EVER put unchecked user input into a script. I'd recommend, at a minimum, using filter_input_array to sanitize your $_POST array before doing anything with it.


Hopefully the web tier that receives the redirected URL from the client will perform validation on the URL as a whole, so you're probably safe. But it wouldn't hurt to run the two fields through simple validation before sending the redirect.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜