I've got this code on my page:
header("Location: $page");
$page is passed to the script as a GET variable, do I need any security? (if so what)
I was going to just use addslashes() but that would stuff up the URL...
+7
A:
I could forward your users anywhere I like if I get them to click a link, which is definitely a big security flaw (Please login on www.yoursite.com?page=badsite.com). Now think of a scenario where badsite.com looks exactly like your site, except that it catches your user's credentials.
You're better off defining a $urls array in your code and passing only the index to an entry in that array, for example:
$urls = array(
'pageName1' => '/link/to/page/number/1',
'pageNumber2' => '/link/to/page/number/2',
'fancyPageName3' => '/link/to/page/number/3',
);
# Now your URL can look like this:
# www.yoursite.com?page=pageName1
soulmerge
2009-05-22 12:21:30
Do you mean define an array on URL's on that page and make sure the url that was passed to the script is in that array? I was originally going to do that but I realized that means I need to edit that page every time I add a URL.
Hintswen
2009-05-22 12:26:31
added an example
soulmerge
2009-05-22 12:42:56
Hintswen, if that's a problem, add a database table, give it a RESTful API for adding data (wouldn't worry about making a fancy method of editing or deleting stuff until you can be bothered) and make a bookmarklet which adds a URL to the list.
Samir Talwar
2009-05-22 12:45:59
Why not just check if the url is on the same domain or not?I didn't end up using a header redirect for my purpose but I just thought of that.
Hintswen
2010-05-26 05:06:39
+2
A:
Yes, you do. Just because you or I can't immediately think of a way to take advantage of that little bit of code doesn't mean a more clever person can't. What you want to do is make sure that the redirect is going to a page that you deem accessible. Even this simple validation could work:
$safe_pages = array('index.php', 'login.php', 'signup.php');
if (in_array($page, $safe_pages)) {
header("Location: $page");
}
else {
echo 'That page is not accessible.';
}
Justin Poliey
2009-05-22 12:22:47
got it. that's actually what I originally had. but as I said to soulmerge I realized I would need to edit it every time I add a page/url
Hintswen
2009-05-22 12:28:10
+2
A:
This is a code injection vulnerability by the book. The user can enter any value he wants and your script will obey without any complaints.
But one of the most important rules – if even not the most important rule – is:
Never trust the user data!
So you should check what value has been passed and validate it. Even though a header injection vulnerability was fixed with PHP 4.4.2 and 5.1.2 respectivly, you can still enter any valid URI and the user who calls it would be redirected to it. Even such cryptic like ?page=%68%74%74%70%3a%2f%2f%65%76%69%6c%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d%2f what’s URL encoded for ?page=http://evil.example.com/.
Gumbo
2009-05-22 12:30:28
A:
Or, at the very least, define a whitelist of allowed URLs, and only forward the user if the URL they supplied is in the GET variable is in the list.
Brian
2009-05-22 12:51:48