dongzouqie4220 2010-10-24 06:23
370 views
Accepted

How do I correctly escape a Location: header value?

In my webapp I'm using HTTP Location: headers for redirect (e.g. POST/redirect/GET). But the target locations have to be dynamic (e.g. login.php?dest=pagexy.php). We all know that any user-modifiable input has to be properly escaped to prevent XSS, so

 header('Location: '.$_REQUEST['dest']);

looks wrong. Simple urlencode-ing can only be used for simple files, not paths (e.g. cross-domain URLs with Single-Sign-On).

I've also read about vulnerabilities like:

Location: javascript:...bad.stuff...  or
Location: data:text/html:base64,...

Having an explicit whitelist of destinations would probably be the most secure solution, but is tedious and might even not be possible for all use-cases.

Solutions?

Edit:

  1. Is urlencoding enough/correct for simple files? Assume a recent PHP version (> 5.1.2, AFAIK) that forbids newlines in header().

  2. How can I safely handle cross-domain credential-checking without knowing each other-domain beforehand?


2 answers

  • douquqiang1513 2010-10-24 06:30

    Simple: DON'T EVER DO THAT.

    If you must redirect the user, don't ever let them tell you where they are going.

    If you absolutely must do that, urlencode the input, whitelist the domains, and strip parameters that you haven't whitelisted. Better yet, don't let them tell you what domain - produce that using some other backend switch.

    If you don't seriously lock that down, you will be vulnerable to all kinds of things. Be especially careful that they can't put a linebreak in there.

    More info:

    This answer was selected by the asker as the best answer.
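The following is an added example, not code from the question or the accepted answer, showing how the answer's advice (host whitelist, parameter whitelist, no linebreaks, fixed fallback) can be applied to a `dest` parameter before it reaches `header()`. The host `sso.example.com`, the parameter names `page` and `lang`, the fallback `/index.php` and the function names are assumptions chosen for the example; the check also assumes the application lives at the site root, so a bare file name such as `pagexy.php` is turned into `/pagexy.php`.

```php
<?php
// Added example (not from the original question or answer). Validates a
// user-supplied redirect target instead of passing it to header() as-is.

/**
 * Return a rebuilt, validated redirect target, or null if $dest must not be
 * used. $allowedHosts / $allowedParams are the whitelists the application
 * owner maintains (hypothetical values are used in redirect_to() below).
 */
function safe_redirect_target($dest, array $allowedHosts, array $allowedParams)
{
    // 1. Control characters (incl. CR/LF) would split the header; browsers treat
    //    "\" like "/", so "/\evil.example" could leave the site. Refuse both.
    if (!is_string($dest) || preg_match('/[\x00-\x1F\x7F\\\\]/', $dest)) {
        return null;
    }

    $p = parse_url($dest);
    if ($p === false) {
        return null;
    }

    // 2. Anything carrying a scheme must be http(s); this rejects javascript:,
    //    data:, file: and similar pseudo-URLs (case-insensitively).
    if (isset($p['scheme'])
        && !in_array(strtolower($p['scheme']), array('http', 'https'), true)) {
        return null;
    }

    // 3. Cross-domain targets (including protocol-relative "//host/...") only for
    //    whitelisted hosts, and never with userinfo ("https://trusted@evil.example").
    if (isset($p['host'])) {
        if (isset($p['user']) || isset($p['pass'])) {
            return null;
        }
        $hosts = array_map('strtolower', $allowedHosts);
        if (!in_array(strtolower($p['host']), $hosts, true)) {
            return null;
        }
    }

    // 4. Path: unreserved characters, "/", "+" and well-formed %XX escapes only.
    //    No ":" so a relative path can never be re-read as a scheme, and no
    //    leading "//" because browsers resolve "///evil.example" as a new host.
    $path = isset($p['path']) ? $p['path'] : '/';
    if (!preg_match('#^[A-Za-z0-9._~/%+-]*$#', $path)
        || !preg_match('/^(%[0-9A-Fa-f]{2}|[^%])*$/', $path)
        || substr($path, 0, 2) === '//') {
        return null;
    }
    if (!isset($p['host']) && substr($path, 0, 1) !== '/') {
        // Assumption: app at site root, so "pagexy.php" becomes "/pagexy.php".
        $path = '/' . $path;
    }

    // 5. Query string: keep only whitelisted parameter names, then re-encode.
    $query = '';
    if (isset($p['query'])) {
        parse_str($p['query'], $params);
        $kept = array_intersect_key($params, array_flip($allowedParams));
        if ($kept) {
            $query = '?' . http_build_query($kept);
        }
    }

    // 6. Rebuild the target from validated pieces only; the fragment is dropped.
    $target = '';
    if (isset($p['host'])) {
        $scheme = isset($p['scheme']) ? strtolower($p['scheme']) : 'https';
        $target = $scheme . '://' . strtolower($p['host']);
        if (isset($p['port'])) {
            $target .= ':' . (int) $p['port'];
        }
    }
    return $target . $path . $query;
}

/** Redirect to a validated target, or to a fixed page the user cannot choose. */
function redirect_to($dest)
{
    $allowedHosts  = array('sso.example.com');   // hypothetical SSO partner
    $allowedParams = array('page', 'lang');      // hypothetical parameter names
    $target = safe_redirect_target($dest, $allowedHosts, $allowedParams);
    if ($target === null) {
        $target = '/index.php';                   // fallback is a constant, never $dest
    }
    header('Location: ' . $target, true, 303);
    exit;
}

// Usage at the end of a POST handler, replacing header('Location: '.$_REQUEST['dest']):
redirect_to(isset($_REQUEST['dest']) ? $_REQUEST['dest'] : '');
```

With these whitelists, `javascript:...`, `data:text/html;base64,...`, `//evil.example/` and anything containing a CR or LF come back as `null` and hit the fallback, while `https://sso.example.com/login?page=x&evil=1` is rebuilt as `https://sso.example.com/login?page=x`. Rejecting rather than "fixing" a bad value is deliberate: once a target fails validation there is no safe way to guess what the user meant.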