Sanitation for the URL used in the header: location?

Question

Sanitation for the URL used in the header: location?

In a multi-step process, I get the URL as a form field.

After processing, my PHP script redirects to this address using header("Location: ...");

Besides being able to be used as a redirect service for porn sites to create harmless looking email links ( Open Redirect , which can be helped by matching URLs for a local domain), are there any dangers for hacking / exploitation that you should be aware of in this process?

One thing that came to mind was that new lines were exported to the URL, which could open up the possibility of sending arbitrary headers to the client.

+4

security php http-headers

Pekka 웃 Feb 05 '10 at 19:42

source share

1 answer

rook · Accepted Answer · 2010-02-05T19:50:11+0000

In older versions of PHP, you had to worry about the CRLF injection being \ r \ n. This is a header response split vulnerability. If you cross out these characters, you don’t have to worry. In the latest PHP build, the header () function is safe and will take care of you automatically.

Sanitation for the URL used in the header: location?

More articles: