1 (edited by doniboy 2008-02-28 08:40)

Topic: Safe Page Redirection

I know that newline characters (e.g. \n, \r, %0d, %0a) need to be stripped off to circumvent HTTP Response Splitting, but what security measure should I consider when redirecting to an user supplied location via PHP's header() function? Is there a white or black list of acceptable or problematic/unsafe URL characters that I should know about?

Also, in the following snippet of code pulled from punBB's redirect() function, what is the purpose of the last condition, i.e. (;[\s]*data[\s]*:)?

$destination_url = preg_replace('/([\r\n])|(%0[ad])|(;[\s]*data[\s]*:)/i', '', $destination_url);

Thanks in advance.

Re: Safe Page Redirection

Removing the data: URI, which can be used in attacks.
And I think the code you have above is good.