helraizer Posted March 24, 2008

Hi folks,

I am setting up a form for users to post shouts for their shoutbox from their site (external from mine), so on their form there is a hidden field named "redirect". On my page I have this code.

    if (isset($_POST['redirect'])) {
        $redirect = htmlspecialchars($_POST['redirect']);
        header("Location:".$redirect);
        exit;
    } else {}

but this leaves it open to XSS and Header Injection.. How can I protect against this effectively?

Thanks,
Sam

cooldude832 Posted March 24, 2008

the possibilities of redirects you have should be limited so you can use an array

    <?php
    // Allow-list of pages that may be used as a redirect target
    $pages = array("index.php", "login.php", "exit.php");
    if (isset($_POST['redirect'])) {
        if (in_array($_POST['redirect'], $pages)) {
            header("location: ".htmlspecialchars($_POST['redirect']));
        } else {
            // Anything not on the list falls back to the first page
            header("location: ".$pages[0]);
        }
    }
    ?>

simple idea

helraizer Posted March 24, 2008

> the possibilities of redirects you have should be limited so you can use an array
>
>     <?php
>     // Allow-list of pages that may be used as a redirect target
>     $pages = array("index.php", "login.php", "exit.php");
>     if (isset($_POST['redirect'])) {
>         if (in_array($_POST['redirect'], $pages)) {
>             header("location: ".htmlspecialchars($_POST['redirect']));
>         } else {
>             // Anything not on the list falls back to the first page
>             header("location: ".$pages[0]);
>         }
>     }
>     ?>
>
> simple idea

That's an interesting idea and I'll keep it in mind but the user would have to decide then and there where they want to host the shoutbox on their site and post the URL for me to save it in an array. This limits things because then if they change the location they would have to repost the location and thus update the array each time.

Sam

Any other ideas?

cooldude832 Posted March 24, 2008

well you can try and confirm it with the $_SERVER['HTTP_REFERER'] variable but it too isn't "secure"

so you have remote servers posting to your server via POST data for shoutboxes that is then redisplayed on the remote server?

you can try using cURL and have that server post to itself, but its own POST processor then sends the data via cURL to your server, in turn masking your server, preventing a direct chain to your server, making it impossible for anyone other than server admins to know where the data is stored or to inject it.

MadTechie Posted March 25, 2008

i guess as it's a redirect you would only really need to stop it pointing to other sites

in this case you could just use

    $redirect = str_replace("http://","",$_POST['redirect']);

thus all injections will stay on your site.. off hand i can't see any harm..

i have no idea why you are using htmlspecialchars ???

helraizer Posted March 25, 2008

> i have no idea why you are using htmlspecialchars ???

Hmm.. come to think of it, neither do I. I've taken that out now anyway. I think it's just force of habit for protecting variables really.

discomatt Posted March 25, 2008

Well, depends on the build of PHP. As of 4.4.2 and 5.1.2 the function prevents more than 1 header being sent at a time.

I think everyone is over complicating this though... If I'm correct, each 'header' sent must be on its own line, therefore, simply strip any line breaks from the code and any injection attempts will only break the redirect.

As an alternative, you could also strip spaces and other characters that would usually not be in a url... or simply attempt to match them with regex, and fail on a match.

Something like this would probably work fairly well

    if (preg_match('/([\s:])/', $header)) {
        # Possible injection attempt
    }

It checks for any white space (space, line break, tab) or a colon in $header.. all of which are usually necessary for injection, and should not show up in a URL
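
An added example, not code from any poster in this thread, combining two ideas raised above: an allow-list like cooldude832's, matched on the host instead of the full page so a shoutbox can move within its owner's site, and discomatt's rejection of line breaks before the value reaches header(). The function name, the REGISTERED_HOSTS list and the sample URLs are assumptions constructed for illustration.

```php
<?php
// Added example. REGISTERED_HOSTS is a hypothetical list of hosts that
// shoutbox owners registered with the service (constructed values).
const REGISTERED_HOSTS = ['shouts.example.com', 'www.example.org'];

// Returns the URL if it is safe to put in a Location header, otherwise null.
function safe_redirect_target($raw, array $allowedHosts): ?string
{
    // redirect[]=... arrives as an array; only strings are acceptable.
    if (!is_string($raw)) {
        return null;
    }
    // Control characters (CR, LF, NUL, tab), spaces and backslashes never
    // belong in a redirect URL; CR/LF are what header injection relies on.
    if (preg_match('/[\x00-\x20\x7F\\\\]/', $raw)) {
        return null;
    }
    $parts = parse_url($raw);
    // Relative, scheme-less ("//host") and malformed values lack scheme or host.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // "https://allowed-host@other-host/" puts the trusted name in userinfo.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    // Exact host match: the page path may change, the site may not.
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }
    return $raw;
}

// Constructed sample inputs: only the first should be accepted.
$samples = [
    'https://shouts.example.com/box.php?page=2',
    "https://shouts.example.com/\r\nX-Injected: 1",
    '//other.example/',
    'https://shouts.example.com@other.example/',
    'https://other.example/?next=https://shouts.example.com/',
];
foreach ($samples as $s) {
    $ok = safe_redirect_target($s, REGISTERED_HOSTS);
    echo json_encode($s), ' => ', $ok === null ? 'rejected' : 'redirect', "\n";
}
```

In the form handler, pass `$_POST['redirect'] ?? null` to the function and fall back to a fixed local page when it returns null.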