1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
|
<?php
/**
* A script to redirect to a given URL, used for example in IMP to hide any
* referrer data being passed to the remote server and potentially exposing
* any session IDs.
*
* Copyright 2003-2006 Marko Djukic <marko@oblo.com>
*
* See the enclosed file COPYING for license information (LGPL). If you did
* not receive this file, see http://www.fsf.org/copyleft/lgpl.html.
*
* $Horde: horde/services/go.php,v 1.6.2.16 2006/06/22 02:43:24 chuck Exp $
*
* @author Marko Djukic <marko@oblo.com>
*/
if (empty($_GET['url'])) {
exit;
}
$url = trim($_GET['url']);
if (preg_match('/;\s*url\s*=/i', $url)) {
/* IE will process the last ;URL= string, not the first, allowing
* protocols that shouldn't be let through. */
exit;
}
if (get_magic_quotes_gpc()) {
$parsed_url = @parse_url(stripslashes($url));
} else {
$parsed_url = @parse_url($url);
}
if (empty($parsed_url) || empty($parsed_url['host'])) {
exit;
}
if (empty($parsed_url['path'])) {
$parsed_url['path'] = false;
}
// Do a little due diligence on the target URL. If it's on the same server
// that we're already on, display an intermediate page asking people if
// they're sure they want to click through.
if (substr(php_sapi_name(), 0, 3) == 'cgi') {
// When using CGI PHP, SCRIPT_NAME may contain the path to the PHP binary
// instead of the script being run; use PHP_SELF instead.
$myurl = $_SERVER['PHP_SELF'];
} else {
$myurl = isset($_SERVER['SCRIPT_NAME']) ?
$_SERVER['SCRIPT_NAME'] :
$_SERVER['PHP_SELF'];
}
// 16 is the length of "/services/go.php".
$webroot = substr($myurl, 0, -16);
// Build a list of hosts considered dangerous (local hosts, the user's
// host, etc).
$dangerous_hosts = array('localhost', 'localhost.localdomain', '127.0.0.1');
if (!empty($_SERVER['SERVER_NAME'])) {
$dangerous_hosts[] = $_SERVER['SERVER_NAME'];
}
if (!empty($_SERVER['HTTP_HOST'])) {
$dangerous_hosts[] = $_SERVER['HTTP_HOST'];
}
// List of allowed services.
$allowed_uris = array();
// Check against our lists.
if ((empty($webroot) || strpos($parsed_url['path'], $webroot) === 0) &&
!empty($parsed_url['query']) &&
!in_array($parsed_url['path'], $allowed_uris) &&
in_array($parsed_url['host'], $dangerous_hosts)) {
?>
<html>
<head>
<title>Potentially Dangerous URL</title>
</head>
<body>
<h1>Potentially Dangerous URL</h1>
<p>
A referring site, an email you were reading, or some other
potentially untrusted source has attempted to send you to <?php echo
htmlspecialchars($url) ?>. This may be an attempt to
delete data or change settings without your knowledge. If
you have any concerns about this URL, please contact your
System Administrator. If you are confident that it is safe,
you may follow the link by clicking below.
</p>
<p>
<a href="<?php echo htmlspecialchars($url) ?>"><?php echo htmlspecialchars($url) ?></a>
</p>
</body>
</html>
<?php
exit;
}
header('Refresh: 0; URL=' . $url);
|
