redirecting security

bull

hi,

every link in my web page i send through goto.php, here is its content:

<?
$url = $_GET['url'];
if ($url!=''){
	header('Location: '.$url);
}
else{
	header('Location: http://defaulthomepage.com/');
}
?>

for example in my web there is:

<a href="goto.php?url=http://newpage.com">newpage.com</a>

is there any security issues i need to correct in this goto.php file or there is no way of outter injections to occur?

how do you think?

laserlight

I am not entirely sure of this, but I believe that merely sending a location header in the way you demonstrated should not allow for some kind of malicious code injection. A malicious user may be able to use it to trick someone into thinking that it is a link to your site (and it is, just redirected), but that is about it.

I might suggest an improvement that properly uses empty to check if $GET['url'] exists:

<?php
$url = empty($_GET['url']) ? 'http://www.example.com' : $_GET['url'];
header('Location: ' . $url);
exit;
?>

halojoy

yes,
I am sure this can be a security issue.

It is better you use some alias list.
This will restrict what locations can be redirected to.
Only those you approve of.
And nobody can submit whatever links.

There are many ways to do this.
Maybe an array like this

<?php

$urlalias = array(
    'alias1' => 'link1',
    'alias2' => 'link2',
);

$location = "";
foreach( $urlalias AS $alias => $link ){

if ( $geturl == $alias ){
    $location = $link;
    break;
}

}

if( !empty($location)){
     header('Location: '.$location );
     exit();
}

// else header to my default location    

?>

Horizon88

Halo, he's looking for specifics, and I'm guessing it's some sort of outbound link tracker so an array whitelist would be prohibitive.

That code looks fine, bull, just possibly use laserlight's suggestion so it doesn't throw an error if they get linked to it without a url specified.