BackUrl::sanitizeForLinks 增强：拒绝协议相对 URL（//evil.com）并补单测

2026-03-15 04:18:54 +00:00
parent cbc05e59b7
commit 0126a5aed7
2 changed files with 8 additions and 0 deletions
--- a/app/Support/BackUrl.php
+++ b/app/Support/BackUrl.php
@@ -22,6 +22,11 @@ class BackUrl
            return '';
        }

+        // 拒绝协议相对 URL（例如 //evil.com），避免 open redirect
+        if (str_starts_with($incomingBack, '//')) {
+            return '';
+        }
+
        if (preg_match('/["\'<>]/', $incomingBack)) {
            return '';
        }
--- a/tests/Unit/BackUrlSanitizeForLinksTest.php
+++ b/tests/Unit/BackUrlSanitizeForLinksTest.php
@@ -16,6 +16,9 @@ class BackUrlSanitizeForLinksTest extends TestCase
    {
        $this->assertSame('', BackUrl::sanitizeForLinks('https://evil.com/a'));
        $this->assertSame('', BackUrl::sanitizeForLinks('http://evil.com/a'));
+
+        // 协议相对 URL
+        $this->assertSame('', BackUrl::sanitizeForLinks('//evil.com/a'));
    }

    public function test_sanitize_for_links_should_reject_quotes_and_angle_brackets(): void