From 0126a5aed7a592e0552e75ba197d2030074212cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?=
Date: Sun, 15 Mar 2026 04:18:54 +0000
Subject: [PATCH] =?UTF-8?q?BackUrl::sanitizeForLinks=20=E5=A2=9E=E5=BC=BA?= =?UTF-8?q?=EF=BC=9A=E6=8B=92=E7=BB=9D=E5=8D=8F=E8=AE=AE=E7=9B=B8=E5=AF=B9?= =?UTF-8?q?=20URL=EF=BC=88//evil.com=EF=BC=89=E5=B9=B6=E8=A1=A5=E5=8D=95?= =?UTF-8?q?=E6=B5=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/Support/BackUrl.php | 5 +++++
 tests/Unit/BackUrlSanitizeForLinksTest.php | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/app/Support/BackUrl.php b/app/Support/BackUrl.php
index 0b76f1f..21b6547 100644
--- a/app/Support/BackUrl.php
+++ b/app/Support/BackUrl.php
@@ -22,6 +22,11 @@ class BackUrl
 return '';
 }
 
+ // 拒绝协议相对 URL(例如 //evil.com),避免 open redirect
+ if (str_starts_with($incomingBack, '//')) {
+ return '';
+ }
+
 if (preg_match('/["\'<>]/', $incomingBack)) {
 return '';
 }
diff --git a/tests/Unit/BackUrlSanitizeForLinksTest.php b/tests/Unit/BackUrlSanitizeForLinksTest.php
index f35cf2b..a8a70b4 100644
--- a/tests/Unit/BackUrlSanitizeForLinksTest.php
+++ b/tests/Unit/BackUrlSanitizeForLinksTest.php
@@ -16,6 +16,9 @@ class BackUrlSanitizeForLinksTest extends TestCase
 {
 $this->assertSame('', BackUrl::sanitizeForLinks('https://evil.com/a'));
 $this->assertSame('', BackUrl::sanitizeForLinks('http://evil.com/a'));
+
+ // 协议相对 URL
+ $this->assertSame('', BackUrl::sanitizeForLinks('//evil.com/a'));
 }

 public function test_sanitize_for_links_should_reject_quotes_and_angle_brackets(): void
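Review bot: The new `str_starts_with($incomingBack, '//')` guard in app/Support/BackUrl.php only catches the forward-slash spelling of a protocol-relative URL; browsers normalise a backslash to a slash in http(s) URLs, so a value beginning with `\\` or `/\` is not rejected here and still passes through to the checks that follow. Treat either separator as a scheme-less authority prefix, e.g. `if (preg_match('#^[/\\\\]{2}#', $incomingBack)) {` (the single-quoted PHP literal yields the pattern `^[/\\]{2}`), and add the corresponding cases beside the new `//evil.com/a` assertion in tests/Unit/BackUrlSanitizeForLinksTest.php so the gap stays closed. The function's opening lines are outside this hunk, so whether leading whitespace or control characters are trimmed before this point cannot be confirmed from the diff; if they are not, an allowlist that requires a single leading `/` followed by a non-separator character is the more robust contract than enumerating rejected prefixes.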