linxianzhuang/saasshop
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BackUrl::sanitizeForLinks 增强:拒绝控制字符与 CRLF 注入 并补单测

Browse Source
This commit is contained in:
萝卜
2026-03-15 04:17:10 +00:00
parent e86257e866
commit cbc05e59b7
2 changed files with 12 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/Support/BackUrl.php
View File

@@ -26,6 +26,14 @@ class BackUrl
return ''; return '';
} }
// 拒绝控制字符/CRLF 注入(包括明文与常见 URL 编码形式)
if (preg_match('/[\r\n\t]/', $incomingBack)) {
return '';
}
if (preg_match('/%0d|%0a|%09/i', $incomingBack)) {
return '';
}
// 拒绝 back 自身再包含 back=(避免无限嵌套导致 URL 膨胀,且容易绕过页面侧护栏) // 拒绝 back 自身再包含 back=(避免无限嵌套导致 URL 膨胀,且容易绕过页面侧护栏)
// 同时拒绝“二次编码”的 back%3D例如 %2526back%253D 经过一次 urldecode 后变成 %26back%3D // 同时拒绝“二次编码”的 back%3D例如 %2526back%253D 经过一次 urldecode 后变成 %26back%3D
// 在浏览器点击后会再次被解码为 &back=,形成绕过)。 // 在浏览器点击后会再次被解码为 &back=,形成绕过)。

4
tests/Unit/BackUrlSanitizeForLinksTest.php
View File

@@ -24,6 +24,10 @@ class BackUrlSanitizeForLinksTest extends TestCase
$this->assertSame('', BackUrl::sanitizeForLinks("/admin/x?keyword='a'")); $this->assertSame('', BackUrl::sanitizeForLinks("/admin/x?keyword='a'"));
$this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=<b>')); $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=<b>'));
$this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=>')); $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=>'));
// 控制字符/CRLF 注入
$this->assertSame('', BackUrl::sanitizeForLinks("/admin/x?x=1\nSet-Cookie:evil=1"));
$this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?x=1%0aSet-Cookie:evil=1'));
} }
public function test_sanitize_for_links_should_reject_nested_back_param(): void public function test_sanitize_for_links_should_reject_nested_back_param(): void