BackUrl::sanitizeForLinks 加强:拒绝二次编码 back%3D 绕过 并补单测

This commit is contained in:
萝卜
2026-03-15 04:11:42 +00:00
parent 54f356f52d
commit e86257e866
2 changed files with 12 additions and 0 deletions


@@ -27,9 +27,17 @@ class BackUrl
} }
// 拒绝 back 自身再包含 back=(避免无限嵌套导致 URL 膨胀,且容易绕过页面侧护栏) // 拒绝 back 自身再包含 back=(避免无限嵌套导致 URL 膨胀,且容易绕过页面侧护栏)
// 同时拒绝“二次编码”的 back%3D例如 %2526back%253D 经过一次 urldecode 后变成 %26back%3D
// 在浏览器点击后会再次被解码为 &back=,形成绕过)。
if (preg_match('/(?:^|[?&])back=/', $incomingBack)) { if (preg_match('/(?:^|[?&])back=/', $incomingBack)) {
return ''; return '';
} }
if (preg_match('/(?:^|[?&]|%26|%3f)back%3d/i', $incomingBack)) {
return '';
}
if (preg_match('/back%253d/i', $incomingBack)) {
return '';
}
return $incomingBack; return $incomingBack;
} }
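Review bot: The three `preg_match` checks enumerate specific encoded spellings instead of normalising the input first, and they are already inconsistent with each other: the third pattern `/back%253d/i` has no `(?:^|[?&]|%26|%3f)` prefix like the second, so any value merely containing that substring (e.g. a `feedback%253d` parameter) is also rejected, and the first pattern `/(?:^|[?&])back=/` lacks the `i` flag the two new ones carry. A single check applied after a bounded, repeated `rawurldecode` covers both cases the commit tests (`%26back%3D` and `%2526back%253D`) with one rule rather than a growing list of encodings; whether other encoded spellings of the name matter depends on how the consuming page parses the parameter, which is not visible here. The signature of sanitizeForLinks and the checks that precede this one lie outside the hunk.
```php
// Decode nested percent-encoding to a fixed point (bounded) so the
// "contains back=" rule does not depend on enumerating encoded forms.
$probe = $incomingBack;
for ($round = 0; $round < 3; $round++) {
    $decoded = rawurldecode($probe);
    if ($decoded === $probe) {
        break;
    }
    $probe = $decoded;
}
if (preg_match('/(?:^|[?&])back=/i', $probe)) {
    return '';
}
// … unchanged: return $incomingBack; …
```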


@@ -31,6 +31,10 @@ class BackUrlSanitizeForLinksTest extends TestCase
$this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?back=/admin/y')); $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?back=/admin/y'));
$this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1&back=/admin/y')); $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1&back=/admin/y'));
$this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1&b=2&back=/admin/y')); $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1&b=2&back=/admin/y'));
// 二次编码绕过:%26back%3D 在浏览器/中间层解码后会变回 &back=,因此也应拒绝
$this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1%26back%3D/admin/y'));
$this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1%2526back%253D/admin/y'));
} }
public function test_sanitize_for_links_should_reject_paths_not_starting_with_slash(): void public function test_sanitize_for_links_should_reject_paths_not_starting_with_slash(): void