2016-10-22 14:57:10 +00:00
|
|
|
<?php
|
|
|
|
|
/* vim: set expandtab sw=4 ts=4 sts=4: */
|
|
|
|
|
/**
|
|
|
|
|
* URL redirector to avoid leaking Referer with some sensitive information.
|
|
|
|
|
*
|
|
|
|
|
* @package PhpMyAdmin
|
|
|
|
|
*/
|
2018-04-14 09:18:00 +00:00
|
|
|
|
|
|
|
|
use PhpMyAdmin\Core;
|
|
|
|
|
use PhpMyAdmin\Sanitize;
|
|
|
|
|
use PhpMyAdmin\Response;
|
2016-10-22 14:57:10 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Gets core libraries and defines some variables
|
|
|
|
|
*/
|
|
|
|
|
define('PMA_MINIMUM_COMMON', true);
|
|
|
|
|
require_once './libraries/common.inc.php';
|
|
|
|
|
|
|
|
|
|
// Only output the http headers
|
2017-04-20 10:55:30 +00:00
|
|
|
$response = Response::getInstance();
|
2016-10-22 14:57:10 +00:00
|
|
|
$response->getHeader()->sendHttpHeaders();
|
|
|
|
|
$response->disable();
|
|
|
|
|
|
2018-04-14 09:18:00 +00:00
|
|
|
if (! Core::isValid($_REQUEST['url'])
|
2016-10-22 14:57:10 +00:00
|
|
|
|| ! preg_match('/^https:\/\/[^\n\r]*$/', $_REQUEST['url'])
|
2018-04-14 09:18:00 +00:00
|
|
|
|| ! Core::isAllowedDomain($_REQUEST['url'])
|
2016-10-22 14:57:10 +00:00
|
|
|
) {
|
2018-04-14 09:18:00 +00:00
|
|
|
Core::sendHeaderLocation('./');
|
2016-10-22 14:57:10 +00:00
|
|
|
} else {
|
|
|
|
|
// JavaScript redirection is necessary. Because if header() is used
|
|
|
|
|
// then web browser sometimes does not change the HTTP_REFERER
|
|
|
|
|
// field and so with old URL as Referer, token also goes to
|
|
|
|
|
// external site.
|
|
|
|
|
echo "<script type='text/javascript'>
|
|
|
|
|
window.onload=function(){
|
2017-04-20 10:55:30 +00:00
|
|
|
window.location='" , Sanitize::escapeJsString($_REQUEST['url']) , "';
|
2016-10-22 14:57:10 +00:00
|
|
|
}
|
|
|
|
|
</script>";
|
|
|
|
|
// Display redirecting msg on screen.
|
|
|
|
|
// Do not display the value of $_REQUEST['url'] to avoid showing injected content
|
|
|
|
|
echo __('Taking you to the target site.');
|
|
|
|
|
}
|
|
|
|
|
die();
|
