3 * URL redirector to avoid leaking Referer with some sensitive information.
6 declare(strict_types
=1);
9 use PhpMyAdmin\DatabaseInterface
;
10 use PhpMyAdmin\Response
;
11 use PhpMyAdmin\Sanitize
;
13 if (! defined('ROOT_PATH')) {
14 // phpcs:disable PSR1.Files.SideEffects
15 define('ROOT_PATH', __DIR__
. DIRECTORY_SEPARATOR
);
19 global $containerBuilder, $dbi;
21 // phpcs:disable PSR1.Files.SideEffects
22 define('PMA_MINIMUM_COMMON', true);
25 require_once ROOT_PATH
. 'libraries/common.inc.php';
27 // Load database service because services.php is not available here
28 $dbi = DatabaseInterface
::load();
29 $containerBuilder->set(DatabaseInterface
::class, $dbi);
31 // Only output the http headers
32 $response = Response
::getInstance();
33 $response->getHeader()->sendHttpHeaders();
37 ! Core
::isValid($_GET['url'])
38 ||
! preg_match('/^https:\/\/[^\n\r]*$/', $_GET['url'])
39 ||
! Core
::isAllowedDomain($_GET['url'])
41 Core
::sendHeaderLocation('./');
43 // JavaScript redirection is necessary. Because if header() is used
44 // then web browser sometimes does not change the HTTP_REFERER
45 // field and so with old URL as Referer, token also goes to
47 $template = $containerBuilder->get('template');
48 echo $template->render('javascript/redirect', [
49 'url' => Sanitize
::escapeJsString($_GET['url']),
51 // Display redirecting msg on screen.
52 // Do not display the value of $_GET['url'] to avoid showing injected content
53 echo __('Taking you to the target site.');