README reworked
[phpmyadmin.git] / url.php
blob2ba85ddb1f2d0f73c2c150e2aa1081d0b60f032d
1 <?php
2 /**
3 * URL redirector to avoid leaking Referer with some sensitive information.
4 */
6 declare(strict_types=1);
8 use PhpMyAdmin\Core;
9 use PhpMyAdmin\DatabaseInterface;
10 use PhpMyAdmin\Response;
11 use PhpMyAdmin\Sanitize;
13 if (! defined('ROOT_PATH')) {
14 // phpcs:disable PSR1.Files.SideEffects
15 define('ROOT_PATH', __DIR__ . DIRECTORY_SEPARATOR);
16 // phpcs:enable
19 global $containerBuilder, $dbi;
21 // phpcs:disable PSR1.Files.SideEffects
22 define('PMA_MINIMUM_COMMON', true);
23 // phpcs:enable
25 require_once ROOT_PATH . 'libraries/common.inc.php';
27 // Load database service because services.php is not available here
28 $dbi = DatabaseInterface::load();
29 $containerBuilder->set(DatabaseInterface::class, $dbi);
31 // Only output the http headers
32 $response = Response::getInstance();
33 $response->getHeader()->sendHttpHeaders();
34 $response->disable();
36 if (! Core::isValid($_GET['url'])
37 || ! preg_match('/^https:\/\/[^\n\r]*$/', $_GET['url'])
38 || ! Core::isAllowedDomain($_GET['url'])
39 ) {
40 Core::sendHeaderLocation('./');
41 } else {
42 // JavaScript redirection is necessary. Because if header() is used
43 // then web browser sometimes does not change the HTTP_REFERER
44 // field and so with old URL as Referer, token also goes to
45 // external site.
46 $template = $containerBuilder->get('template');
47 echo $template->render('javascript/redirect', [
48 'url' => Sanitize::escapeJsString($_GET['url']),
49 ]);
50 // Display redirecting msg on screen.
51 // Do not display the value of $_GET['url'] to avoid showing injected content
52 echo __('Taking you to the target site.');
54 die;