url.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * URL redirector to avoid leaking Referer with some sensitive information.
   5  *
   6  * @package PhpMyAdmin
   7  */
   8 use PMA\libraries\Sanitize;
   9
  10 /**
  11  * Gets core libraries and defines some variables
  12  */
  13 define('PMA_MINIMUM_COMMON', true);
  14 require_once './libraries/common.inc.php';
  15
  16 if (! PMA_isValid($_REQUEST['url'])
  17     || ! preg_match('/^https?:\/\/[^\n\r]*$/', $_REQUEST['url'])
  18     || ! PMA_isAllowedDomain($_REQUEST['url'])
  19 ) {
  20     header('Location: ./');
  21 } else {
  22     // JavaScript redirection is necessary. Because if header() is used
  23     //  then web browser sometimes does not change the HTTP_REFERER
  24     //  field and so with old URL as Referer, token also goes to
  25     //  external site.
  26     echo "<script type='text/javascript'>
  27             window.onload=function(){
  28                 window.location='" , Sanitize::escapeJsString($_REQUEST['url']) , "';
  29             }
  30         </script>";
  31     // Display redirecting msg on screen.
  32     // Do not display the value of $_REQUEST['url'] to avoid showing injected content
  33     echo __('Taking you to the target site.');
  34 }
  35 die();