如何避免HTTP标头注入(新行字符) [英] How to avoid HTTP Header Injection (new lines characters)
问题描述
我有时会在php函数中使用用户数据 header
,如下所示:
I sometimes use user data in php function header
like this :
header('Location : test' . $user_data);
我曾经删除 \ n
和 \ r
以防止标头注入,但是还有其他新行字符吗?我在我的示例中写了 Location
,但它可能是其他内容,我知道我必须验证并清理URL,我的问题是关于标题中的新行。
I used to remove \n
and \r
to prevent header injection but is there any other new lines characters ? I wrote Location
in my example, but it can be something else, I know I have to validate and sanitize URL, my question is about new lines in header.
推荐答案
引用文档:
(自4.4.2和5.1.2开始)此功能现在防止一次发送多个
标头作为防止标头注入
攻击的保护。
(since 4.4.2 and 5.1.2) This function now prevents more than one header to be sent at once as a protection against header injection attacks.
所以我想即使你已经做过的CRLF替换也没有必要。
So I suppose even that CRLF replacement you've already did is not necessary.
这篇关于如何避免HTTP标头注入(新行字符)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!