I thought I would share this section of code I found in the Zend Framework. It truncates PHP_SELF at the first embedded newline in order to prevent unwanted content from being inserted into the headers.
// Carefully construct this value to avoid application security problems.
// strcspn() returns the length of the prefix that contains no CR or LF, so
// substr() keeps only what comes before the first newline; htmlentities()
// then escapes quotes and angle brackets.
$php_self = htmlentities(substr($_SERVER['PHP_SELF'], 0, strcspn($_SERVER['PHP_SELF'], "\n\r")), ENT_QUOTES);
header('Location: ' . $php_self);
The long and short of it is that if you include ANY unfiltered, unclean variables when you construct your header, you've opened a security hole.
Cleaning user-supplied variables is part of the basics. I just haven't been all that careful with the use of PHP_SELF before now.
To quote the Zend Documentation: "The treatment of the $php_self variable in the example above is a general security guideline [..] You should always filter content you output to http headers."
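As an added example (my own code, not the Zend Framework's), here is the same defence pulled into two small helpers, together with a few constructed PHP_SELF-style values so you can see what gets truncated and what merely gets escaped. The sample strings and function names are assumptions for illustration; PHP_SELF itself comes from the web server and is still untrusted input.

```php
<?php
// Added example, not Zend Framework code. The helpers below apply the same
// defence as the snippet above: cut the value at the first CR or LF, then
// HTML-escape it before it goes anywhere near a header.

/**
 * Return the part of $value before the first CR or LF, so the string can
 * never start a second header line when concatenated into a header.
 */
function truncate_at_newline(string $value): string
{
    return substr($value, 0, strcspn($value, "\r\n"));
}

/**
 * Build a header-safe value the way the Zend snippet does: truncate at the
 * first newline, then escape quotes and angle brackets with htmlentities().
 */
function safe_header_value(string $value): string
{
    return htmlentities(truncate_at_newline($value), ENT_QUOTES);
}

/**
 * Stricter alternative: refuse the value outright if it contains a newline.
 * Useful when a truncated redirect target is not acceptable either.
 */
function require_single_line(string $value): string
{
    if (strcspn($value, "\r\n") !== strlen($value)) {
        throw new InvalidArgumentException('header value contains a newline');
    }
    return $value;
}

// Constructed sample inputs (hypothetical PHP_SELF values, not real requests).
$samples = [
    '/index.php',
    "/index.php\r\nX-Injected: yes",           // embedded newline: truncated to /index.php
    '/index.php/<script>alert(1)</script>',    // no newline: kept, but escaped
];

foreach ($samples as $raw) {
    printf("%-45s => %s\n", json_encode($raw), safe_header_value($raw));
    try {
        require_single_line($raw);
        echo "  strict check: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "  strict check: rejected (" . $e->getMessage() . ")\n";
    }
}

// Usage in a real redirect (PHP_SELF is set by the web server, not trusted):
// header('Location: ' . safe_header_value($_SERVER['PHP_SELF']));
```

Run with `php example.php`: the first sample passes through unchanged, the second loses everything from the embedded CR/LF onward, and the third is kept but with its angle brackets converted to entities. The strict variant rejects the second sample instead of silently shortening it, which is the better choice when a redirect to a truncated path would itself be surprising. Note that since PHP 5.1.2, header() refuses to send more than one header per call as a defence against this class of injection, but filtering the value yourself still matters for anything that builds headers or response text through other paths.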
Just thought I would share…