header location: $_SERVER["PHP_SELF"] security vulnerability

I thought I would share this section of code I found in the Zend Framework. It truncates PHP_SELF at the first embedded newline (CR or LF) so that an attacker-controlled value cannot end the header and inject additional lines into the HTTP response.

// Carefully construct this value to avoid application security problems.
$php_self = htmlentities(substr($_SERVER['PHP_SELF'], 0, strcspn($_SERVER['PHP_SELF'], "\n\r")), ENT_QUOTES);

header('Location: ' . $php_self);

The long and short of it is that if you include ANY unfiltered, unclean variables when you construct your header, you’ve opened a security hole.

Cleaning user-supplied variables is part of the basics. I just haven't been all that careful with the use of PHP_SELF before now.

To quote the Zend Documentation: "The treatment of the $php_self variable in the example above is a general security guideline [..] You should always filter content you output to http headers."
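To show the filtering step on its own, here is an added example (my code, not the Zend Framework's) that wraps the strcspn() truncation in a helper, runs it over constructed sample values, and then builds the redirect from the cleaned path; the helper names and the sample strings are my own.

```php
<?php
// Added example: filter an untrusted value before it is placed in an HTTP header.

/**
 * Return $value cut off at the first CR or LF. A header value that contains a
 * line break would otherwise terminate the header and let whatever follows be
 * interpreted as a new header line (response splitting / header injection).
 */
function header_safe(string $value): string
{
    return substr($value, 0, strcspn($value, "\r\n"));
}

/**
 * Build a Location header value from a PHP_SELF-style path: truncate at any
 * line break, then percent-encode each path segment so the result is a URL
 * path rather than an HTML-escaped string (htmlentities() would turn '&' into
 * '&amp;', which is wrong inside a URL).
 */
function location_from_path(string $path): string
{
    $segments = explode('/', header_safe($path));
    return implode('/', array_map('rawurlencode', $segments));
}

// Constructed sample inputs: a normal script path, and one carrying a CRLF
// followed by text that would be read as a second header if passed through.
$samples = [
    '/app/index.php',
    "/app/index.php\r\nSet-Cookie: session=injected",
    '/app/index.php/extra path?x=1&y=2',
];

foreach ($samples as $raw) {
    printf("raw:      %s\nlocation: %s\n\n",
        addcslashes($raw, "\r\n"), location_from_path($raw));
}

// In a web request, redirect only to the sanitised value. The guard keeps the
// script runnable from the command line, where header() has no effect.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    header('Location: ' . location_from_path($_SERVER['PHP_SELF'] ?? '/'));
}
```

Since PHP 5.1.2, header() itself refuses to send a value containing a newline, so this filtering is defence in depth rather than the only barrier; the percent-encoding matters because PHP_SELF can carry user-controlled path info after the script name.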

Just thought I would share…
