Here is a simple way to detect external URLs:

```php
<?php
$url    = 'https://my-domain.com/demo/';
$domain = 'my-domain.com';

$internal = (
    false !== stripos( $url, '//' . $domain ) || // include "//my-domain.com" and "http://my-domain.com"
    stripos( $url, '.' . $domain ) ||            // include subdomains, like "www.my-domain.com". DANGEROUS (see below)!
    (
        0 !== strpos( $url, '//' ) &&            // exclude protocol-relative URLs, like "//example.com"
        0 === strpos( $url, '/' )                // include root-relative URLs, like "/demo"
    )
);
```
The above check treats both www.my-domain.com and my-domain.com as "internal".
Why this rule is dangerous:

The subdomain logic introduces a weakness that can be exploited: when an external URL contains your domain in its path, e.g. https://external.com/www.my-domain.com, it is treated as internal!
Safer code:

The problem can be eliminated by dropping subdomain support (which I recommend):

```php
<?php
$url    = 'https://my-domain.com/demo/';
$domain = 'my-domain.com';

$internal = (
    false !== stripos( $url, '//' . $domain ) || // include "//my-domain.com" and "http://my-domain.com"
    (
        0 !== strpos( $url, '//' ) &&            // exclude protocol-relative URLs, like "//example.com"
        0 === strpos( $url, '/' )                // include root-relative URLs, like "/demo"
    )
);
```
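The path trick the answer describes (https://external.com/www.my-domain.com) exists because the check searches for the domain anywhere in the string. An added example, not from the answer above, that instead compares the host returned by parse_url() against the expected domain; it also goes beyond the answer's case and rejects lookalike hosts such as my-domain.com.evil.com, userinfo tricks such as https://my-domain.com@evil.com/, and non-http schemes. The function name is_internal_url() and the sample URLs are constructed for this illustration:

```php
<?php
declare(strict_types=1);

/**
 * Return true when $url points at $domain or one of its subdomains, or is a
 * root-relative path. The decision is made on the parsed host, never on a
 * substring search over the whole URL.
 */
function is_internal_url(string $url, string $domain): bool
{
    $domain = strtolower(rtrim($domain, '.'));

    // Browsers treat "\" like "/" in http(s) URLs, so "/\evil.com" is really
    // the protocol-relative "//evil.com". Normalise before parsing so that
    // parse_url() sees the same authority a browser would.
    $url = str_replace('\\', '/', $url);

    $parts = parse_url($url);
    if ($parts === false) {
        return false;                                   // unparsable: do not trust it
    }

    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== '' && $scheme !== 'http' && $scheme !== 'https') {
        return false;                                   // javascript:, data:, mailto: ... are never internal
    }

    if (!isset($parts['host'])) {
        // No authority present. Accept only a root-relative path such as "/demo",
        // and only when no scheme was given ("http:/x" becomes a host in a browser).
        $path = $parts['path'] ?? '';
        return $scheme === '' && substr($path, 0, 1) === '/';
    }

    // parse_url() puts "my-domain.com" from "https://my-domain.com@evil.com/"
    // into 'user', so 'host' is the real destination.
    $host = strtolower(rtrim($parts['host'], '.'));
    if ($host === $domain) {
        return true;
    }

    // Subdomain match requires a dot boundary: "www.my-domain.com" passes,
    // "evilmy-domain.com" and "my-domain.com.evil.com" do not.
    $suffix = '.' . $domain;
    return substr($host, -strlen($suffix)) === $suffix;
}

// Constructed sample inputs for a quick self-check.
$domain = 'my-domain.com';
$cases = [
    'https://my-domain.com/demo/'                 => true,
    'https://WWW.My-Domain.com/x'                 => true,
    '//my-domain.com/path'                        => true,
    '/demo'                                       => true,
    'https://external.com/www.my-domain.com'      => false, // domain only in the path
    'https://my-domain.com.evil.com/'             => false, // lookalike host
    'https://evilmy-domain.com/'                  => false, // no dot boundary
    'https://my-domain.com@evil.com/'             => false, // userinfo trick
    '//example.com'                               => false, // protocol-relative, other host
    '/\\evil.com'                                 => false, // backslash protocol-relative
    'javascript:alert(1)'                         => false,
];

foreach ($cases as $url => $expected) {
    $got = is_internal_url($url, $domain);
    printf("%-45s %s\n", $url, $got === $expected ? 'ok' : 'MISMATCH');
}
```

Every row prints "ok" when run with PHP 7.4 or later. If you need subdomains to be external (as the answer's second snippet intends), drop the suffix comparison and keep only the exact-host test.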
$site == 'abc.com' ?) - Apolo