I've got this code on my page:
header("Location: $page");
$page is passed to the script as a GET variable, do I need any security? (if so what)
This is a code injection vulnerability by the book. The user can enter any value he wants and your script will obey without any complaints.
But one of the most important rules – if not the most important rule – is:
Never trust the user data!
So you should check what value has been passed and validate it. Even though a header injection vulnerability was fixed with PHP 4.4.2 and 5.1.2 respectively, you can still enter any valid URI and the user who calls it would be redirected to it. Even something as cryptic as ?page=%68%74%74%70%3a%2f%2f%65%76%69%6c%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d%2f, which is the URL-encoded form of ?page=http://evil.example.com/.
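One way to do the validation the answer calls for, as an added example that is not part of the original question or answer: accept only site-relative paths or absolute URLs whose host is on an allowlist, and fall back to a fixed page otherwise. The function name `safe_redirect_target`, the `ALLOWED_HOSTS` list, the host `www.example.org` and the `/` fallback are assumptions made for illustration.

```php
<?php
// Hypothetical allowlist: the hosts this site is willing to redirect to.
const ALLOWED_HOSTS = ['www.example.org'];

function safe_redirect_target($page, string $fallback = '/'): string
{
    // $_GET values arrive already URL-decoded, so the %68%74%74%70... form and
    // the plain http://... form are the same string here. Reject non-strings
    // (?page[]=x), control characters (CR/LF would split the header) and
    // backslashes (some browsers treat "\" like "/").
    if (!is_string($page) || $page === '' || preg_match('/[\x00-\x1F\x7F\\\\]/', $page)) {
        return $fallback;
    }
    // Site-relative path: one leading slash only ("//host" is protocol-relative).
    if ($page[0] === '/' && substr($page, 0, 2) !== '//') {
        return $page;
    }
    // Absolute URL: http(s) only, no userinfo, host must be on the allowlist.
    $parts = parse_url($page);
    if ($parts !== false
        && isset($parts['scheme'], $parts['host'])
        && !isset($parts['user'])
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return $page;
    }
    return $fallback;
}

// Constructed sample inputs. The second is what PHP hands the script for the
// URL-encoded query string quoted in the answer.
$samples = [
    '/account/settings',
    urldecode('%68%74%74%70%3a%2f%2f%65%76%69%6c%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d%2f'),
    '//evil.example.com/',
    "/ok\r\nX-Injected: 1",
    'https://www.example.org/help',
];
foreach ($samples as $s) {
    printf("%-48s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), safe_redirect_target($s));
}
// In the script itself:
//   header('Location: ' . safe_redirect_target($_GET['page'] ?? ''));
//   exit;
```

Only the first and last samples are returned unchanged; the other three resolve to the fallback.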