Skip to content
Snippets Groups Projects
Normal view History Permalink
l.php 857 B
Newer Older
Jared Hancock's avatar
Redirect URL clicks from within ticket viewing
Jared Hancock committed
1 2 3 4 5 6 7 
<?php
/*********************************************************************
    l.php

    Link redirection

    Jared Hancock <jared@osticket.com>
Peter Rotich's avatar
Update copyright (c) to 2013!  
Peter Rotich committed
8 
    Copyright (c)  2006-2013 osTicket
Jared Hancock's avatar
Redirect URL clicks from within ticket viewing
Jared Hancock committed
9 10 11 12 13 14 15 16 
    http://www.osticket.com

    Released under the GNU General Public License WITHOUT ANY WARRANTY.
    See LICENSE.TXT for details.

    vim: expandtab sw=4 ts=4 sts=4:
**********************************************************************/
require 'secure.inc.php';
Peter Rotich's avatar
Add CSRF ( and open redirect) protection  
Peter Rotich committed
17 
//Basic url validation + token check.
Jared Hancock's avatar
External URLs need to route through l.php  
Jared Hancock committed
18 19 20 21 22 23 24 25 26 27 

# PHP < 5.4.7 will not handle a URL like //host.tld/path correctly
if (!($url=trim($_GET['url'])))
    Http::response(422, 'Invalid URL');

$check = (strpos($url, '//') === 0) ? 'http:' . $url : $url;
if (!Validator::is_url($check) || !$ost->validateLinkToken($_GET['auth']))
    Http::response(403, 'URL link not authorized');
else
    Http::redirect($url);
Jared Hancock's avatar
Redirect URL clicks from within ticket viewing
Jared Hancock committed
28 
?>