I have a short URL website where I only allow users to create short URLs from one specific website. Some people have been trying to abuse this by using @ in between URLs when shortening URLs to make bad redirects. If you try, let's say, to enter "https://idg.se@stackoverflow.com" you will end up at stackoverflow and not idg.se. Try to paste "https://idg.se@stackoverflow.com" without the "" into your browser and see what happens.

So the problem is that people are now shortening "https://example.com@malware.com" and I want a way to stop this, which would be not allowing them to use @.

Currently I have tried to copy my function for the valid URL to check if there is an @ in there, and currently I only end up with "Invalid Character in the URL" whatever I am entering into the form to create a short URL.

Anyone got any ideas how to get this to work? Basically I do not want anyone to be able to use @.

FUNCTIONS

function DenySpeciallCharacters($url)
{
    $strAllow2 = 'example.com';
    $strBase2  = getBaseUrl($url);
    // '@' is not a valid pattern (no regex delimiters), so preg_match() emits a
    // warning and returns false for every input; the third argument is also the
    // $matches output array, not a second subject. Because the result is always
    // false, this function returns true for every URL.
    if(preg_match('@', $url, $strAllow2) === false)
    {
        return true;
    }
    // no else branch: returns null when the pattern does match
}

function denyNonValidUrl($url)
{
    $strAllow = 'example.com';
    $strBase  = getBaseUrl($url);
    // Substring check only: passes as long as 'example.com' appears anywhere
    // in the string, so "https://example.com@malware.com" is accepted.
    if(strpos($url, $strAllow) === false)
    {
        return true;
    }
}

INDEX FILE

if (!isErrors())

//do not allow special characters
elseif(DenySpeciallCharacters($longUrl) )
{
    setError("Invalid Character in the URL");
}
Michael
  • What does that mean, “you will end up at stackoverflow and now idg.se”? – deceze Mar 16 '21 at 12:34
  • What have you tried so far? Where **exactly** are you stuck? Why not simple check whether an `@` occurs? – Nico Haase Mar 16 '21 at 12:34
  • From your description it's hard to follow what exactly is not working here. Maybe you can clarify this. What is the current behaviour, what is the expected behaviour and what is the error you are seeing? The only thing I noticed is that the variable `$longUrl` is not defined in the loop, this might cause some issues. – Christoph Mar 16 '21 at 12:36
  • Try to paste "https://idg.se@stackoverflow.com" without the "" into your browser and you will see what happens. – Michael Mar 16 '21 at 12:45
  • Then I'm at stackoverflow.com… – deceze Mar 16 '21 at 12:46
  • And that is how people abuse the URL shortener. They shorten "https://example.com@malware.com" to get people redirected to a bad site. – Michael Mar 16 '21 at 12:49
  • An @ in the URL's host is the official syntax to embed *authentication credentials* into the URL. So you could send someone the link `http://user:password@example.com`. It's a legit feature. You could of course prevent that, but that also limits the usability of your service in some way. Users only see the shortened URL anyway, no? What difference does it make to them what the long URL is? – deceze Mar 16 '21 at 12:51
  • So, if you want to forbid the usage of `@` in the URL, why not do it? How to do this is asked pretty often – Nico Haase Mar 16 '21 at 12:54
  • Does https://stackoverflow.com/questions/4366730/how-do-i-check-if-a-string-contains-a-specific-word help? – Nico Haase Mar 16 '21 at 12:54

1 Answer

Modify the function

function DenySpeciallCharacters($url){
    // strpos() returns the offset of the first '@' (which may be 0) or false
    // when there is none, so the result must be compared with !== false
    if(strpos($url,'@') !== false){
        return true;
    }else{
        return false;
    }
}

The strpos function checks for the occurrence of the @ in the URL string, and if it is found the condition returns true.

Majid Ali
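A host-based check, as an added example that is not part of the question or the answer (the `isAllowedLongUrl` name, the allowlist and the sample URLs are assumptions): it parses the URL and compares the host itself, so the `@` userinfo trick, lookalike domains and non-HTTP schemes are all rejected rather than only the `@` character.

```php
<?php
// Added example, not the asker's or the answerer's code. The allowlist and
// the sample inputs below are constructed for illustration.

function isAllowedLongUrl(string $url, array $allowedHosts): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // unparseable or relative URL: nothing to redirect to
    }
    // Only http(s) destinations; rejects javascript:, data:, file: and so on
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // "https://example.com@malware.com" parses as user=example.com and
    // host=malware.com; a shortener has no reason to carry credentials
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // Exact host comparison instead of strpos(): "example.com.evil.test"
    // contains the allowed name but is a different host
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

// Constructed allowlist and sample URLs with the expected verdict for each
$allowed = ['example.com', 'www.example.com'];
$samples = [
    'https://example.com/page'                 => true,
    'https://example.com@malware.com/'         => false,
    'https://idg.se@stackoverflow.com'         => false,
    'https://example.com.evil.test/'           => false,
    'http://www.example.com/?next=example.com' => true,
    'javascript:alert(1)'                      => false,
];
foreach ($samples as $url => $expected) {
    $ok = isAllowedLongUrl($url, $allowed);
    printf("%-45s %s\n", $url, $ok === $expected ? 'ok' : 'MISMATCH');
}
```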