PHP redirect with Range (byte-serving) passthrough - php

I have some PHP code which frequently serves page redirects to clients via the header('Location: x') function. The header redirect works fine; I have no output before the Header function, and the user is successfully redirected to the new page. Some of the clients that connect have HTTP byte range requests tied to them, with the intent to only grab a certain portion of the requesting file that I redirect to.
I need to preserve this range request when sending to the new site; the site I redirect to should also see the range info in their headers, and be able to correctly process the user's request.
I understand that I can see the byte range that they're requesting in my PHP code by looking at $_SERVER['HTTP_RANGE'], but I'm unable to think of a way to pass this range to the redirecting site in their headers. I'm pretty sure trying to implement via the header function is wrong, since it will set the headers of my own page. Instead, I need to be able to set the headers that are sent to the page that I'm redirecting to.
Does anybody have any ideas on how to implement this?

If you don't actually need to redirect the user to another site, but just need to give them content from another site, you might want to use cURL functions to where you can set the Content-Range header on the request, get the result, and then serve it up to the end user.
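A sketch of the proxy approach from the answer above, added here as an example and not part of the original posts: the script forwards the client's `Range` request header to a fixed upstream and relays the status and range-related response headers. `UPSTREAM_URL`, `validated_range()` and `relay()` are hypothetical names; the upstream address is a placeholder.

```php
<?php
// Added example: UPSTREAM_URL is a placeholder, fixed in code and never taken from the request.
const UPSTREAM_URL = 'https://files.example.com/archive.bin';

// Return the client's Range value only if it is well-formed byte-range syntax.
function validated_range($raw): ?string
{
    $spec = '(?:\d+-\d*|-\d+)';   // "0-499", "500-" or "-500"
    $re = '/^bytes=' . $spec . '(?:[ \t]*,[ \t]*' . $spec . ')*$/D';
    return (is_string($raw) && strlen($raw) <= 200 && preg_match($re, $raw) === 1) ? $raw : null;
}

// Fetch the upstream resource with the validated Range and stream it to the client.
function relay(string $upstream, ?string $range): void
{
    $relayed = ['content-type', 'content-length', 'content-range', 'accept-ranges'];
    $ch = curl_init($upstream);
    curl_setopt_array($ch, [
        CURLOPT_HTTPHEADER     => $range === null ? [] : ['Range: ' . $range],
        CURLOPT_FOLLOWLOCATION => false,            // do not chase upstream redirects
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // no file://, gopher:// and so on
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_HEADERFUNCTION => function ($ch, $line) use ($relayed) {
            if (preg_match('#^HTTP/\S+ (\d{3})#', $line, $m)) {
                // Pass through only the statuses a range-capable download produces.
                http_response_code(in_array($m[1], ['200', '206', '416'], true) ? (int) $m[1] : 502);
            } elseif (strpos($line, ':') !== false) {
                [$name, $value] = explode(':', $line, 2);
                if (in_array(strtolower(trim($name)), $relayed, true)) {
                    header(trim($name) . ': ' . trim($value));
                }
            }
            return strlen($line);                   // tell cURL the line was consumed
        },
        CURLOPT_WRITEFUNCTION  => function ($ch, $chunk) {
            echo $chunk;                            // stream the body, no buffering in memory
            return strlen($chunk);
        },
    ]);
    if (curl_exec($ch) === false && !headers_sent()) {
        http_response_code(502);
    }
}

if (PHP_SAPI !== 'cli') {
    // A malformed Range is dropped, so the upstream returns the full resource.
    relay(UPSTREAM_URL, validated_range($_SERVER['HTTP_RANGE'] ?? null));
}
```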

Related

Restrict the requests coming to my webpage based on their url in PHP

I have to restrict the users accessing my webpage based on the url from where the request is coming to my webpage. I am able to get the url from where the request is coming using
$_SERVER['HTTP_REFERER']
As I know, HTTP_REFERER is a header which is sent by the client; most browsers' default behavior is to send it, but users can disable it or even send a different referer header. So is there any way to do proper validation of requests based on their URL?
Unfortunately, if the user has set the browser to modify the referrer header, there's no way for PHP to discern whether or not the request has come from a certain website.
Blocking traffic from a URL, although easy to do, cannot ever be 100% accurate.

PHP: Forward user to external site with post variables

I have a form that users post to, but now this form is going to be handled on a website external to my application.
I have tried using Location and curl and can not manage to get any of these to function correctly. My goal is to take the $_POST from my form and redirect the user to the external website posting the values.
Is this possible without using an html form and javascript to submit it?
Sending the Location header like that will generate a HTTP 302 response to tell the browser to go elsewhere, however, this will cause the browser to retry with a GET request.
If you want to redirect with the original method and parameters, you need to send code 307 or 308, depending on whether the redirect should be considered temporary or permanent. You can do this in PHP using http_response_code, e.g.
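http_response_code(308);
// Location needs an absolute URL; without a scheme it is treated as a relative path.
header("Location: https://www.google.com/");
exit;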

How to create a redirect?

How do I create a php which redirects with use of the URL. I.e. - Redirect-To.com/Change.php?=Google.com Then goes to google etc
I'm wanting to create a php page where a user goes to
Redirect-To.com/Change.php?=Google.com
or
Redirect-To.com/Change.php?=Youtube.com
or
Redirect-To.com/Change.php?=Yahoo.com
Then the visited page redirects to Google or whatever page is after ?=
This is basically what URL shorteners do, except they lookup the destination from a database and probably store some tracking information.
Check out the header function that lets you set HTTP headers. You want to set a 302 redirect, which means moved temporarily, and a Location header to set the new location.
http://php.net/manual/en/function.header.php
header('HTTP/1.1 302 Moved Temporarily');
// $newLocation holds the destination URL.
header('Location: ' . $newLocation);
301 is another common redirect code, but it means "Moved Permanently" and a lot of browsers will cache that status and not hit your website if the person clicks your link again.
The HTTP spec says you should give the full URL with the redirect, though most browsers will work without it.
You may also want to white list destinations; a user might follow a link to your site and be redirected to a site owned by a malicious third party. Thinking they were in the confines of your site, they may enter information or perform actions allowing the third party to gain access to their data.
In the URL, values without keys will be ignored, so you should write:
...change.php/?redirect=http://www.google.com
Then you can access the "redirect to" address with $_GET['redirect'].
To redirect to a given address, you can use the Location header (make sure nothing is sent to the output before calling the function):
header('Location: ' . $_GET['redirect']);
You have to start the redirecting URL with "http(s)://" like I wrote above.
If you want to stop the script (as it does not stop immediately after the redirect function), you have to call the die() or the exit() function.
(If a shorter URL is better for you, the URL can be just ...change.php/?http://www.google.com, then you can access the address with $_SERVER['QUERY_STRING'].)
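The white-listing advice from the answers above, as an added example that is not part of the original posts: the `redirect` parameter is parsed, checked against an exact list of hosts, and rebuilt before it reaches the `Location` header. `ALLOWED_HOSTS` and `safe_destination()` are hypothetical names, and the host list and sample inputs are constructed.

```php
<?php
// Added example: the host list is constructed; use the destinations you actually serve.
const ALLOWED_HOSTS = ['www.google.com', 'www.youtube.com', 'www.yahoo.com'];

// Return a rebuilt https URL if $raw points at an allowed host, otherwise null.
function safe_destination($raw): ?string
{
    if (!is_string($raw) || strlen($raw) > 2048 || preg_match('/[\x00-\x20\x7f\\\\]/', $raw)) {
        return null;                 // arrays, control characters, CR/LF, spaces, backslashes
    }
    $p = parse_url($raw);
    if ($p === false || isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return null;                 // malformed, or userinfo/port used to disguise the host
    }
    if (strtolower($p['scheme'] ?? '') !== 'https') {
        return null;                 // scheme-less and non-https values are refused
    }
    $host = strtolower($p['host'] ?? '');
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;                 // exact match only, no suffix or substring matching
    }
    // Rebuild from the parsed parts so only validated pieces reach the header.
    $url = 'https://' . $host . ($p['path'] ?? '/');
    return isset($p['query']) ? $url . '?' . $p['query'] : $url;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: the first is accepted, the rest are rejected.
    $samples = [
        'https://www.youtube.com/watch?v=abc',
        'http://www.google.com/',
        'https://www.google.com.lookalike.example/',
        'https://www.google.com@other.example/',
        'Google.com',
    ];
    foreach ($samples as $s) {
        printf("%-45s => %s\n", $s, safe_destination($s) ?? 'REJECTED');
    }
} else {
    $dest = safe_destination($_GET['redirect'] ?? null);
    if ($dest === null) {
        http_response_code(400);
        exit('Unknown redirect destination');
    }
    header('Location: ' . $dest, true, 302);
    exit;                            // stop the script once the redirect is sent
}
```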

Do dynamic web pages always contain content-length field in HTTP header?

Do dynamic pages like CGI, PHP, ASP, SSI always contain a Content-Length field in the HTTP headers? If not, why? Please provide links to webpages hosted on servers which don't include the Content-Length field in the headers. I want to see it first hand.
Per RFC 2616:
In HTTP, it SHOULD be sent whenever the message's length can be determined prior to being transferred,
It is often the case that the length cannot be determined beforehand. If you want to check out headers, try curl -I http://www.example.com. You'll quickly see that some sites do and some sites don't.
I think that pages do not always need to send their content-length.
From the browser side, if the browser knows the content-length it can show the loading bar, or else it just waits to see the "end of the file". If you send a file, it is better to send the content-length, or else the user cannot see this loading bar and can't be sure that the file is fully loaded. But if you just have a page, the browser just loads until it gets to the end.
The reason is that some pages can create their content while they send their data to the client. This way the user does not need to wait too long to see the first data coming.
This Dogs page is an example. Also, Amazon did not send the content-length on most pages for the same reason.
The page flushes the data after finding the first item, and then flushes the data from time to time, so the user does not need to spend time waiting for the program to first find them all, then calculate the size of the page, and then start sending the data.

How can I hide $_SERVER['HTTP_REFERER']

How can I hide $_SERVER['HTTP_REFERER'] when a user browses to another site via a link from my site?
You can't, you have no control over the headers that are sent to another site. Headers are sent from the browser, to the site being navigated. This means you cannot manipulate them in any way (short of a MITM attack).
You could redirect the user to the site via an intermediary proxy, but that proxy will become the new referrer. e.g.
Your Link -> Proxy -> End result
Not only should this generally not be done, but it is not possible, at least in the way you are describing. It is up to the client to decide what to send in the request headers to a different server, not you.
I should also point out that this has nothing to do with PHP. PHP makes this header variable accessible to you via $_SERVER['HTTP_REFERER'], but the problem you are trying to solve is preventing the client from sending the referrer URL to the next server.
A few options:
If your site utilizes HTTPS, then it won't be sent.
If you build a redirector script on your site and use the HTTP Refresh header, the browser will typically not send the referrer, and if it did, you would only be sending the URL of your redirector. For example:
http://www.yoursite.com/redir.php?url=http%3A%2F%2Fwww.google.com
<?php
if (isset($_GET['url'])) {
    header("Refresh: 0; " . $_GET['url']);
}
?>
Now, you must be careful with this little script. Anyone could then use your site to make a redirect look like it was coming from you. Also, using this method, anyone can inject whatever headers they want to the client. This is just to give you an idea. Finally, using the refresh header for this goes against the grain of the standards and should not be done.
Finally, Google, Facebook, PayPal, etc. all have redirector scripts. They use some sort of encrypted hash on the URL to determine if they generated the redirect or not. If you don't specify that hash and just give the URL, then the user will be prompted before redirecting. Not friendly.
Look, the bottom line is, there isn't really a reason to do what you are doing. If you are trying to hide something in your URL, then you have bigger problems. Security through obscurity is bad, mmkay?
If you're working in a controlled (intranet, say) environment, you might benefit from fixing browser configs; see e.g. http://cafe.elharo.com/privacy/privacy-tip-3-block-referer-headers-in-firefox/ but this is far from ideal.
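One way a redirector can tell whether it generated a link, as the answer above describes for large sites, added here as an example and not part of the original posts or any of those sites' code: the destination is authenticated with an HMAC, and links without a valid signature are refused. `REDIRECT_KEY`, `sign_url()`, `make_redirect_link()` and `verify_redirect()` are hypothetical names; the key is a placeholder and the use of HMAC-SHA256 is an assumption.

```php
<?php
// Added example: REDIRECT_KEY is a placeholder; load a random secret from configuration.
const REDIRECT_KEY = 'replace-with-a-random-secret-from-config';

// MAC over the exact destination string.
function sign_url(string $url, string $key): string
{
    return hash_hmac('sha256', $url, $key);
}

// Build a link to the redirector that carries the destination and its signature.
function make_redirect_link(string $url, string $key): string
{
    return '/redir.php?' . http_build_query(['url' => $url, 'sig' => sign_url($url, $key)]);
}

// True only if $sig was produced with our key for exactly this URL.
function verify_redirect($url, $sig, string $key): bool
{
    return is_string($url) && is_string($sig)
        && preg_match('#^https?://[^\s]+$#D', $url) === 1   // absolute URL, no whitespace or CR/LF
        && hash_equals(sign_url($url, $key), $sig);         // constant-time comparison
}

if (PHP_SAPI === 'cli') {
    // Constructed round trip: a link we generated verifies, a swapped destination does not.
    $link = make_redirect_link('http://www.google.com', REDIRECT_KEY);
    parse_str(parse_url($link, PHP_URL_QUERY), $q);
    echo $link, "\n";
    var_dump(verify_redirect($q['url'], $q['sig'], REDIRECT_KEY));
    var_dump(verify_redirect('http://other.example/', $q['sig'], REDIRECT_KEY));
} else {
    $url = $_GET['url'] ?? null;
    if (verify_redirect($url, $_GET['sig'] ?? null, REDIRECT_KEY)) {
        header('Location: ' . $url, true, 302);
    } else {
        http_response_code(400);
        echo 'This link was not generated by this site.';
    }
    exit;
}
```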
