From 4bfc8722ad6bc7797da5f020852065c7d8d0452e Mon Sep 17 00:00:00 2001
From: Andrew Brown
Date: Fri, 31 Oct 2025 15:49:21 -0500
Subject: [PATCH] allow disabling the use of the "referer" header
this change will allow disabling use of the "referer" header when generating a "previous" URL. to maintain backwards compatibility it by default enabled. while the risk is small, headers can be manipulated by things like MITM attacks, so we shouldn't rely on unvalidated user input to control our redirect.
---
 config/app.php | 2 ++
 src/Illuminate/Routing/UrlGenerator.php | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/config/app.php b/config/app.php
index 1ced8bef0a14..458cfc898dd6 100644
--- a/config/app.php
+++ b/config/app.php
@@ -61,6 +61,8 @@
 'asset_url' => env('ASSET_URL'),
+ 'allow_referer_header' => true,
+
 /*
 |--------------------------------------------------------------------------
 | Application Timezone
diff --git a/src/Illuminate/Routing/UrlGenerator.php b/src/Illuminate/Routing/UrlGenerator.php
index 4808c1c0a89e..c04b47d0fa2a 100755
--- a/src/Illuminate/Routing/UrlGenerator.php
+++ b/src/Illuminate/Routing/UrlGenerator.php
@@ -161,7 +161,9 @@ public function current()
 */
 public function previous($fallback = false)
 {
- $referrer = $this->request->headers->get('referer');
+ $referrer = config('app.allow_referer_header', true)
+ ? $this->request->headers->get('referer')
+ : null;
 $url = $referrer ? $this->to($referrer) : $this->getPreviousUrlFromSession();
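Review bot: The new `'allow_referer_header'` entry is the only option in this part of config/app.php without the explanatory comment block its neighbours carry (the `| Application Timezone` header follows it), so someone reading the published config cannot tell what disabling it does or why they might want to. A block in the same style, headed `| Referer Header`, saying that when false UrlGenerator::previous() ignores the request's Referer header and falls back to the previous URL stored in the session, and that this exists because the header is client-controlled, would document both the behaviour and the hardening motivation from the commit message. It may also be worth reading the value through `env()` like the adjacent `'asset_url'` entry, e.g. `'allow_referer_header' => env('ALLOW_REFERER_HEADER', true),` (variable name illustrative), so deployments can opt out without editing the file; that is a judgement call for the maintainers.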
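Review bot: Even with the switch left on, the Referer value is still passed straight to `$this->to($referrer)` with no check, so the new option only lets an application opt out entirely rather than addressing the unvalidated-input concern stated in the commit message; a middle ground that keeps the default behaviour for same-origin navigation is to use the header only when its host matches the current request's host and otherwise fall back to the session URL, as in the block below (whether a Referer with no host component should be accepted is a policy choice — the version below drops it). The docblock ending at the ` */` context line above `previous()` is not updated either; a line such as `The Referer header is consulted only when app.allow_referer_header is true.` belongs there. Calling the global `config()` helper inside this class presumably relies on the container being bound, so if UrlGenerator is ever constructed standalone (for instance in unit tests) that call would fail — worth confirming against the existing tests. The remainder of previous() continues outside the hunk.
```php
$referrer = config('app.allow_referer_header', true)
    ? $this->request->headers->get('referer')
    : null;

// Only trust the header for same-host navigation; anything else uses the session copy.
if ($referrer !== null && parse_url($referrer, PHP_URL_HOST) !== $this->request->getHost()) {
    $referrer = null;
}

// … unchanged: $url = $referrer ? $this->to($referrer) : $this->getPreviousUrlFromSession(); …
```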