See the public_get_suggest_keyword function:
/phpcms/modules/search/index.php
[Php]
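public function public_get_suggest_keyword() {
    // The target URL is built directly from request parameters
    $url = $_GET['url'].'&q='.$_GET['q'];
    // Fetched as-is; @ suppresses any error output
    $res = @file_get_contents($url);
    if (CHARSET != 'gbk') {
        $res = iconv('gbk', CHARSET, $res);
    }
    // The fetched content is returned to the client
    echo $res;
}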
[Php]
$url = $_GET['url'].'&q='.$_GET['q'];
The url parameter is not checked against any whitelist, and it is passed into the code without any filtering.
[Php]
$res = @file_get_contents($url);
In addition, if a large file is created and fetched through this function, it can directly crash the server.
After searching around the code base, this function is only used in one piece of JavaScript:
[Javascript]
$(document).ready(function () {
    $("#q").suggest("?m=search&c=index&a=public_get_suggest_keyword&url=" + encodeURIComponent('http://www.google.cn/complete/search?hl=zh-CN&q=' + $("#q").val()), {
        onSelect: function () {
            alert(this.value);
        }
    });
});
Warning:
1. Parameters passed in from the request must be filtered for security.
2. If you perform URL and path operations, you must perform path filtering.
3. I don't know how to stop using @file_get_contents.
4. A domain name whitelist must be implemented in the above case.
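
One way to apply points 1, 2 and 4 to this function, as an added example rather than PHPCMS code or an official patch. The allow-list contents, the byte cap, the timeout and the helper names `suggest_url_is_allowed` and `fetch_suggestions` are assumptions; the charset conversion is left out.

```php
<?php
// Added example, not PHPCMS code. Host list and limits are assumed values.
const SUGGEST_ALLOWED_HOSTS = ['www.google.cn']; // the only host the page's JS uses
const SUGGEST_MAX_BYTES     = 65536;             // cap on bytes read from the upstream

function suggest_url_is_allowed(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // malformed input, relative paths, anything without a host
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // only web schemes; local and wrapper schemes are refused
    }
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return false; // no embedded credentials, no non-default ports
    }
    return in_array(strtolower($parts['host']), SUGGEST_ALLOWED_HOSTS, true);
}

function fetch_suggestions(string $url, string $q): string
{
    if (!suggest_url_is_allowed($url)) {
        return '';
    }
    // Encode q instead of concatenating it raw into the URL.
    $sep    = (strpos($url, '?') === false) ? '?' : '&';
    $target = $url . $sep . 'q=' . rawurlencode($q);
    // Short timeout; redirects are not followed, so the upstream cannot
    // bounce the request to a host outside the allow-list.
    $ctx = stream_context_create(['http' => ['timeout' => 3, 'follow_location' => 0]]);
    // No @: failures are handled explicitly. The length argument bounds memory use.
    $res = file_get_contents($target, false, $ctx, 0, SUGGEST_MAX_BYTES);
    return $res === false ? '' : $res;
}

// Constructed inputs for an offline check: only the first one is allowed.
$samples = [
    'http://www.google.cn/complete/search?hl=zh-CN',
    'file:///some/local/path',
    '/some/local/path',
    'http://127.0.0.1/',
    'http://www.google.cn@internal.example/',
];
foreach ($samples as $u) {
    printf("%-46s %s\n", $u, suggest_url_is_allowed($u) ? 'allowed' : 'blocked');
}
```

Matching on the hostname alone does not cover an allow-listed name that resolves to an internal address; where that matters, resolve the host and check the address as well before fetching.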