security improvement - ensure returnurl is a relativre path

2023-12-12 15:54:52 -05:00
parent e34b1b54d5
commit 3c7633564f
1 changed files with 7 additions and 0 deletions
--- a/Oqtane.Client/UI/SiteRouter.razor
+++ b/Oqtane.Client/UI/SiteRouter.razor
@ -105,11 +105,18 @@
        Route route = new Route(_absoluteUri, SiteState.Alias.Path);
        int moduleid = (int.TryParse(route.ModuleId, out moduleid)) ? moduleid : -1;
        var action = (!string.IsNullOrEmpty(route.Action)) ? route.Action : Constants.DefaultAction; 
+
        var querystring = Utilities.ParseQueryString(route.Query);
        var returnurl = "";
        if (querystring.ContainsKey("returnurl"))
        {
            returnurl = WebUtility.UrlDecode(querystring["returnurl"]);
+            if (!returnurl.StartsWith("/"))
+            {
+                // urls which are not relative are vulnerable to open redirects or XSS
+                returnurl = "";
+                querystring["returnurl"] = "";
+            }
        }

        // reload the client application from the server if there is a forced reload