kocoded/oqtane.framework
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security improvement - ensure returnurl is a relativre path

Browse Source
This commit is contained in:
sbwalker 2023-12-12 15:54:52 -05:00
parent e34b1b54d5
commit 3c7633564f
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
Oqtane.Client/UI/SiteRouter.razor
View File

@ -105,11 +105,18 @@
Route route = new Route(_absoluteUri, SiteState.Alias.Path); Route route = new Route(_absoluteUri, SiteState.Alias.Path);
int moduleid = (int.TryParse(route.ModuleId, out moduleid)) ? moduleid : -1; int moduleid = (int.TryParse(route.ModuleId, out moduleid)) ? moduleid : -1;
var action = (!string.IsNullOrEmpty(route.Action)) ? route.Action : Constants.DefaultAction; var action = (!string.IsNullOrEmpty(route.Action)) ? route.Action : Constants.DefaultAction;
var querystring = Utilities.ParseQueryString(route.Query); var querystring = Utilities.ParseQueryString(route.Query);
var returnurl = ""; var returnurl = "";
if (querystring.ContainsKey("returnurl")) if (querystring.ContainsKey("returnurl"))
{ {
returnurl = WebUtility.UrlDecode(querystring["returnurl"]); returnurl = WebUtility.UrlDecode(querystring["returnurl"]);
if (!returnurl.StartsWith("/"))
{
// urls which are not relative are vulnerable to open redirects or XSS
returnurl = "";
querystring["returnurl"] = "";
}
} }
// reload the client application from the server if there is a forced reload // reload the client application from the server if there is a forced reload