Merge pull request #3546 from sbwalker/dev

security improvement - ensure returnurl is a relativre path
2023-12-12 15:55:03 -05:00 · 2023-12-12 15:55:03 -05:00 · 53032140e7
commit 53032140e7
parent 43eae40404 3c7633564f
1 changed files with 7 additions and 0 deletions
--- a/Oqtane.Client/UI/SiteRouter.razor
+++ b/Oqtane.Client/UI/SiteRouter.razor
@ -105,11 +105,18 @@
        Route route = new Route(_absoluteUri, SiteState.Alias.Path);
        int moduleid = (int.TryParse(route.ModuleId, out moduleid)) ? moduleid : -1;
        var action = (!string.IsNullOrEmpty(route.Action)) ? route.Action : Constants.DefaultAction; 
+
        var querystring = Utilities.ParseQueryString(route.Query);
        var returnurl = "";
        if (querystring.ContainsKey("returnurl"))
        {
            returnurl = WebUtility.UrlDecode(querystring["returnurl"]);
+            if (!returnurl.StartsWith("/"))
+            {
+                // urls which are not relative are vulnerable to open redirects or XSS
+                returnurl = "";
+                querystring["returnurl"] = "";
+            }
        }

        // reload the client application from the server if there is a forced reload