Merge pull request BlogEngine#208 from irbishop/CVE-2019-10721

Restrict returnUrl to local pages
Wanrick · Apr 23, 2019 · a4e5c3d · a4e5c3d
2 parents 3a293d6 + e841a60
commit a4e5c3d
Showing 1 changed file with 14 additions and 4 deletions.
diff --git a/BlogEngine/BlogEngine.Core/Services/Security/Security.cs b/BlogEngine/BlogEngine.Core/Services/Security/Security.cs
@@ -185,10 +185,7 @@ public static bool AuthenticateUser(string username, string password, bool remem
                     string returnUrl = context.Request.QueryString["returnUrl"];
 
                     // ignore Return URLs not beginning with a forward slash, such as remote sites.
-                    if (string.IsNullOrWhiteSpace(returnUrl) || !returnUrl.StartsWith("/"))
-                        returnUrl = null;
-
-                    if (!string.IsNullOrWhiteSpace(returnUrl))
+                    if (Security.IsLocalUrl(returnUrl))
                     {
                         context.Response.Redirect(returnUrl);
                     }
@@ -204,6 +201,19 @@ public static bool AuthenticateUser(string username, string password, bool remem
             return false;
         }
 
+        private static bool IsLocalUrl(string url)
+        {
+            if (string.IsNullOrWhiteSpace(url))
+            {
+                return false;
+            }
+            else
+            {
+                return ((url[0] == '/' && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'))) || // "/" or "/foo" but not "//" or "/\" 
+						(url.Length > 1 && url[0] == '~' && url[1] == '/')); // "~/" or "~/foo"
+            }
+        }
+
         private const string AUTH_TKT_USERDATA_DELIMITER = "-|-";
 
         private static string SecurityValidationKey