Check ReturnUrl is valid before redirecting
Posted by Josh on Stack Overflow
Published on 2010-02-19T23:40:49Z
Indexed on 2010/04/06 6:03 UTC
Tags: asp.net-membership | ASP.NET
I'm using ASP.NET Membership and Form Authentication and before redirecting to the returnURL I wanted to validate it. For those unfamiliar with the workflow, basically if you request a page that requires that you are authenticated, you are redirected to a login page. In the URL string you'll see a parameter called returnURL, e.g. http://example.com/login.aspx?ReturnUrl=%2fprotected%2fdefault.aspx
Whether you use this in a redirect such as Response.Redirect(returnURL) or indirectly through the FormsAuthentication.RedirectFromLoginPage method, it passes without validating returnURL. FormsAuthentication.RedirectFromLoginPage does have a security check that it isn't leaving the domain, but that still doesn't stop someone from putting in enough random characters to cause an error.
I tried using System.IO.File.Exists(Server.MapPath(returnURL)), but given enough illegal characters it causes Server.MapPath to error.
Note: URLEncoding doesn't work because we are not cleaning a parameter, but the primary URL.
Any other suggestions for validating or cleaning the returnURL value?
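One defensive approach, added here as an illustration and not taken from the question or from ASP.NET itself: rather than asking the file system whether the target exists (which is what drags Server.MapPath into the picture), accept only a same-site, application-relative path and fall back to a fixed default otherwise. The class name, the `DefaultUrl` constant and the usage sketch are assumptions for the example; the rejection rules (absolute URLs, protocol-relative `//host`, the `/\host` variant some browsers treat the same way, and control or whitespace characters) are the ones a practitioner would normally apply to an open-redirect check.

```csharp
// Added example (not from the original question): a ReturnUrl check for
// ASP.NET Forms Authentication that never touches Server.MapPath.
using System;

public static class ReturnUrlValidator
{
    // Hypothetical default landing page; adjust for your application.
    private const string DefaultUrl = "~/";

    // Returns true only for a same-site, application-relative URL such as
    // "/protected/default.aspx" or "~/protected/default.aspx".
    // Rejects absolute URLs ("http://..."), protocol-relative URLs ("//host"),
    // the backslash variant ("/\host"), and any control or whitespace
    // character that could upset path mapping or the Location header.
    public static bool IsLocalUrl(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl))
            return false;

        foreach (char c in returnUrl)
        {
            if (char.IsControl(c) || char.IsWhiteSpace(c))
                return false;
        }

        // A single leading "/" that is not followed by "/" or "\".
        bool rootRelative = returnUrl[0] == '/'
            && (returnUrl.Length == 1
                || (returnUrl[1] != '/' && returnUrl[1] != '\\'));

        // An application-relative "~/" path.
        bool appRelative = returnUrl.Length > 1
            && returnUrl[0] == '~'
            && returnUrl[1] == '/';

        return rootRelative || appRelative;
    }

    // Chooses where to send the user after a successful login: the requested
    // ReturnUrl if it passes the check, otherwise the default page.
    public static string SafeReturnUrl(string returnUrl)
    {
        return IsLocalUrl(returnUrl) ? returnUrl : DefaultUrl;
    }
}

// Usage sketch for a login page code-behind, after the credentials have
// been verified (illustrative, not part of the original question):
//
//   string target = ReturnUrlValidator.SafeReturnUrl(Request.QueryString["ReturnUrl"]);
//   FormsAuthentication.SetAuthCookie(userName, false);
//   Response.Redirect(target, false);
```

With this in place the redirect target is one the application already controls, so a malformed or off-site value simply lands the user on the default page instead of producing an exception or an open redirect; a garbage-but-local path still yields an ordinary 404 from the normal pipeline, which is the outcome you want.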
© Stack Overflow or respective owner