
check to avoid tricky redirects

1 parent 4a9d409 commit b6f157e3ab4e9a4716f24c515f370f8a56d4f1c6 @friism friism committed
Showing with 9 additions and 3 deletions.
  1. +9 −3 AuthenticationExample.Web/Controllers/SessionController.cs
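--- a/AuthenticationExample.Web/Controllers/SessionController.cs
+++ b/AuthenticationExample.Web/Controllers/SessionController.cs
@@ -1,4 +1,5 @@
-using System.Linq;
+using System;
+using System.Linq;
 using System.Web.Mvc;
 using AppHarbor.Web.Security;
 using AuthenticationExample.Web.Model;
@@ -48,9 +49,14 @@ public ActionResult Create(SessionViewModel sessionViewModel)
 if (ModelState.IsValid)
 {
 _authenticator.SetCookie(user.Username);
-if (!string.IsNullOrEmpty(sessionViewModel.ReturnUrl))
+var returnUrl = sessionViewModel.ReturnUrl;
+if (!string.IsNullOrEmpty(returnUrl))
 {
-return Redirect(sessionViewModel.ReturnUrl);
+var returnUri = new Uri(returnUrl);
+if (!returnUri.IsAbsoluteUri || returnUri.Host == Request.Url.Host)
+{
+return Redirect(sessionViewModel.ReturnUrl);
+}
 }
 return RedirectToAction("Index", "Home");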
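Review bot: `new Uri(returnUrl)` on the `var returnUri` line uses the default UriKind.Absolute, so a relative ReturnUrl such as `/home` throws UriFormatException before `!returnUri.IsAbsoluteUri` is ever evaluated; that branch is unreachable, and local return URLs that redirected before this commit now fail the request instead. Prefer the framework check and drop the Uri parsing: `if (Url.IsLocalUrl(returnUrl)) { return Redirect(returnUrl); }` — that helper exists from ASP.NET MVC 3 on (the MVC version is not visible on the page) and also rejects protocol-relative values that a relaxed Uri parse would classify as "relative". If the host comparison is kept instead, parse with `Uri.TryCreate(returnUrl, UriKind.RelativeOrAbsolute, out returnUri)` and treat a parse failure as a non-local URL that falls through to the Home redirect. The redirect line still reads `sessionViewModel.ReturnUrl` although the `returnUrl` local was introduced just above it. The Create method begins before the hunk and, judging by the hunk header's line counts, continues past it.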
