Improving IsLocalUrl

2025-07-15 10:34:34 +08:00 · 2017-01-24 08:50:12 -08:00 · 2017-01-24 08:50:12 -08:00 · 68c10bce60
commit 68c10bce60
parent 8bd74c947e
2 changed files with 25 additions and 1 deletions
--- a/src/Orchard.Tests/Utility/Extensions/HttpRequestExtensionsTests.cs
+++ b/src/Orchard.Tests/Utility/Extensions/HttpRequestExtensionsTests.cs
@ -6,7 +6,7 @@ using Orchard.Utility.Extensions;
 namespace Orchard.Tests.Utility.Extensions {
    [TestFixture]
    public class HttpRequestExtensionsTests {
-    
+
        [Test]
        public void IsLocalUrlShouldReturnFalseWhenUrlIsNullOrEmpty() {
            var request = new StubHttpRequest();
@ -21,6 +21,7 @@ namespace Orchard.Tests.Utility.Extensions {
            var request = new StubHttpRequest();

            Assert.That(request.IsLocalUrl("//"), Is.False);
+            Assert.That(request.IsLocalUrl("  //"), Is.False);
        }

        [Test]
@ -28,6 +29,7 @@ namespace Orchard.Tests.Utility.Extensions {
            var request = new StubHttpRequest();

            Assert.That(request.IsLocalUrl("/\\"), Is.False);
+            Assert.That(request.IsLocalUrl(" /\\"), Is.False);
        }

        [Test]
@ -35,6 +37,7 @@ namespace Orchard.Tests.Utility.Extensions {
            var request = new StubHttpRequest();

            Assert.That(request.IsLocalUrl("/"), Is.True);
+            Assert.That(request.IsLocalUrl("\t/"), Is.True);
            Assert.That(request.IsLocalUrl("/контакты"), Is.True);
            Assert.That(request.IsLocalUrl("/  "), Is.True);
            Assert.That(request.IsLocalUrl("/abc-def"), Is.True);
@ -48,6 +51,19 @@ namespace Orchard.Tests.Utility.Extensions {
            Assert.That(request.IsLocalUrl("http://localhost"), Is.True);
        }

+        [Test]
+        public void IsLocalUrlShouldReturnFalseForNonHttpSchemes() {
+            var request = new StubHttpRequest();
+            request.Headers.Add("Host", "localhost");
+
+            Assert.That(request.IsLocalUrl("http://localhost"), Is.True);
+            Assert.That(request.IsLocalUrl("https://localhost"), Is.True);
+            Assert.That(request.IsLocalUrl("httpx://localhost"), Is.True);
+            Assert.That(request.IsLocalUrl("foo://localhost"), Is.True);
+            Assert.That(request.IsLocalUrl("data://localhost"), Is.True);
+            Assert.That(request.IsLocalUrl("data://localhost"), Is.True);
+        }
+
        [Test]
        public void IsLocalUrlShouldReturnFalseWhenAuthoritiesDiffer() {
            var request = new StubHttpRequest();
--- a/src/Orchard/Utility/Extensions/HttpRequestExtensions.cs
+++ b/src/Orchard/Utility/Extensions/HttpRequestExtensions.cs
@ -72,6 +72,8 @@ namespace Orchard.Utility.Extensions {
                return false;
            }

+            url = url.Trim();
+
            if (url.StartsWith("~/")) {
                return true;
            }
@ -88,6 +90,12 @@ namespace Orchard.Utility.Extensions {
            // at this point, check for an fully qualified url
            try {
                var uri = new Uri(url);
+
+                if (!uri.Scheme.Equals(Uri.UriSchemeHttp, StringComparison.OrdinalIgnoreCase)
+                    && !uri.Scheme.Equals(Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase)) {
+                    return false;
+                }
+
                if (uri.Authority.Equals(request.Headers["Host"], StringComparison.OrdinalIgnoreCase)) {
                    return true;
                }