From 68c10bce609f4ec6860c0a541824cc4c0d6d50e7 Mon Sep 17 00:00:00 2001
From: Sebastien Ros
Date: Tue, 24 Jan 2017 08:50:12 -0800
Subject: [PATCH] Improving IsLocalUrl
---
 .../Extensions/HttpRequestExtensionsTests.cs | 18 +++++++++++++++++-
 .../Extensions/HttpRequestExtensions.cs | 8 ++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/src/Orchard.Tests/Utility/Extensions/HttpRequestExtensionsTests.cs b/src/Orchard.Tests/Utility/Extensions/HttpRequestExtensionsTests.cs
index e3fc3934a..f3b934bd0 100644
--- a/src/Orchard.Tests/Utility/Extensions/HttpRequestExtensionsTests.cs
+++ b/src/Orchard.Tests/Utility/Extensions/HttpRequestExtensionsTests.cs
@@ -6,7 +6,7 @@ using Orchard.Utility.Extensions;
 namespace Orchard.Tests.Utility.Extensions {
 [TestFixture]
 public class HttpRequestExtensionsTests {
-
+
 [Test]
 public void IsLocalUrlShouldReturnFalseWhenUrlIsNullOrEmpty() {
 var request = new StubHttpRequest();
@@ -21,6 +21,7 @@ namespace Orchard.Tests.Utility.Extensions {
 var request = new StubHttpRequest();
 Assert.That(request.IsLocalUrl("//"), Is.False);
+ Assert.That(request.IsLocalUrl(" //"), Is.False);
 }
 [Test]
@@ -28,6 +29,7 @@ namespace Orchard.Tests.Utility.Extensions {
 var request = new StubHttpRequest();
 Assert.That(request.IsLocalUrl("/\\"), Is.False);
+ Assert.That(request.IsLocalUrl(" /\\"), Is.False);
 }
 [Test]
@@ -35,6 +37,7 @@ namespace Orchard.Tests.Utility.Extensions {
 var request = new StubHttpRequest();
 Assert.That(request.IsLocalUrl("/"), Is.True);
+ Assert.That(request.IsLocalUrl("\t/"), Is.True);
 Assert.That(request.IsLocalUrl("/контакты"), Is.True);
 Assert.That(request.IsLocalUrl("/ "), Is.True);
 Assert.That(request.IsLocalUrl("/abc-def"), Is.True);
@@ -48,6 +51,19 @@ namespace Orchard.Tests.Utility.Extensions {
 Assert.That(request.IsLocalUrl("http://localhost"), Is.True);
 }
+ [Test]
+ public void IsLocalUrlShouldReturnFalseForNonHttpSchemes() {
+ var request = new StubHttpRequest();
+ request.Headers.Add("Host", "localhost");
+
+ Assert.That(request.IsLocalUrl("http://localhost"), Is.True);
+ Assert.That(request.IsLocalUrl("https://localhost"), Is.True);
+ Assert.That(request.IsLocalUrl("httpx://localhost"), Is.True);
+ Assert.That(request.IsLocalUrl("foo://localhost"), Is.True);
+ Assert.That(request.IsLocalUrl("data://localhost"), Is.True);
+ Assert.That(request.IsLocalUrl("data://localhost"), Is.True);
+ }
+
 [Test]
 public void IsLocalUrlShouldReturnFalseWhenAuthoritiesDiffer() {
 var request = new StubHttpRequest();
diff --git a/src/Orchard/Utility/Extensions/HttpRequestExtensions.cs b/src/Orchard/Utility/Extensions/HttpRequestExtensions.cs
index 589ecc302..b550c5023 100644
--- a/src/Orchard/Utility/Extensions/HttpRequestExtensions.cs
+++ b/src/Orchard/Utility/Extensions/HttpRequestExtensions.cs
@@ -72,6 +72,8 @@ namespace Orchard.Utility.Extensions {
 return false;
 }
+ url = url.Trim();
+
 if (url.StartsWith("~/")) {
 return true;
 }
@@ -88,6 +90,12 @@ namespace Orchard.Utility.Extensions {
 // at this point, check for an fully qualified url
 try {
 var uri = new Uri(url);
+
+ if (!uri.Scheme.Equals(Uri.UriSchemeHttp, StringComparison.OrdinalIgnoreCase)
+ && !uri.Scheme.Equals(Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase)) {
+ return false;
+ }
+
 if (uri.Authority.Equals(request.Headers["Host"], StringComparison.OrdinalIgnoreCase)) {
 return true;
 }
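Review bot: The new test `IsLocalUrlShouldReturnFalseForNonHttpSchemes` asserts `Is.True` for `httpx://localhost`, `foo://localhost` and `data://localhost`, which contradicts both its name and the scheme check this same commit adds to IsLocalUrl. With `Host` set to `localhost`, those three URLs should now be rejected, so the test should either fail or pin the opposite of the intended behaviour. The non-http assertions should read `Assert.That(request.IsLocalUrl("foo://localhost"), Is.False);` and likewise for `httpx` and `data`. The `data://localhost` assertion is also duplicated; drop one copy or replace it with another scheme.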
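Review bot: `url = url.Trim();` strips only leading and trailing whitespace, so the `//` and `/\` prefix checks that follow still operate on a value that may carry tab or line-break characters further in, and the caller keeps its own untrimmed string. Since this result presumably gates redirects, consider rejecting such input right after the trim with `if (url.IndexOfAny(new[] { '\t', '\r', '\n' }) >= 0) { return false; }`, and add a comment such as `// all checks below run on the trimmed value`. The guard above the trim starts outside the hunk; if it is `IsNullOrEmpty`, a whitespace-only value now continues as an empty string, and a test for that case would pin the outcome.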
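Review bot: The added scheme check has no comment, and the existing one above the `try` only says a fully qualified url is being checked, so the reason for the new early `return false` is not recorded. A line such as `// only http and https targets can be local; any other scheme is rejected even if the authority matches the Host header` would make the intent explicit next to the authority comparison. The `try` block continues past the hunk, so its `catch` and the final return are not visible here.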