Merge remote-tracking branch 'refs/remotes/origin/release/10.8' into v10/dev

# Conflicts: # version.json
2024-05-21 08:44:27 +02:00
parent 119fde2033 c17d4e1a60
commit 0ee0db8071
4 changed files with 111 additions and 3 deletions
--- a/src/Umbraco.Core/Routing/WebPath.cs
+++ b/src/Umbraco.Core/Routing/WebPath.cs
@@ -50,4 +50,28 @@ public class WebPath

        return sb.ToString();
    }
+
+
+    /// <summary>
+    /// Determines whether the provided web path is well-formed according to the specified UriKind.
+    /// </summary>
+    /// <param name="webPath">The web path to check. This can be null.</param>
+    /// <param name="uriKind">The kind of Uri (Absolute, Relative, or RelativeOrAbsolute).</param>
+    /// <returns>
+    /// true if <paramref name="webPath"/> is well-formed; otherwise, false.
+    /// </returns>
+    public static bool IsWellFormedWebPath(string? webPath, UriKind uriKind)
+    {
+        if (string.IsNullOrWhiteSpace(webPath))
+        {
+            return false;
+        }
+
+        if (webPath.StartsWith("//"))
+        {
+            return uriKind is not UriKind.Relative;
+        }
+
+        return Uri.IsWellFormedUriString(webPath, uriKind);
+    }
 }
--- a/src/Umbraco.Web.BackOffice/Controllers/ImagesController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/ImagesController.cs
@@ -7,6 +7,7 @@ using Umbraco.Cms.Core.Configuration.Models;
 using Umbraco.Cms.Core.IO;
 using Umbraco.Cms.Core.Media;
 using Umbraco.Cms.Core.Models;
+using Umbraco.Cms.Core.Routing;
 using Umbraco.Cms.Web.Common.Attributes;
 using Umbraco.Cms.Web.Common.DependencyInjection;
 using Umbraco.Extensions;
@@ -123,7 +124,7 @@ public class ImagesController : UmbracoAuthorizedApiController

    private bool IsAllowed(string encodedImagePath)
    {
-        if(Uri.IsWellFormedUriString(encodedImagePath, UriKind.Relative))
+        if(WebPath.IsWellFormedWebPath(encodedImagePath, UriKind.Relative))
        {
            return true;
        }
--- a/src/Umbraco.Web.BackOffice/Controllers/PreviewController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/PreviewController.cs
@@ -11,6 +11,7 @@ using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Models.Membership;
 using Umbraco.Cms.Core.Models.PublishedContent;
 using Umbraco.Cms.Core.PublishedCache;
+using Umbraco.Cms.Core.Routing;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Web;
@@ -152,8 +153,7 @@ public class PreviewController : Controller
        // Expire Client-side cookie that determines whether the user has accepted to be in Preview Mode when visiting the website.
        _cookieManager.ExpireCookie(Constants.Web.AcceptPreviewCookieName);

-        if (Uri.IsWellFormedUriString(redir, UriKind.Relative)
-            && redir.StartsWith("//") == false
+        if (WebPath.IsWellFormedWebPath(redir, UriKind.Relative)
            && Uri.TryCreate(redir, UriKind.Relative, out Uri? url))
        {
            return Redirect(url.ToString());