Fixes: U4-5380 Booting.aspx security issue

2014-08-21 14:39:06 -06:00
parent 3a4d0a02eb
commit 3f4fa8b8ed
1 changed files with 14 additions and 1 deletions
--- a/src/umbraco.cms/helpers/url.cs
+++ b/src/umbraco.cms/helpers/url.cs
@@ -50,7 +50,13 @@ namespace umbraco.cms.helpers
                    if (Uri.TryCreate(callerUrl, UriKind.RelativeOrAbsolute, out localUri))
                    {
                        // check for local urls
-                        if (!requestUri.IsAbsoluteUri || requestUri.Host == localUri.Host)
+
+                        //Cannot start with // since that is not a local url
+                        if (!requestUri.OriginalString.StartsWith("//")
+                            //cannot be non-absolute and also contain the char : since that will indicate a protocol
+                            && (!requestUri.IsAbsoluteUri && !requestUri.OriginalString.Contains(":"))
+                            //needs to be non-absolute or the hosts must match the current request
+                            && (!requestUri.IsAbsoluteUri || requestUri.Host == localUri.Host))
                        {
                            return true;
                        }
@@ -61,6 +67,13 @@ namespace umbraco.cms.helpers
                        throw new ArgumentException("CallerUrl is in a wrong format that couldn't be parsed as a valid URI. If you don't want to evaluate for local urls, but just proxy urls then leave callerUrl empty", "callerUrl");
                    }
                }
+
+                //we cannot continue if the url is not absolute
+                if (!requestUri.IsAbsoluteUri)
+                {
+                    return false;
+                }
+
                // check for valid proxy urls
                var feedProxyXml = XmlHelper.OpenAsXmlDocument(IOHelper.MapPath(SystemFiles.FeedProxyConfig));
                if (feedProxyXml != null &&