From 3f4fa8b8ed9dad0a105a0fe3d051a45d3cfa83b8 Mon Sep 17 00:00:00 2001
From: Shannon
Date: Thu, 21 Aug 2014 14:39:06 -0600
Subject: [PATCH] Fixes: U4-5380 Booting.aspx security issue
---
 src/umbraco.cms/helpers/url.cs | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/umbraco.cms/helpers/url.cs b/src/umbraco.cms/helpers/url.cs
index 0e344412f7..6518715be3 100644
--- a/src/umbraco.cms/helpers/url.cs
+++ b/src/umbraco.cms/helpers/url.cs
@@ -50,7 +56,13 @@ namespace umbraco.cms.helpers
 if (Uri.TryCreate(callerUrl, UriKind.RelativeOrAbsolute, out localUri))
 {
 // check for local urls
- if (!requestUri.IsAbsoluteUri || requestUri.Host == localUri.Host)
+
+ //Cannot start with // since that is not a local url
+ if (!requestUri.OriginalString.StartsWith("//") //cannot be non-absolute and also contain the char : since that will indicate a protocol
+ && (!requestUri.IsAbsoluteUri && !requestUri.OriginalString.Contains(":")) //needs to be non-absolute or the hosts must match the current request
+ && (!requestUri.IsAbsoluteUri || requestUri.Host == localUri.Host))
 {
 return true;
 }
@@ -61,6 +67,13 @@ namespace umbraco.cms.helpers
 throw new ArgumentException("CallerUrl is in a wrong format that couldn't be parsed as a valid URI. If you don't want to evaluate for local urls, but just proxy urls then leave callerUrl empty", "callerUrl");
 }
 }
+
+ //we cannot continue if the url is not absolute
+ if (!requestUri.IsAbsoluteUri)
+ {
+ return false;
+ }
+
 // check for valid proxy urls
 var feedProxyXml = XmlHelper.OpenAsXmlDocument(IOHelper.MapPath(SystemFiles.FeedProxyConfig));
 if (feedProxyXml != null &&
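Review bot: In the first hunk the "hosts must match the current request" alternative in the third clause is unreachable, because the second clause already requires `!requestUri.IsAbsoluteUri` — an absolute same-host URL now always fails the local check, which contradicts the comment written above that clause. If that tightening is intended, drop the third clause and its comment so the condition says what it does; if same-host absolute URLs should remain local, the second clause needs to become `&& (requestUri.IsAbsoluteUri || !requestUri.OriginalString.Contains(":"))` so the `:` rule only applies to relative inputs. The `StartsWith("//")` guard is also culture-sensitive and does not cover the backslash form browsers normalise to `//` (e.g. `/\evil.example`), which likely passes all three clauses and would matter if this value ends up in a redirect; prefer `StartsWith("//", StringComparison.Ordinal)` and additionally reject a leading `/\` (or any backslash) in `OriginalString`. The enclosing method begins before the first hunk and continues after the second.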