Fixes U4-1485 Booting.aspx has potential Open Redirect flaw

2013-01-17 08:38:09 -01:00
parent 816afe5abc
commit 5f1e327e4a
2 changed files with 76 additions and 26 deletions
--- a/src/Umbraco.Web.UI/config/splashes/booting.aspx
+++ b/src/Umbraco.Web.UI/config/splashes/booting.aspx
@@ -1,15 +1,23 @@
 <%@ Page Language="C#" AutoEventWireup="true" Inherits="System.Web.UI.Page" %>

+<%
+    // NH: Adds this inline check to avoid a simple codebehind file in the legacy project!
+    if (!umbraco.cms.helpers.url.ValidateProxyUrl(Request["url"], Request.Url.AbsoluteUri))
+    {
+        throw new ArgumentException("Can't redirect to the requested url - it's not local or an approved proxy url",
+                                    "url");
+    }
+%>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" >
+<html xmlns="http://www.w3.org/1999/xhtml">
 <head>
    <title>The website is restarting</title>
-    <META HTTP-EQUIV=REFRESH CONTENT="10; URL=<%=Request["url"] %>">
+    <meta http-equiv="REFRESH" content="10; URL=<%=Request["url"] %>">
 </head>
 <body>
    <h1>The website is restarting</h1>
    <p>Please wait for 10s while we prepare to serve the page you have requested...</p>
-    
+
    <p style="border-top: 1px solid #ccc; padding-top: 10px;">
        <small>You can modify the design of this page by editing /config/splashes/booting.aspx</small>
    </p>
--- a/src/umbraco.cms/helpers/url.cs
+++ b/src/umbraco.cms/helpers/url.cs
@@ -1,30 +1,31 @@
 using System;
 using System.Xml;
 using System.Text.RegularExpressions;
+using umbraco.IO;

 namespace umbraco.cms.helpers
 {
-	/// <summary>
-	/// Summary description for url.
-	/// </summary>
-	public class url
-	{
-		public url()
-		{
-			//
-			// TODO: Add constructor logic here
-			//
-		}
+    /// <summary>
+    /// Summary description for url.
+    /// </summary>
+    public class url
+    {
+        public url()
+        {
+            //
+            // TODO: Add constructor logic here
+            //
+        }

-		public static string FormatUrl(string url) 
-		{
-			string _newUrl = url;
-			XmlNode replaceChars = UmbracoSettings.UrlReplaceCharacters;
-			foreach (XmlNode n in replaceChars.SelectNodes("char")) 
-			{
-				if (n.Attributes.GetNamedItem("org") != null && n.Attributes.GetNamedItem("org").Value != "")
-					_newUrl = _newUrl.Replace(n.Attributes.GetNamedItem("org").Value,xmlHelper.GetNodeValue(n)); 
-			}
+        public static string FormatUrl(string url)
+        {
+            string _newUrl = url;
+            XmlNode replaceChars = UmbracoSettings.UrlReplaceCharacters;
+            foreach (XmlNode n in replaceChars.SelectNodes("char"))
+            {
+                if (n.Attributes.GetNamedItem("org") != null && n.Attributes.GetNamedItem("org").Value != "")
+                    _newUrl = _newUrl.Replace(n.Attributes.GetNamedItem("org").Value, xmlHelper.GetNodeValue(n));
+            }

            // check for double dashes
            if (UmbracoSettings.RemoveDoubleDashesFromUrlReplacing)
@@ -32,8 +33,49 @@ namespace umbraco.cms.helpers
                _newUrl = Regex.Replace(_newUrl, @"[-]{2,}", "-");
            }

-			return _newUrl;
-		}
+            return _newUrl;
+        }

-	}
+        /// <summary>
+        /// Utility method for checking for valid proxy urls or redirect urls to prevent Open Redirect security issues
+        /// </summary>
+        /// <param name="url">The url to validate</param>
+        /// <param name="callerUrl">The url of the current local domain (to ensure we can validate if the requested url is local without dependency on the request)</param>
+        /// <returns>True if it's an allowed url</returns>
+        public static bool ValidateProxyUrl(string url, string callerUrl)
+        {
+            Uri requestUri;
+            Uri localUri;
+            if (Uri.TryCreate(url, UriKind.RelativeOrAbsolute, out requestUri))
+            {
+                if (!String.IsNullOrEmpty(callerUrl))
+                {
+                    if (Uri.TryCreate(callerUrl, UriKind.RelativeOrAbsolute, out localUri))
+                    {
+                        // check for local urls
+                        if (!requestUri.IsAbsoluteUri || requestUri.Host == localUri.Host)
+                        {
+                            return true;
+                        }
+                    }
+                    else
+                    {
+                        throw new ArgumentException("CallerUrl is in a wrong format that couldn't be parsed as a valid URI. If you don't want to evaluate for local urls, but just proxy urls then leave callerUrl empty", "callerUrl");
+                    }
+                }
+                // check for valid proxy urls
+                var feedProxyXml = xmlHelper.OpenAsXmlDocument(IOHelper.MapPath(SystemFiles.FeedProxyConfig));
+                if (feedProxyXml != null &&
+                    feedProxyXml.SelectSingleNode(string.Concat("//allow[@host = '", requestUri.Host, "']")) != null)
+                {
+                    return true;
+                }
+            } else
+            {
+                throw new ArgumentException("url is in a wrong format that couldn't be parsed as a valid URI", "url");
+                
+            }
+            return false;
+        }
+    }
 }