From 71d990504ee583204b76f45e7bf6d336b5e04882 Mon Sep 17 00:00:00 2001 From: Johan Runsten Date: Sat, 29 Jul 2023 17:47:43 +0200 Subject: [PATCH] Fix incorrect redirectUrl check with external authentication (#14198) (#14423) * Fix check local redirect url * Removed line break * Small adjustment --------- Co-authored-by: Laura Neto <12862535+lauraneto@users.noreply.github.com> --- .../Controllers/BackOfficeController.cs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/Umbraco.Web.BackOffice/Controllers/BackOfficeController.cs b/src/Umbraco.Web.BackOffice/Controllers/BackOfficeController.cs
index bd63b51711..9cabd97dd6 100644
--- a/src/Umbraco.Web.BackOffice/Controllers/BackOfficeController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/BackOfficeController.cs
@@ -329,7 +329,9 @@ public class BackOfficeController : UmbracoController
 [AllowAnonymous]
 public ActionResult ExternalLogin(string provider, string? redirectUrl = null)
 {
- if (redirectUrl == null || Uri.TryCreate(redirectUrl, UriKind.Absolute, out _))
+ // Only relative urls are accepted as redirect url
+ // We can't simply use Uri.TryCreate with kind Absolute, as in Linux any relative url would be seen as an absolute file uri
+ if (redirectUrl == null || !Uri.TryCreate(redirectUrl, UriKind.RelativeOrAbsolute, out Uri? redirectUri) || redirectUri.IsAbsoluteUri)
 {
 redirectUrl = Url.Action(nameof(Default), this.GetControllerName());
 }
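Review bot: The new condition on the `if` in `ExternalLogin` accepts any value that `Uri.TryCreate(..., UriKind.RelativeOrAbsolute, ...)` parses as relative, which is not the same as "stays on this site": values beginning with `//` or `/\` may be parsed as relative (most likely on the Linux path the added comment describes) while a browser resolves them to another host. Because `redirectUrl` arrives on an `[AllowAnonymous]` action, I would use the framework's local-URL check instead, `if (redirectUrl == null || !Url.IsLocalUrl(redirectUrl))`, which rejects those forms as well as absolute URLs. `IsLocalUrl` also rejects relative values that do not start with `/` or `~/`, so confirm no caller depends on those. The method body continues outside the hunk, so where `redirectUrl` is finally consumed is not visible here; a unit test covering `//host`, `/\host` and an absolute URL, run on both Windows and Linux, would pin the intended behaviour.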