From c905fdd9b57002fd5565940bfc3a639ae1c97b0e Mon Sep 17 00:00:00 2001
From: Martin Bentancour
Date: Mon, 28 Feb 2022 23:59:18 +0100
Subject: [PATCH] Validate that imageUrl param is a relative path (#11606)

* Validate that imageUrl param is a relative path To prevent open redirects, the imagePath should point to a relative path (i.e. not point to a different domain). * LocalRedirectResult instead of RedirectResult Uri.Relative does not prevent paths like //google.com/test.jpg Checking for both relative and local seems to cover all the cases.
---
 .../Controllers/ImagesController.cs | 24 +++++++++++++++----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/src/Umbraco.Web.BackOffice/Controllers/ImagesController.cs b/src/Umbraco.Web.BackOffice/Controllers/ImagesController.cs
index 564d0dcdd9..a10d524c03 100644
--- a/src/Umbraco.Web.BackOffice/Controllers/ImagesController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/ImagesController.cs
@@ -54,12 +54,20 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
 public IActionResult GetResized(string imagePath, int width)
 {
 var ext = Path.GetExtension(imagePath);
-
+
+ // check if imagePath is local to prevent open redirect
+ if (!Uri.IsWellFormedUriString(imagePath, UriKind.Relative))
+ {
+ return Unauthorized();
+ }
+
 // we need to check if it is an image by extension
 if (_imageUrlGenerator.IsSupportedImageFormat(ext) == false)
+ {
 return NotFound();
-
- //redirect to ImageProcessor thumbnail with rnd generated from last modified time of original media file
+ }
+
+ // redirect to ImageProcessor thumbnail with rnd generated from last modified time of original media file
 DateTimeOffset? imageLastModified = null;
 try
 {
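Review bot: The guard `if (!Uri.IsWellFormedUriString(imagePath, UriKind.Relative))` added after `var ext = Path.GetExtension(imagePath);` does not establish that the path is local — the commit description itself notes that protocol-relative values pass a relative-URI check — so the comment `// check if imagePath is local to prevent open redirect` overstates what the line does, and the effective protection is the `Url.IsLocalUrl` test on the generated URL in the second hunk. `if (!Url.IsLocalUrl(imagePath)) { return BadRequest(); }` would apply the same rule at the input boundary, provided callers always pass root-relative paths (not visible here, worth confirming). `Unauthorized()` (401) is the wrong status both here and in the second hunk's `else` branch: credentials are not at issue, a rejected path is a client error, so `BadRequest()` fits and does not prompt an authentication challenge. Note also that `Uri.IsWellFormedUriString` rejects strings containing unescaped characters such as spaces, so a model-bound path already decoded from the query string could be refused for otherwise valid media names — worth checking against real media paths. GetResized's body continues past the end of the hunk.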
@@ -80,8 +88,14 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers
 ImageCropMode = ImageCropMode.Max,
 CacheBusterValue = rnd
 });
-
- return new RedirectResult(imageUrl, false);
+ if (Url.IsLocalUrl(imageUrl))
+ {
+ return new LocalRedirectResult(imageUrl, false);
+ }
+ else
+ {
+ return Unauthorized();
+ }
 }
 
 ///
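Review bot: The new `else` branch returning `Unauthorized()` when `Url.IsLocalUrl(imageUrl)` fails hides a configuration problem behind an auth status: `imageUrl` is produced by the server's own `_imageUrlGenerator.GetImageUrl` call (whose start lies above the hunk), so a non-local value means either the input slipped through or the configured generator emits absolute URLs. If any supported generator legitimately returns absolute URLs (a CDN- or blob-backed one, for instance — not visible here, worth confirming), every resize request for valid media will now fail with 401 and nothing records why; logging the rejection before returning would make the failure diagnosable. Stylistically, the `else` after an unconditional `return` is redundant; a guard clause `if (!Url.IsLocalUrl(imageUrl)) { return BadRequest(); }` followed by `return new LocalRedirectResult(imageUrl, false);` reads more directly. GetResized begins before this hunk.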