Updates login controller to not accept non-local redirect URLs

This commit is contained in:
Niels Hartvig
2016-12-19 10:44:22 +01:00
parent a058f26462
commit da27108d0d


@@ -11,11 +11,11 @@ namespace Umbraco.Web.Controllers
public class UmbLoginController : SurfaceController
{
[HttpPost]
public ActionResult HandleLogin([Bind(Prefix="loginModel")]LoginModel model)
public ActionResult HandleLogin([Bind(Prefix = "loginModel")]LoginModel model)
{
if (ModelState.IsValid == false)
{
return CurrentUmbracoPage();
return CurrentUmbracoPage();
}
if (Members.Login(model.Username, model.Password) == false)
@@ -30,11 +30,20 @@ namespace Umbraco.Web.Controllers
//if there is a specified path to redirect to then use it
if (model.RedirectUrl.IsNullOrWhiteSpace() == false)
{
return Redirect(model.RedirectUrl);
// validate the redirect url
if (Url.IsLocalUrl(model.RedirectUrl))
{
return Redirect(model.RedirectUrl);
}
else
{
// if it's not a local url we'll redirect to the root of the current site
return Redirect(base.CurrentPage.Site().Url);
}
}
//redirect to current page by default
return RedirectToCurrentUmbracoPage();
//return RedirectToCurrentUmbracoUrl();
}
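Review bot: The `else` branch in the second hunk discards a non-local `RedirectUrl` without recording it, so open-redirect probes against this endpoint (`//evil.example`, absolute URLs) leave no trace for monitoring. I would log the rejected value before the fallback, e.g. `LogHelper.Warn<UmbLoginController>("Rejected non-local redirect url: " + model.RedirectUrl);`, assuming Umbraco.Core.Logging.LogHelper is reachable from this controller. `Url.IsLocalUrl` is the right primitive here (in MVC 4/5 it accepts only `/`- or `~/`-rooted paths and rejects `//` and `/\` prefixes as well as absolute URLs), but the fallback goes to the site root while the no-RedirectUrl path a few lines later goes to the current page; if that difference is intended, the comment should say so, e.g. `// intentionally falls back to the site root rather than RedirectToCurrentUmbracoPage()`. HandleLogin's signature is in the first hunk, outside this one.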