From da27108d0d82655d7ec3757859e76690986bceae Mon Sep 17 00:00:00 2001
From: Niels Hartvig
Date: Mon, 19 Dec 2016 10:44:22 +0100
Subject: [PATCH] Updates login controller to not accept non local urls

---
 .../Controllers/UmbLoginController.cs | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/Umbraco.Web/Controllers/UmbLoginController.cs b/src/Umbraco.Web/Controllers/UmbLoginController.cs
index e86e48a18b..d446df5683 100644
--- a/src/Umbraco.Web/Controllers/UmbLoginController.cs
+++ b/src/Umbraco.Web/Controllers/UmbLoginController.cs
@@ -11,11 +11,11 @@ namespace Umbraco.Web.Controllers
     public class UmbLoginController : SurfaceController
     {
         [HttpPost]
-        public ActionResult HandleLogin([Bind(Prefix="loginModel")]LoginModel model)
+        public ActionResult HandleLogin([Bind(Prefix = "loginModel")]LoginModel model)
         {
             if (ModelState.IsValid == false)
             {
-                return CurrentUmbracoPage();
+                return CurrentUmbracoPage();
             }
 
             if (Members.Login(model.Username, model.Password) == false)
@@ -30,11 +30,20 @@ namespace Umbraco.Web.Controllers
             //if there is a specified path to redirect to then use it
             if (model.RedirectUrl.IsNullOrWhiteSpace() == false)
             {
-                return Redirect(model.RedirectUrl);
+                // validate the redirect url
+                if (Url.IsLocalUrl(model.RedirectUrl))
+                {
+                    return Redirect(model.RedirectUrl);
+                }
+                else
+                {
+                    // if it's not a local url we'll redirect to the root of the current site
+                    return Redirect(base.CurrentPage.Site().Url);
+                }
             }
 
             //redirect to current page by default
-
+
             return RedirectToCurrentUmbracoPage();
             //return RedirectToCurrentUmbracoUrl();
         }
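Review bot: The rejected-redirect branch in the second hunk (`return Redirect(base.CurrentPage.Site().Url);`) silently substitutes the site root, so a login form whose `RedirectUrl` hidden field has been tampered with to point off-site leaves no trace for operators; since `RedirectUrl` is attacker-controllable request input, a warning such as `LogHelper.Warn<UmbLoginController>("Rejected non-local RedirectUrl on login; redirecting to site root");` (from `Umbraco.Core.Logging`, if not already imported) before that `return` would make open-redirect probing visible in the logs without changing behaviour. `Url.IsLocalUrl` is the correct check here: MVC's `UrlHelper` implementation accepts only paths beginning with a single `/` or with `~/`, so protocol-relative forms like `//host` are rejected, and the surrounding `IsNullOrWhiteSpace` guard already covers the empty case. The new comment would be more useful as a why-comment, e.g. `// only allow same-site redirects; an absolute or protocol-relative RedirectUrl would make this an open redirect`. As a style point, the `else` after an unconditional `return` is redundant and the `base.` qualifier on `CurrentPage` adds nothing, so the fallback can sit directly after the `if` block. The enclosing `HandleLogin` method begins in the first hunk and its middle lies between the two hunks, outside this view.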