
Fix/redirect fix (#506)

* Redirect fix, Closes #505
Sebastian Stehle 6 years ago
committed by GitHub
parent
commit
af2e412e3c
  1. 53
      backend/src/Squidex.Web/UrlsOptions.cs
  2. 15
      backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs

53
backend/src/Squidex.Web/UrlsOptions.cs

@ -5,17 +5,66 @@
// All rights reserved. Licensed under the MIT license. // All rights reserved. Licensed under the MIT license.
// ========================================================================== // ==========================================================================
using System;
using System.Collections.Generic;
using System.Linq;
using Squidex.Infrastructure; using Squidex.Infrastructure;
namespace Squidex.Web namespace Squidex.Web
{ {
public sealed class UrlsOptions public sealed class UrlsOptions
{ {
private readonly HashSet<string> allTrustedHosts = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
private string baseUrl;
private string[] trustedHosts;
public bool EnableXForwardedHost { get; set; }
public bool EnforceHTTPS { get; set; } public bool EnforceHTTPS { get; set; }
public string BaseUrl { get; set; } public string BaseUrl
{
get
{
return baseUrl;
}
set
{
if (Uri.TryCreate(value, UriKind.Absolute, out var uri))
{
allTrustedHosts.Add(uri.Host);
}
baseUrl = value;
}
}
public bool EnableXForwardedHost { get; set; } public string[] TrustedHosts
{
get
{
return trustedHosts;
}
set
{
foreach (var host in trustedHosts?.Where(x => !string.IsNullOrWhiteSpace(x)).OrEmpty()!)
{
allTrustedHosts.Add(host);
}
trustedHosts = value;
}
}
public bool IsAllowedHost(string? url)
{
return Uri.TryCreate(url, UriKind.RelativeOrAbsolute, out var uri) && IsAllowedHost(uri);
}
public bool IsAllowedHost(Uri uri)
{
return !uri.IsAbsoluteUri || allTrustedHosts.Contains(uri.Host);
}
public string BuildUrl(string path, bool trailingSlash = true) public string BuildUrl(string path, bool trailingSlash = true)
{ {
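Review bot: The TrustedHosts setter iterates the old field instead of the assigned value — `foreach (var host in trustedHosts?.Where(...).OrEmpty()!)` reads `trustedHosts`, which is still null on the first assignment, so the configured hosts never reach `allTrustedHosts` and only the BaseUrl host ends up trusted; the loop should read `foreach (var host in value?.Where(x => !string.IsNullOrWhiteSpace(x)).OrEmpty())`, after which the null-forgiving `!` is unnecessary. A second point on `IsAllowedHost(Uri)`: it accepts every non-absolute Uri, and how `Uri.TryCreate` classifies a scheme-relative `//host/path` appears to vary by platform (relative on some, a file Uri on others), while a browser resolves such a value to another origin, so the allow-list check is best paired with a guard that rejects values starting with `//` or `/\` — the same rule `IUrlHelper.IsLocalUrl` applies. A one-line `<summary>` on `IsAllowedHost` stating that relative URLs are always allowed and absolute ones must match the BaseUrl host or a configured TrustedHosts entry would make that contract explicit for callers. The BuildUrl member at the end of the hunk continues outside it.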

15
backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs

@ -37,6 +37,7 @@ namespace Squidex.Areas.IdentityServer.Controllers.Account
private readonly UserManager<IdentityUser> userManager; private readonly UserManager<IdentityUser> userManager;
private readonly IUserFactory userFactory; private readonly IUserFactory userFactory;
private readonly IUserEvents userEvents; private readonly IUserEvents userEvents;
private readonly UrlsOptions urlsOptions;
private readonly MyIdentityOptions identityOptions; private readonly MyIdentityOptions identityOptions;
private readonly ISemanticLog log; private readonly ISemanticLog log;
private readonly IIdentityServerInteractionService interactions; private readonly IIdentityServerInteractionService interactions;
@ -46,17 +47,19 @@ namespace Squidex.Areas.IdentityServer.Controllers.Account
UserManager<IdentityUser> userManager, UserManager<IdentityUser> userManager,
IUserFactory userFactory, IUserFactory userFactory,
IUserEvents userEvents, IUserEvents userEvents,
IOptions<UrlsOptions> urlsOptions,
IOptions<MyIdentityOptions> identityOptions, IOptions<MyIdentityOptions> identityOptions,
ISemanticLog log, ISemanticLog log,
IIdentityServerInteractionService interactions) IIdentityServerInteractionService interactions)
{ {
this.log = log;
this.userEvents = userEvents;
this.userManager = userManager;
this.userFactory = userFactory;
this.interactions = interactions;
this.identityOptions = identityOptions.Value; this.identityOptions = identityOptions.Value;
this.interactions = interactions;
this.signInManager = signInManager; this.signInManager = signInManager;
this.urlsOptions = urlsOptions.Value;
this.userEvents = userEvents;
this.userFactory = userFactory;
this.userManager = userManager;
this.log = log;
} }
[HttpGet] [HttpGet]
@ -404,7 +407,7 @@ namespace Squidex.Areas.IdentityServer.Controllers.Account
private IActionResult RedirectToReturnUrl(string? returnUrl) private IActionResult RedirectToReturnUrl(string? returnUrl)
{ {
if (!string.IsNullOrWhiteSpace(returnUrl)) if (urlsOptions.IsAllowedHost(returnUrl) || interactions.IsValidReturnUrl(returnUrl))
{ {
return Redirect(returnUrl); return Redirect(returnUrl);
} }
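Review bot: The new condition in RedirectToReturnUrl drops the `string.IsNullOrWhiteSpace` guard that the replaced line carried, and an empty or whitespace-only returnUrl is, as far as I recall, accepted by `Uri.TryCreate` as a relative Uri, so `IsAllowedHost` returns true and `Redirect("")` throws an ArgumentException instead of falling through to the default redirect. Keeping the guard in front restores the previous behaviour for that case: `if (!string.IsNullOrWhiteSpace(returnUrl) && (urlsOptions.IsAllowedHost(returnUrl) || interactions.IsValidReturnUrl(returnUrl)))`. The remainder of RedirectToReturnUrl, including the fallback branch, lies outside the hunk.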
