        /// <summary>
        /// Decides whether <paramref name="urlString"/> is acceptable as a redirect target.
        /// The value must parse via <c>Utilities.TryParseUri</c>, carry a non-empty scheme that
        /// <c>Uri.CheckSchemeName</c> and <c>TextConvertersInternalHelpers.IsUrlSchemaSafe</c> both accept,
        /// and, for schemes <c>Redir.IsHttpOrHttps</c> recognises, pass
        /// <c>Redir.CheckHostNameWithHttpHost</c> against the request's HTTP_HOST server variable.
        /// HTTP_HOST is taken from the incoming request; what the host comparison does with it is not shown here.
        /// </summary>
        /// <param name="urlString">Candidate URL. Null or empty is rejected.</param>
        /// <param name="httpRequest">Current request; only consulted (for HTTP_HOST) on http/https-style schemes.</param>
        /// <returns>true when every check passes; false otherwise.</returns>
        internal static bool IsSafeUrl(string urlString, HttpRequest httpRequest)
        {
            if (string.IsNullOrEmpty(urlString))
            {
                return false;
            }
            Uri parsed = Utilities.TryParseUri(urlString);
            if (parsed == null)
            {
                return false;
            }
            string scheme = parsed.Scheme;
            // Evaluation order matters: the scheme must be well-formed before the safety list is consulted.
            bool schemeAccepted = !string.IsNullOrEmpty(scheme)
                && Uri.CheckSchemeName(scheme)
                && TextConvertersInternalHelpers.IsUrlSchemaSafe(scheme);
            if (!schemeAccepted)
            {
                return false;
            }
            if (!Redir.IsHttpOrHttps(scheme))
            {
                // Non-web schemes that survived the scheme checks are accepted without a host check.
                return true;
            }
            string httpHost = httpRequest.ServerVariables["HTTP_HOST"];
            if (string.IsNullOrEmpty(httpHost))
            {
                return false;
            }
            return Redir.CheckHostNameWithHttpHost(urlString, parsed, httpHost);
        }
        /// <summary>
        /// Builds a redirection URL: <paramref name="redirUrl"/> immediately followed by the
        /// output of <c>Redir.BuildSecUrl</c> for <paramref name="unencodedUrl"/>, and then the
        /// literal <c>&amp;smime=</c> marker when <paramref name="clientIsSMime"/> is set.
        /// </summary>
        /// <param name="redirUrl">Prefix (page plus query separator) the secured URL is appended to.</param>
        /// <param name="userContext">Passed through to <c>Redir.BuildSecUrl</c>.</param>
        /// <param name="unencodedUrl">Target URL, encoded by <c>Redir.BuildSecUrl</c>.</param>
        /// <param name="clientIsSMime">When true, appends the S/MIME marker.</param>
        /// <returns>The assembled redirection URL.</returns>
        private static string BuildRedirUrl(string redirUrl, UserContext userContext, string unencodedUrl, bool clientIsSMime)
        {
            string securedTarget = Redir.BuildSecUrl(unencodedUrl, userContext);
            string result = redirUrl + securedTarget;
            if (clientIsSMime)
            {
                result += "&smime=";
            }
            return result;
        }
        /// <summary>
        /// Rewrites a URL-bearing attribute on an outbound HTML tag according to how
        /// <c>GetTypeOfUrl</c> classifies its value. Local and Unknown URLs are first resolved
        /// to an absolute URL (against the message's base href, loaded lazily from the item body)
        /// and classified again; the final class decides whether the attribute is written
        /// unchanged, turned into a JS local-link handler, routed through the redirection page,
        /// or replaced with <c>BlockedUrlPageValue</c>.
        /// </summary>
        /// <param name="filterAttribute">Attribute being filtered; its Value is the candidate URL.</param>
        /// <param name="context">Tag context; not read by this method.</param>
        /// <param name="writer">Output writer used when the attribute is rewritten.</param>
        protected void ProcessHtmlUrlTag(HtmlTagContextAttribute filterAttribute, HtmlTagContext context, HtmlWriter writer)
        {
            OwaSafeHtmlOutboundCallbacks.TypeOfUrl typeOfUrl = this.GetTypeOfUrl(filterAttribute.Value, filterAttribute.Id);
            string text;

            if (typeOfUrl == OwaSafeHtmlOutboundCallbacks.TypeOfUrl.Unknown || typeOfUrl == OwaSafeHtmlOutboundCallbacks.TypeOfUrl.Local)
            {
                // Lazily discover the message's base href: attempted at most once per instance
                // (triedLoadingBaseHref) and only for conversation/unknown item types.
                if (this.baseRef == null && this.isConversationsOrUnknownType && !this.triedLoadingBaseHref)
                {
                    OwaLightweightHtmlCallback owaLightweightHtmlCallback = new OwaLightweightHtmlCallback();
                    using (Item item = Utilities.GetItem <Item>(this.owaContext.UserContext, this.itemId, new PropertyDefinition[0]))
                    {
                        BodyReadConfiguration bodyReadConfiguration = new BodyReadConfiguration(BodyFormat.TextHtml, "utf-8");
                        bodyReadConfiguration.SetHtmlOptions(HtmlStreamingFlags.FilterHtml, owaLightweightHtmlCallback);
                        Body body = item.Body;
                        // IRM-protected items are decrypted first; once decrypted, the protected body is scanned instead.
                        if (this.owaContext.UserContext.IsIrmEnabled)
                        {
                            Utilities.IrmDecryptIfRestricted(item, this.owaContext.UserContext, true);
                            if (Utilities.IsIrmRestrictedAndDecrypted(item))
                            {
                                body = ((RightsManagedMessageItem)item).ProtectedBody;
                            }
                        }
                        using (TextReader textReader = body.OpenTextReader(bodyReadConfiguration))
                        {
                            // A single Read of at most 5000 chars is pushed through the filtering reader;
                            // the number of chars actually read is ignored. A base href further into the
                            // body would presumably not be picked up by the callback.
                            int    num    = 5000;
                            char[] buffer = new char[num];
                            textReader.Read(buffer, 0, num);
                        }
                    }
                    this.baseRef = owaLightweightHtmlCallback.BaseRef;
                    this.triedLoadingBaseHref = true;
                }
                // Resolve against the base href and classify again: the absolute form may fall
                // into a different bucket than the raw attribute value did.
                text      = this.GetAbsoluteUrl(filterAttribute.Value, filterAttribute.Id);
                typeOfUrl = this.GetTypeOfUrl(text, filterAttribute.Id);
            }
            else
            {
                text = filterAttribute.Value;
            }
            switch (typeOfUrl)
            {
            case OwaSafeHtmlOutboundCallbacks.TypeOfUrl.Local:
                // Rich clients get a JS handler for in-page links; Safari, the basic experience
                // and conversation view write the attribute untouched. Note that the ORIGINAL
                // attribute value (not the resolved 'text') is used, with its first character
                // dropped (presumably the leading '#').
                // NOTE(review): no escaping of that substring is visible here before it is placed
                // inside the JS call string — whether WriteAttribute encodes it is not shown in this file.
                if (this.owaContext.UserContext.BrowserType != BrowserType.Safari && !this.owaContext.UserContext.IsBasicExperience && !this.isConversations)
                {
                    writer.WriteAttribute(filterAttribute.Id, OwaSafeHtmlCallbackBase.JSLocalLink + OwaSafeHtmlCallbackBase.JSMethodPrefix + filterAttribute.Value.Substring(1) + OwaSafeHtmlCallbackBase.JSMethodSuffix);
                    return;
                }
                filterAttribute.Write();
                return;

            case OwaSafeHtmlOutboundCallbacks.TypeOfUrl.Trusted:
                // Trusted URLs are emitted verbatim.
                filterAttribute.Write();
                this.hasFoundNonLocalUrlInCurrentPass = true;
                return;

            case OwaSafeHtmlOutboundCallbacks.TypeOfUrl.Redirection:
                // Only the attribute name is written by the filter; the value is replaced with a
                // redirection-page URL wrapping the resolved target.
                filterAttribute.WriteName();
                writer.WriteAttributeValue(Redir.BuildRedirUrl(this.owaContext.UserContext, text));
                this.hasFoundNonLocalUrlInCurrentPass = true;
                return;

            case OwaSafeHtmlOutboundCallbacks.TypeOfUrl.Unknown:
                // Still unclassifiable after resolution: point the attribute at the blocked-URL page.
                writer.WriteAttribute(filterAttribute.Id, OwaSafeHtmlOutboundCallbacks.BlockedUrlPageValue);
                this.hasFoundNonLocalUrlInCurrentPass = true;
                return;

            default:
                // Any other classification: the attribute is dropped (nothing is written).
                return;
            }
        }
 /// <summary>
 /// Handles a form tag that is not being fragmented. When forms are allowed the tag is written,
 /// each src/action attribute is replaced with <c>BlockedUrlPageValue</c> unless both
 /// <c>this.IsSafeUrl</c> and <c>Redir.IsSafeUrl</c> (against the current request) accept it,
 /// any target attribute is skipped, and <c>WriteSafeTargetBlank</c> is called afterwards.
 /// When forms are not allowed nothing is written and <c>hasBlockedForms</c> is set.
 /// </summary>
 /// <param name="context">The form tag and its attributes.</param>
 /// <param name="writer">Output writer for the rewritten attributes.</param>
 protected virtual void ProcessUnfragFormTagContext(HtmlTagContext context, HtmlWriter writer)
 {
     if (!this.allowForms)
     {
         this.hasBlockedForms = true;
         return;
     }
     context.WriteTag();
     foreach (HtmlTagContextAttribute attribute in context.Attributes)
     {
         HtmlAttributeId attributeId = attribute.Id;
         bool carriesUrl = attributeId == HtmlAttributeId.Src || attributeId == HtmlAttributeId.Action;
         // Both checks must pass; the local check runs first and short-circuits the request-bound one.
         bool blocked = carriesUrl
             && (!this.IsSafeUrl(attribute.Value, attributeId)
                 || !Redir.IsSafeUrl(attribute.Value, this.owaContext.HttpContext.Request));
         if (blocked)
         {
             writer.WriteAttribute(attributeId, OwaSafeHtmlOutboundCallbacks.BlockedUrlPageValue);
         }
         else if (attributeId != HtmlAttributeId.Target)
         {
             attribute.Write();
         }
     }
     this.WriteSafeTargetBlank(writer);
 }
 /// <summary>
 /// Non-S/MIME convenience overload: forwards to the four-argument <c>BuildRedirUrl</c>
 /// with <c>clientIsSMime</c> set to false.
 /// </summary>
 /// <param name="redirUrl">Prefix the secured URL is appended to.</param>
 /// <param name="userContext">Passed through unchanged.</param>
 /// <param name="unencodedUrl">Target URL, passed through unchanged.</param>
 /// <returns>The assembled redirection URL.</returns>
 private static string BuildRedirUrl(string redirUrl, UserContext userContext, string unencodedUrl)
 {
     const bool clientIsSMime = false;
     return Redir.BuildRedirUrl(redirUrl, userContext, unencodedUrl, clientIsSMime);
 }
 /// <summary>
 /// Builds a redirection URL rooted at the explicit (absolute) redirection page for
 /// <paramref name="owaContext"/>, i.e. <c>OwaUrl.RedirectionPage.GetExplicitUrl(owaContext) + "?"</c>
 /// followed by the secured form of <paramref name="unencodedUrl"/>.
 /// </summary>
 /// <param name="owaContext">Supplies the explicit page URL and the user context.</param>
 /// <param name="unencodedUrl">Target URL to wrap.</param>
 /// <returns>The assembled redirection URL.</returns>
 internal static string BuildExplicitRedirUrl(OwaContext owaContext, string unencodedUrl)
 {
     string redirectionPrefix = OwaUrl.RedirectionPage.GetExplicitUrl(owaContext) + "?";
     return Redir.BuildRedirUrl(redirectionPrefix, owaContext.UserContext, unencodedUrl);
 }
 /// <summary>
 /// Builds a redirection URL for an S/MIME client: the relative page <c>redir.aspx?</c>
 /// followed by the secured form of <paramref name="unencodedUrl"/> and the S/MIME marker.
 /// </summary>
 /// <param name="userContext">Passed through to <c>BuildRedirUrl</c>.</param>
 /// <param name="unencodedUrl">Target URL to wrap.</param>
 /// <returns>The assembled redirection URL.</returns>
 internal static string BuildRedirUrlForSMime(UserContext userContext, string unencodedUrl)
 {
     const string redirectionPrefix = "redir.aspx?";
     const bool clientIsSMime = true;
     return Redir.BuildRedirUrl(redirectionPrefix, userContext, unencodedUrl, clientIsSMime);
 }
        /// <summary>
        /// Tries to turn a SharePoint (WSS) or UNC document-library URL into an OWA-internal
        /// navigation URL. Every policy gate must pass — trusted protocol, internal host, host not
        /// blocked, documents access enabled, per-protocol navigation allowed — and the URL must
        /// classify as a known document-library object; otherwise null is returned and the caller
        /// falls back to other handling.
        /// </summary>
        /// <param name="uriParam">The raw URL from the request; URL-encoded into the result as the URL= parameter.</param>
        /// <param name="errorInformation">Always set to null by this method; no error detail is produced here.</param>
        /// <returns>An OWA folder, WebReady view or GetDoc URL, or null when the URL is not handled.</returns>
        private string TryNavigateToInternalWssUnc(string uriParam, out ErrorInformation errorInformation)
        {
            errorInformation = null;
            // The basic (light) experience never navigates into document libraries.
            if (base.UserContext.IsBasicExperience)
            {
                return(null);
            }
            Uri uri = Utilities.TryParseUri(uriParam);

            if (uri == null || string.IsNullOrEmpty(uri.Scheme) || string.IsNullOrEmpty(uri.Host))
            {
                return(null);
            }
            // Policy gates, in order: protocol allow-list, internal host, host block-list, feature enabled.
            if (!DocumentLibraryUtilities.IsTrustedProtocol(uri.Scheme))
            {
                return(null);
            }
            if (!DocumentLibraryUtilities.IsInternalUri(uri.Host, base.UserContext))
            {
                return(null);
            }
            if (DocumentLibraryUtilities.IsBlockedHostName(uri.Host, base.UserContext))
            {
                return(null);
            }
            if (!DocumentLibraryUtilities.IsDocumentsAccessEnabled(base.UserContext))
            {
                return(null);
            }
            // flag  = navigation to WSS (SharePoint) allowed; flag2 = navigation to UNC allowed.
            // flag3 = URL uses http/https;                     flag4 = URL uses the file: scheme.
            bool flag  = DocumentLibraryUtilities.IsNavigationToWSSAllowed(base.UserContext);
            bool flag2 = DocumentLibraryUtilities.IsNavigationToUNCAllowed(base.UserContext);
            bool flag3 = Redir.IsHttpOrHttps(uri.Scheme);
            bool flag4 = string.Equals(uri.Scheme, Uri.UriSchemeFile, StringComparison.OrdinalIgnoreCase);

            // A web URL needs WSS navigation enabled; a file: URL needs UNC navigation enabled.
            if ((flag3 && !flag) || (flag4 && !flag2))
            {
                return(null);
            }
            ClassifyResult documentLibraryObjectId = DocumentLibraryUtilities.GetDocumentLibraryObjectId(uri, base.UserContext);

            if (documentLibraryObjectId == null || documentLibraryObjectId.Error != ClassificationError.None)
            {
                return(null);
            }
            DocumentLibraryObjectId objectId = documentLibraryObjectId.ObjectId;

            if (objectId == null)
            {
                return(null);
            }
            if (objectId.UriFlags == UriFlags.Other)
            {
                return(null);
            }
            UriFlags uriFlags = objectId.UriFlags;
            // flag5 = SharePoint document; flag6 = UNC document.
            bool     flag5    = (uriFlags & UriFlags.SharepointDocument) == UriFlags.SharepointDocument;
            bool     flag6    = (uriFlags & UriFlags.UncDocument) == UriFlags.UncDocument;

            // Containers (library, folder, site root, UNC share) open the folder view.
            if ((uriFlags & UriFlags.DocumentLibrary) == UriFlags.DocumentLibrary || (uriFlags & UriFlags.Folder) == UriFlags.Folder || uriFlags == UriFlags.Sharepoint || uriFlags == UriFlags.Unc)
            {
                return(string.Concat(new string[]
                {
                    OwaUrl.ApplicationRoot.GetExplicitUrl(base.OwaContext),
                    "?ae=Folder&t=IPF.DocumentLibrary&id=",
                    Utilities.UrlEncode(objectId.ToBase64String()),
                    "&URL=",
                    Utilities.UrlEncode(uriParam)
                }));
            }
            if (flag5)
            {
                // WebReady-convertible documents open in the viewer form (openWebReadyForm is set for the page);
                // everything else is fetched through the GetDoc event handler.
                if (!base.UserContext.IsBasicExperience && DocumentLibraryUtilities.IsWebReadyDocument(objectId, base.UserContext))
                {
                    this.openWebReadyForm = true;
                    return("WebReadyView.aspx?t=wss&id=" + Utilities.UrlEncode(objectId.ToBase64String()) + "&URL=" + Utilities.UrlEncode(uriParam));
                }
                // The GetDoc URL carries the canary request parameter (presumably the per-session CSRF token — confirm).
                return(string.Concat(new string[]
                {
                    "ev.owa?ns=SharepointDocument&ev=GetDoc&id=",
                    Utilities.UrlEncode(objectId.ToBase64String()),
                    "&URL=",
                    Utilities.UrlEncode(uriParam),
                    Utilities.GetCanaryRequestParameter()
                }));
            }
            else
            {
                // Neither a SharePoint nor a UNC document: not handled here.
                if (!flag6)
                {
                    return(null);
                }
                // Same split as the SharePoint branch, for UNC documents.
                if (!base.UserContext.IsBasicExperience && DocumentLibraryUtilities.IsWebReadyDocument(objectId, base.UserContext))
                {
                    this.openWebReadyForm = true;
                    return("WebReadyView.aspx?t=unc&id=" + Utilities.UrlEncode(objectId.ToBase64String()) + "&URL=" + Utilities.UrlEncode(uriParam));
                }
                return(string.Concat(new string[]
                {
                    "ev.owa?ns=UncDocument&ev=GetDoc&id=",
                    Utilities.UrlEncode(objectId.ToBase64String()),
                    "&URL=",
                    Utilities.UrlEncode(uriParam),
                    Utilities.GetCanaryRequestParameter()
                }));
            }
        }
        /// <summary>
        /// Page load for the redirection page. Resolves the target URL (from a signed URL or the
        /// raw URL query parameter), validates it with <c>Redir.IsSafeUrl</c>, and stores the
        /// result in <c>safeUrl</c>: mailto: links become a new-message compose URL, document-library
        /// links are routed through <c>TryNavigateToInternalWssUnc</c>, and the optional
        /// TranslatedURL parameter is used as a fallback when it is itself safe. Requests whose
        /// referer is the FBA logon page, or whose URL fails validation, are ended with 403.
        /// </summary>
        /// <param name="e">Standard page-load event args (unused).</param>
        /// <exception cref="OwaInvalidCanary14Exception">Thrown at the end when the URL was not signed.</exception>
        protected override void OnLoad(EventArgs e)
        {
            // Refuse redirects that arrive straight from the forms-based-auth logon page.
            if (Redir.IsUrlRefererFBALogonPage(base.Request.UrlReferrer))
            {
                Utilities.EndResponse(this.Context, HttpStatusCode.Forbidden);
            }
            string queryStringParameter;
            // A signed URL is bound to the user's canary keys; if the signature check fails, the raw
            // "URL" parameter is used for the rest of this method and the canary exception is thrown
            // only at the very end (after safeUrl has already been computed).
            bool   signedUrl = Redir.GetSignedUrl(base.Request, base.UserContext.Key.Canary.UserContextIdGuid, base.UserContext.Key.Canary.LogonUniqueKey, out queryStringParameter);

            if (!signedUrl)
            {
                queryStringParameter = Utilities.GetQueryStringParameter(base.Request, "URL");
            }
            // flag  = a TranslatedURL parameter is present.
            // flag2 = NoDocLnkCls is absent, i.e. document-link classification is enabled.
            string queryStringParameter2 = Utilities.GetQueryStringParameter(base.Request, "TranslatedURL", false);
            bool   flag  = !string.IsNullOrEmpty(queryStringParameter2);
            bool   flag2 = string.IsNullOrEmpty(Utilities.GetQueryStringParameter(base.Request, "NoDocLnkCls", false));

            if (Redir.IsSafeUrl(queryStringParameter, base.Request))
            {
                ErrorInformation errorInformation = null;
                Uri uri;
                // Defensive: IsSafeUrl already required TryParseUri to succeed on this string, so this
                // branch is not expected to be taken. The code after it assumes EndResponse does not
                // return (uri would be null below) — confirm that is how Utilities.EndResponse behaves.
                if (null == (uri = Utilities.TryParseUri(queryStringParameter)))
                {
                    Utilities.EndResponse(this.Context, HttpStatusCode.Forbidden);
                }
                string scheme = uri.Scheme;
                if (CultureInfo.InvariantCulture.CompareInfo.Compare(scheme, "mailto", CompareOptions.IgnoreCase) == 0)
                {
                    // mailto: -> open a new message with the address pre-filled; never redirected externally.
                    StringBuilder stringBuilder = new StringBuilder(512);
                    stringBuilder.Append(OwaUrl.ApplicationRoot.GetExplicitUrl(base.OwaContext));
                    stringBuilder.Append("?ae=Item&a=New&t=");
                    string value = "IPM.Note";
                    if (base.UserContext.IsSmsEnabled)
                    {
                        // An IMCEA-encapsulated address with a mobile routing type becomes an SMS message instead.
                        int length = "mailto:".Length;
                        if (queryStringParameter.Length > length)
                        {
                            string       inputString = queryStringParameter.Substring(length);
                            Participant  participant;
                            ProxyAddress proxyAddress;
                            if (Participant.TryParse(inputString, out participant) && ImceaAddress.IsImceaAddress(participant.EmailAddress) && SmtpProxyAddress.TryDeencapsulate(participant.EmailAddress, out proxyAddress) && Utilities.IsMobileRoutingType(proxyAddress.PrefixString))
                            {
                                value = "IPM.Note.Mobile.SMS";
                            }
                        }
                    }
                    stringBuilder.Append(value);
                    stringBuilder.Append('&');
                    stringBuilder.Append("email");
                    stringBuilder.Append('=');
                    stringBuilder.Append(Utilities.UrlEncode(queryStringParameter));
                    this.safeUrl = stringBuilder.ToString();
                    this.isNewMailLinkCreated = true;
                    return;
                }
                // Document-library classification is only attempted when NoDocLnkCls was not passed.
                if (flag2)
                {
                    this.safeUrl = this.TryNavigateToInternalWssUnc(queryStringParameter, out errorInformation);
                }
                if (this.safeUrl == null)
                {
                    // Prefer a safe TranslatedURL; otherwise surface any error, else redirect to the validated URL itself.
                    if (flag && Redir.IsSafeUrl(queryStringParameter2, base.Request))
                    {
                        this.safeUrl = queryStringParameter2;
                    }
                    else
                    {
                        if (errorInformation != null)
                        {
                            Utilities.TransferToErrorPage(base.OwaContext, errorInformation);
                            return;
                        }
                        this.safeUrl = queryStringParameter;
                    }
                }
            }
            else if (flag && Redir.IsSafeUrl(queryStringParameter2, base.Request))
            {
                // Primary URL failed validation but the translated one passes.
                this.safeUrl = queryStringParameter2;
            }
            else
            {
                Utilities.EndResponse(this.Context, HttpStatusCode.Forbidden);
            }
            // Unsigned requests are rejected here, after the target has been resolved.
            if (!signedUrl)
            {
                throw new OwaInvalidCanary14Exception(null, "Invalid canary in redir.aspx query.");
            }
        }