public void ValidateRedirect(int statusCode, string locationHeader, Uri requestAuthority,
IRedirectValidationConfiguration config)
{
if (!config.Enabled)
{
return;
}
//Not a redirect
if (!IsRedirectStatusCode(statusCode))
{
return;
}
//No location header
if (String.IsNullOrEmpty(locationHeader))
{
return;
}
Uri locationUri;
if (!Uri.TryCreate(locationHeader, UriKind.RelativeOrAbsolute, out locationUri))
{
throw new Exception("Unable to parse location header value as URI. Value was: " + locationHeader);
}
//Relative Uri
if (!locationUri.IsAbsoluteUri)
{
return;
}
// Same origin TODO look into URL encoding
if (locationUri.GetComponents(UriComponents.SchemeAndServer, UriFormat.SafeUnescaped).Equals(requestAuthority.GetComponents(UriComponents.SchemeAndServer, UriFormat.SafeUnescaped)))
{
return;
}
//Same host https
if (config.SameHostRedirectConfiguration.Enabled && locationUri.Scheme.Equals("https") && requestAuthority.Host.Equals(locationUri.Host))
{
var sameHostConfig = config.SameHostRedirectConfiguration;
if (sameHostConfig.Ports.Length == 0 && locationUri.IsDefaultPort)
{
return;
}
if (sameHostConfig.Ports.Contains(locationUri.Port))
{
return;
}
throw new RedirectValidationException("A potentially dangerous redirect was detected. Allow same host redirects to this port number in configuration if the redirect was intended. Offending redirect: " + locationHeader);
}
// Allowed Uri
if (config.AllowedUris.Any(locationUri.AbsoluteUri.StartsWith))
{
return;
}
throw new RedirectValidationException(
"A potentially dangerous redirect was detected. Add the destination to the whitelist in configuration if the redirect was intended. Offending redirect: " +
locationHeader);
}
public void ValidateRedirect(int statusCode, string locationHeader, Uri requestAuthority,
IRedirectValidationConfiguration config)
{
if (!config.Enabled)
{
return;
}
//Not a redirect
if (!IsRedirectStatusCode(statusCode))
{
return;
}
//No location header
if (String.IsNullOrEmpty(locationHeader))
{
return;
}
Uri locationUri;
if (!Uri.TryCreate(locationHeader, UriKind.RelativeOrAbsolute, out locationUri))
{
throw new Exception("Unable to parse location header value as URI. Value was: " + locationHeader);
}
//Relative Uri
if (!locationUri.IsAbsoluteUri)
{
return;
}
// Same origin
if (locationUri.GetLeftPart(UriPartial.Authority).Equals(requestAuthority.GetLeftPart(UriPartial.Authority)))
{
return;
}
//Same host https
if (config.SameHostRedirectConfiguration.Enabled && locationUri.Scheme.Equals("https") && requestAuthority.Host.Equals(locationUri.Host))
{
var sameHostConfig = config.SameHostRedirectConfiguration;
if (sameHostConfig.Ports.Length == 0 && locationUri.IsDefaultPort)
{
return;
}
if (sameHostConfig.Ports.Contains(locationUri.Port))
{
return;
}
throw new RedirectValidationException("A potentially dangerous redirect was detected. Allow same host redirects to this port number in configuration if the redirect was intended. Offending redirect: " + locationHeader);
}
// Allowed Uri
if (config.AllowedUris.Any(locationUri.AbsoluteUri.StartsWith))
{
return;
}
throw new RedirectValidationException(
"A potentially dangerous redirect was detected. Add the destination to the whitelist in configuration if the redirect was intended. Offending redirect: " +
locationHeader);
}
