/// <summary>
/// Gate for redirect targets. Returns true only when <paramref name="urlString"/> parses as a
/// Uri, its scheme is syntactically valid (<see cref="Uri.CheckSchemeName"/>) and on the
/// TextConvertersInternalHelpers allow-list, and — for http/https only — the target passes
/// Redir.CheckHostNameWithHttpHost against the request's HTTP_HOST. Every rejection is fail-closed.
/// </summary>
/// <param name="urlString">Untrusted URL text (query-string or message-body origin).</param>
/// <param name="httpRequest">Current request; only ServerVariables["HTTP_HOST"] is read, and only
/// for http/https targets. Not null-checked here — a null request on that path would throw.</param>
/// <returns>true when the URL is acceptable as a redirect target.</returns>
internal static bool IsSafeUrl(string urlString, HttpRequest httpRequest)
{
    if (string.IsNullOrEmpty(urlString))
    {
        return false;
    }

    Uri parsed = Utilities.TryParseUri(urlString);
    if (parsed == null)
    {
        return false;
    }

    string scheme = parsed.Scheme;
    if (string.IsNullOrEmpty(scheme))
    {
        return false;
    }

    // Syntactic check first, then the allow-list; same short-circuit order as before.
    bool schemeAccepted = Uri.CheckSchemeName(scheme) && TextConvertersInternalHelpers.IsUrlSchemaSafe(scheme);
    if (!schemeAccepted)
    {
        return false;
    }

    // Non-http(s) schemes that survived the allow-list are accepted without a host check.
    if (!Redir.IsHttpOrHttps(scheme))
    {
        return true;
    }

    // http/https: an empty Host header fails closed; otherwise defer to the host-name comparison
    // (presumably target host vs. HTTP_HOST — the helper is not visible here).
    string httpHost = httpRequest.ServerVariables["HTTP_HOST"];
    if (string.IsNullOrEmpty(httpHost))
    {
        return false;
    }

    return Redir.CheckHostNameWithHttpHost(urlString, parsed, httpHost);
}
/// <summary>
/// Assembles a redir.aspx link: <paramref name="redirUrl"/> (already ending in "?"), followed by the
/// security/URL parameters produced by Redir.BuildSecUrl, followed by "&amp;smime=" when the
/// caller is the S/MIME control.
/// </summary>
/// <param name="redirUrl">Redirection page URL including the trailing query separator.</param>
/// <param name="userContext">User context handed to Redir.BuildSecUrl.</param>
/// <param name="unencodedUrl">Raw target URL; encoding is BuildSecUrl's responsibility.</param>
/// <param name="clientIsSMime">Appends the "&amp;smime=" marker when true.</param>
/// <returns>The concatenated redirect URL.</returns>
private static string BuildRedirUrl(string redirUrl, UserContext userContext, string unencodedUrl, bool clientIsSMime)
{
    string secPart = Redir.BuildSecUrl(unencodedUrl, userContext);
    string smimePart = clientIsSMime ? "&smime=" : string.Empty;
    // string.Concat treats null parts as empty, matching StringBuilder.Append(null).
    return string.Concat(redirUrl, secPart, smimePart);
}
/// <summary>
/// Rewrites a URL-bearing attribute of an outbound HTML tag according to its classification
/// (Local / Trusted / Redirection / Unknown). Unknown and Local values are first made absolute
/// against the message's &lt;base href&gt;, which is loaded lazily (once per instance) by streaming
/// the first 5000 chars of the item body through OwaLightweightHtmlCallback.
/// </summary>
/// <param name="filterAttribute">The attribute being filtered (its Id and raw Value are read).</param>
/// <param name="context">Tag context; not read by this method.</param>
/// <param name="writer">Output writer used when the attribute value is replaced.</param>
protected void ProcessHtmlUrlTag(HtmlTagContextAttribute filterAttribute, HtmlTagContext context, HtmlWriter writer)
{
    OwaSafeHtmlOutboundCallbacks.TypeOfUrl typeOfUrl = this.GetTypeOfUrl(filterAttribute.Value, filterAttribute.Id);
    string text;
    if (typeOfUrl == OwaSafeHtmlOutboundCallbacks.TypeOfUrl.Unknown || typeOfUrl == OwaSafeHtmlOutboundCallbacks.TypeOfUrl.Local)
    {
        // Resolve the base href at most once; triedLoadingBaseHref is set even when none was found.
        if (this.baseRef == null && this.isConversationsOrUnknownType && !this.triedLoadingBaseHref)
        {
            OwaLightweightHtmlCallback owaLightweightHtmlCallback = new OwaLightweightHtmlCallback();
            using (Item item = Utilities.GetItem <Item>(this.owaContext.UserContext, this.itemId, new PropertyDefinition[0]))
            {
                BodyReadConfiguration bodyReadConfiguration = new BodyReadConfiguration(BodyFormat.TextHtml, "utf-8");
                bodyReadConfiguration.SetHtmlOptions(HtmlStreamingFlags.FilterHtml, owaLightweightHtmlCallback);
                Body body = item.Body;
                if (this.owaContext.UserContext.IsIrmEnabled)
                {
                    // IRM-protected items: read the decrypted body, not the opaque wrapper.
                    Utilities.IrmDecryptIfRestricted(item, this.owaContext.UserContext, true);
                    if (Utilities.IsIrmRestrictedAndDecrypted(item))
                    {
                        body = ((RightsManagedMessageItem)item).ProtectedBody;
                    }
                }
                using (TextReader textReader = body.OpenTextReader(bodyReadConfiguration))
                {
                    // Only one Read of up to 5000 chars is performed; its return value is ignored, so a
                    // <base> appearing later in the body (or beyond a short first read) is not seen.
                    // The callback captures BaseRef as a side effect of the filtering pass.
                    int num = 5000;
                    char[] buffer = new char[num];
                    textReader.Read(buffer, 0, num);
                }
            }
            this.baseRef = owaLightweightHtmlCallback.BaseRef;
            this.triedLoadingBaseHref = true;
        }
        // Re-classify on the absolutized form; a Local link can become non-local after resolution.
        text = this.GetAbsoluteUrl(filterAttribute.Value, filterAttribute.Id);
        typeOfUrl = this.GetTypeOfUrl(text, filterAttribute.Id);
    }
    else
    {
        text = filterAttribute.Value;
    }
    switch (typeOfUrl)
    {
    case OwaSafeHtmlOutboundCallbacks.TypeOfUrl.Local:
        // Rich clients (not Safari, not basic/light, not conversation view) get a JS in-page link.
        // Note this uses the ORIGINAL attribute value minus its first character (presumably the
        // leading '#'), not the absolutized `text`.
        // NOTE(review): the value is concatenated into a script-call string; confirm that
        // WriteAttribute / the JSMethodPrefix wrapper escapes it for script context.
        if (this.owaContext.UserContext.BrowserType != BrowserType.Safari && !this.owaContext.UserContext.IsBasicExperience && !this.isConversations)
        {
            writer.WriteAttribute(filterAttribute.Id, OwaSafeHtmlCallbackBase.JSLocalLink + OwaSafeHtmlCallbackBase.JSMethodPrefix + filterAttribute.Value.Substring(1) + OwaSafeHtmlCallbackBase.JSMethodSuffix);
            return;
        }
        filterAttribute.Write();
        return;
    case OwaSafeHtmlOutboundCallbacks.TypeOfUrl.Trusted:
        // Trusted URLs pass through unchanged.
        filterAttribute.Write();
        this.hasFoundNonLocalUrlInCurrentPass = true;
        return;
    case OwaSafeHtmlOutboundCallbacks.TypeOfUrl.Redirection:
        // Keep the attribute name, replace the value with a redir.aspx link (two-argument
        // Redir.BuildRedirUrl overload, defined elsewhere) built from the absolutized URL.
        filterAttribute.WriteName();
        writer.WriteAttributeValue(Redir.BuildRedirUrl(this.owaContext.UserContext, text));
        this.hasFoundNonLocalUrlInCurrentPass = true;
        return;
    case OwaSafeHtmlOutboundCallbacks.TypeOfUrl.Unknown:
        // Unclassifiable URL: neutralize it with the blocked-URL placeholder.
        writer.WriteAttribute(filterAttribute.Id, OwaSafeHtmlOutboundCallbacks.BlockedUrlPageValue);
        this.hasFoundNonLocalUrlInCurrentPass = true;
        return;
    default:
        // Any other classification: the attribute is dropped (nothing written).
        return;
    }
}
/// <summary>
/// Emits a &lt;form&gt; tag when forms are allowed. Its src/action attributes must pass BOTH the
/// instance IsSafeUrl check and Redir.IsSafeUrl against the current request, or they are replaced
/// with the blocked-URL placeholder; any target attribute is dropped and a safe target="_blank"
/// is written instead. When forms are not allowed, nothing is written and hasBlockedForms is set.
/// </summary>
/// <param name="context">Tag context whose tag and attributes are written.</param>
/// <param name="writer">Output writer for replaced attributes and the safe target.</param>
protected virtual void ProcessUnfragFormTagContext(HtmlTagContext context, HtmlWriter writer)
{
    if (!this.allowForms)
    {
        // Form suppressed entirely; record it for the caller.
        this.hasBlockedForms = true;
        return;
    }

    context.WriteTag();
    foreach (HtmlTagContextAttribute attribute in context.Attributes)
    {
        bool isUrlAttribute = attribute.Id == HtmlAttributeId.Src || attribute.Id == HtmlAttributeId.Action;
        // Instance check runs first, then the request-aware Redir check (same order as before).
        if (isUrlAttribute && !(this.IsSafeUrl(attribute.Value, attribute.Id) && Redir.IsSafeUrl(attribute.Value, this.owaContext.HttpContext.Request)))
        {
            writer.WriteAttribute(attribute.Id, OwaSafeHtmlOutboundCallbacks.BlockedUrlPageValue);
        }
        else if (attribute.Id != HtmlAttributeId.Target)
        {
            attribute.Write();
        }
    }

    // The original target (if any) was skipped above; always emit the safe one.
    this.WriteSafeTargetBlank(writer);
}
/// <summary>
/// Non-S/MIME convenience overload: builds the redir link without the "&amp;smime=" marker.
/// </summary>
/// <param name="redirUrl">Redirection page URL including the trailing query separator.</param>
/// <param name="userContext">User context handed to Redir.BuildSecUrl.</param>
/// <param name="unencodedUrl">Raw target URL.</param>
/// <returns>The redirect URL from the four-argument overload.</returns>
private static string BuildRedirUrl(string redirUrl, UserContext userContext, string unencodedUrl)
{
    const bool clientIsSMime = false;
    return Redir.BuildRedirUrl(redirUrl, userContext, unencodedUrl, clientIsSMime);
}
/// <summary>
/// Builds a redir link rooted at the explicit (absolute for this OwaContext) redirection page URL.
/// </summary>
/// <param name="owaContext">Context providing the explicit page URL and the UserContext.</param>
/// <param name="unencodedUrl">Raw target URL.</param>
/// <returns>Explicit redirection page URL + "?" + security/URL parameters.</returns>
internal static string BuildExplicitRedirUrl(OwaContext owaContext, string unencodedUrl)
{
    string redirPage = OwaUrl.RedirectionPage.GetExplicitUrl(owaContext);
    string redirPrefix = redirPage + "?";
    return Redir.BuildRedirUrl(redirPrefix, owaContext.UserContext, unencodedUrl);
}
/// <summary>
/// Builds a relative redir link ("redir.aspx?...") for the S/MIME control, with the "&amp;smime="
/// marker appended.
/// </summary>
/// <param name="userContext">User context handed to Redir.BuildSecUrl.</param>
/// <param name="unencodedUrl">Raw target URL.</param>
/// <returns>The relative S/MIME redirect URL.</returns>
internal static string BuildRedirUrlForSMime(UserContext userContext, string unencodedUrl)
{
    const string relativeRedirPage = "redir.aspx?";
    return Redir.BuildRedirUrl(relativeRedirPage, userContext, unencodedUrl, true);
}
/// <summary>
/// If <paramref name="uriParam"/> points at an internal SharePoint (http/https) or UNC (file:)
/// document-library resource the user is allowed to open, returns an OWA-local URL that renders it
/// (folder view, WebReadyView, or the ev.owa GetDoc handler); otherwise returns null so the caller
/// falls back to an ordinary redirect. Every policy gate below fails closed by returning null.
/// </summary>
/// <param name="uriParam">Raw URL from the request; echoed back URL-encoded in the generated link.</param>
/// <param name="errorInformation">Always set to null; this method never populates it.</param>
/// <returns>An OWA-local URL, or null when the target is not an eligible internal document resource.</returns>
private string TryNavigateToInternalWssUnc(string uriParam, out ErrorInformation errorInformation)
{
    errorInformation = null;
    // Document-library navigation is not offered in the basic (light) experience.
    if (base.UserContext.IsBasicExperience)
    {
        return (null);
    }
    Uri uri = Utilities.TryParseUri(uriParam);
    if (uri == null || string.IsNullOrEmpty(uri.Scheme) || string.IsNullOrEmpty(uri.Host))
    {
        return (null);
    }
    // Policy gates, in order: trusted scheme, internal host, not on the block list, feature enabled.
    if (!DocumentLibraryUtilities.IsTrustedProtocol(uri.Scheme))
    {
        return (null);
    }
    if (!DocumentLibraryUtilities.IsInternalUri(uri.Host, base.UserContext))
    {
        return (null);
    }
    if (DocumentLibraryUtilities.IsBlockedHostName(uri.Host, base.UserContext))
    {
        return (null);
    }
    if (!DocumentLibraryUtilities.IsDocumentsAccessEnabled(base.UserContext))
    {
        return (null);
    }
    // Per-protocol policy: http/https requires WSS navigation, file: requires UNC navigation.
    bool flag = DocumentLibraryUtilities.IsNavigationToWSSAllowed(base.UserContext);
    bool flag2 = DocumentLibraryUtilities.IsNavigationToUNCAllowed(base.UserContext);
    bool flag3 = Redir.IsHttpOrHttps(uri.Scheme);
    bool flag4 = string.Equals(uri.Scheme, Uri.UriSchemeFile, StringComparison.OrdinalIgnoreCase);
    if ((flag3 && !flag) || (flag4 && !flag2))
    {
        return (null);
    }
    // Classify the target; any classification error or unusable id means "not ours".
    ClassifyResult documentLibraryObjectId = DocumentLibraryUtilities.GetDocumentLibraryObjectId(uri, base.UserContext);
    if (documentLibraryObjectId == null || documentLibraryObjectId.Error != ClassificationError.None)
    {
        return (null);
    }
    DocumentLibraryObjectId objectId = documentLibraryObjectId.ObjectId;
    if (objectId == null)
    {
        return (null);
    }
    if (objectId.UriFlags == UriFlags.Other)
    {
        return (null);
    }
    UriFlags uriFlags = objectId.UriFlags;
    bool flag5 = (uriFlags & UriFlags.SharepointDocument) == UriFlags.SharepointDocument;
    bool flag6 = (uriFlags & UriFlags.UncDocument) == UriFlags.UncDocument;
    // Containers (library, folder, bare SharePoint site or UNC share) open in the folder view.
    if ((uriFlags & UriFlags.DocumentLibrary) == UriFlags.DocumentLibrary || (uriFlags & UriFlags.Folder) == UriFlags.Folder || uriFlags == UriFlags.Sharepoint || uriFlags == UriFlags.Unc)
    {
        return (string.Concat(new string[]
        {
            OwaUrl.ApplicationRoot.GetExplicitUrl(base.OwaContext),
            "?ae=Folder&t=IPF.DocumentLibrary&id=",
            Utilities.UrlEncode(objectId.ToBase64String()),
            "&URL=",
            Utilities.UrlEncode(uriParam)
        }));
    }
    if (flag5)
    {
        // SharePoint document: WebReady (in-browser) rendering when supported, else raw GetDoc.
        // Note the GetDoc link carries the canary request parameter; the WebReadyView link does not.
        if (!base.UserContext.IsBasicExperience && DocumentLibraryUtilities.IsWebReadyDocument(objectId, base.UserContext))
        {
            this.openWebReadyForm = true;
            return ("WebReadyView.aspx?t=wss&id=" + Utilities.UrlEncode(objectId.ToBase64String()) + "&URL=" + Utilities.UrlEncode(uriParam));
        }
        return (string.Concat(new string[]
        {
            "ev.owa?ns=SharepointDocument&ev=GetDoc&id=",
            Utilities.UrlEncode(objectId.ToBase64String()),
            "&URL=",
            Utilities.UrlEncode(uriParam),
            Utilities.GetCanaryRequestParameter()
        }));
    }
    else
    {
        // Neither a SharePoint nor a UNC document: not handled here.
        if (!flag6)
        {
            return (null);
        }
        // UNC document: same WebReady / GetDoc split as the SharePoint case.
        if (!base.UserContext.IsBasicExperience && DocumentLibraryUtilities.IsWebReadyDocument(objectId, base.UserContext))
        {
            this.openWebReadyForm = true;
            return ("WebReadyView.aspx?t=unc&id=" + Utilities.UrlEncode(objectId.ToBase64String()) + "&URL=" + Utilities.UrlEncode(uriParam));
        }
        return (string.Concat(new string[]
        {
            "ev.owa?ns=UncDocument&ev=GetDoc&id=",
            Utilities.UrlEncode(objectId.ToBase64String()),
            "&URL=",
            Utilities.UrlEncode(uriParam),
            Utilities.GetCanaryRequestParameter()
        }));
    }
}
/// <summary>
/// redir.aspx page load. Determines the target URL (a canary-signed URL if present, else the
/// "URL" query parameter), validates it with Redir.IsSafeUrl, and sets this.safeUrl to one of:
/// a compose-new-message link for mailto: targets, an OWA-local document-library link, the
/// optional "TranslatedURL" (only if it is itself safe), or the validated URL. Unsafe input ends
/// the response with 403. Unsigned requests throw OwaInvalidCanary14Exception at the end.
/// </summary>
/// <param name="e">Unused event args.</param>
protected override void OnLoad(EventArgs e)
{
    // Requests arriving from the forms-based-auth logon page are refused outright
    // (presumably to stop the logon page being used as a redirect hop).
    if (Redir.IsUrlRefererFBALogonPage(base.Request.UrlReferrer))
    {
        Utilities.EndResponse(this.Context, HttpStatusCode.Forbidden);
    }
    string queryStringParameter;
    // A signed URL is tied to the user's canary (context id + logon key); without one, fall back
    // to the plain "URL" parameter and rely on the canary exception at the end of this method.
    bool signedUrl = Redir.GetSignedUrl(base.Request, base.UserContext.Key.Canary.UserContextIdGuid, base.UserContext.Key.Canary.LogonUniqueKey, out queryStringParameter);
    if (!signedUrl)
    {
        queryStringParameter = Utilities.GetQueryStringParameter(base.Request, "URL");
    }
    // Optional parameters (the trailing `false` presumably marks them non-required).
    string queryStringParameter2 = Utilities.GetQueryStringParameter(base.Request, "TranslatedURL", false);
    bool flag = !string.IsNullOrEmpty(queryStringParameter2);
    // NoDocLnkCls absent => document-library classification is attempted.
    bool flag2 = string.IsNullOrEmpty(Utilities.GetQueryStringParameter(base.Request, "NoDocLnkCls", false));
    if (Redir.IsSafeUrl(queryStringParameter, base.Request))
    {
        ErrorInformation errorInformation = null;
        Uri uri;
        // Defensive re-parse; IsSafeUrl already parsed it. Assumes EndResponse terminates the
        // request — otherwise uri would be null on the next line.
        if (null == (uri = Utilities.TryParseUri(queryStringParameter)))
        {
            Utilities.EndResponse(this.Context, HttpStatusCode.Forbidden);
        }
        string scheme = uri.Scheme;
        if (CultureInfo.InvariantCulture.CompareInfo.Compare(scheme, "mailto", CompareOptions.IgnoreCase) == 0)
        {
            // mailto: becomes a compose link; the whole "mailto:..." string is URL-encoded into
            // the `email` parameter. Message class switches to SMS when the address deencapsulates
            // to a mobile routing type and SMS is enabled for the user.
            StringBuilder stringBuilder = new StringBuilder(512);
            stringBuilder.Append(OwaUrl.ApplicationRoot.GetExplicitUrl(base.OwaContext));
            stringBuilder.Append("?ae=Item&a=New&t=");
            string value = "IPM.Note";
            if (base.UserContext.IsSmsEnabled)
            {
                int length = "mailto:".Length;
                if (queryStringParameter.Length > length)
                {
                    string inputString = queryStringParameter.Substring(length);
                    Participant participant;
                    ProxyAddress proxyAddress;
                    if (Participant.TryParse(inputString, out participant) && ImceaAddress.IsImceaAddress(participant.EmailAddress) && SmtpProxyAddress.TryDeencapsulate(participant.EmailAddress, out proxyAddress) && Utilities.IsMobileRoutingType(proxyAddress.PrefixString))
                    {
                        value = "IPM.Note.Mobile.SMS";
                    }
                }
            }
            stringBuilder.Append(value);
            stringBuilder.Append('&');
            stringBuilder.Append("email");
            stringBuilder.Append('=');
            stringBuilder.Append(Utilities.UrlEncode(queryStringParameter));
            this.safeUrl = stringBuilder.ToString();
            this.isNewMailLinkCreated = true;
            // NOTE(review): this return skips the `!signedUrl` check at the bottom, so an unsigned
            // mailto: URL is accepted without a canary. Confirm that is intended.
            return;
        }
        if (flag2)
        {
            // Internal SharePoint/UNC targets get an OWA-local link (null when not applicable).
            this.safeUrl = this.TryNavigateToInternalWssUnc(queryStringParameter, out errorInformation);
        }
        if (this.safeUrl == null)
        {
            // A safe TranslatedURL takes precedence over the original URL when supplied.
            if (flag && Redir.IsSafeUrl(queryStringParameter2, base.Request))
            {
                this.safeUrl = queryStringParameter2;
            }
            else
            {
                // errorInformation is never set by TryNavigateToInternalWssUnc as written, so this
                // branch is currently unreachable; note it would also bypass the canary check below.
                if (errorInformation != null)
                {
                    Utilities.TransferToErrorPage(base.OwaContext, errorInformation);
                    return;
                }
                this.safeUrl = queryStringParameter;
            }
        }
    }
    else if (flag && Redir.IsSafeUrl(queryStringParameter2, base.Request))
    {
        // Primary URL unsafe but a safe TranslatedURL exists: use that instead.
        this.safeUrl = queryStringParameter2;
    }
    else
    {
        Utilities.EndResponse(this.Context, HttpStatusCode.Forbidden);
    }
    // Canary enforcement happens last: the exception escapes OnLoad, presumably aborting the
    // render even though safeUrl has already been assigned above.
    if (!signedUrl)
    {
        throw new OwaInvalidCanary14Exception(null, "Invalid canary in redir.aspx query.");
    }
}