Reject control characters in IsLocalUrl check (#25378)

Fixes https://github.com/dotnet/aspnetcore/issues/18109
2020-09-02 23:37:46 -07:00 · 2020-09-02 23:37:46 -07:00 · 12c016567c
parent 8991f17c2e
commit 12c016567c
2 changed files with 56 additions and 4 deletions
--- a/src/Mvc/Mvc.Core/src/Routing/UrlHelperBase.cs
+++ b/src/Mvc/Mvc.Core/src/Routing/UrlHelperBase.cs
@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.

 using System;
@ -60,7 +60,7 @@ namespace Microsoft.AspNetCore.Mvc.Routing
                // url doesn't start with "//" or "/\"
                if (url[1] != '/' && url[1] != '\\')
                {
-                    return true;
+                    return !HasControlCharacter(url.AsSpan(1));
                }

                return false;
@ -78,15 +78,30 @@ namespace Microsoft.AspNetCore.Mvc.Routing
                // url doesn't start with "~//" or "~/\"
                if (url[2] != '/' && url[2] != '\\')
                {
-                    return true;
+                    return !HasControlCharacter(url.AsSpan(2));
                }

                return false;
            }

            return false;
+
+            static bool HasControlCharacter(ReadOnlySpan<char> readOnlySpan)
+            {
+                // URLs may not contain ASCII control characters.
+                for (var i = 0; i < readOnlySpan.Length; i++)
+                {
+                    if (char.IsControl(readOnlySpan[i]))
+                    {
+                        return true;
+                    }
+                }
+
+                return false;
+            }
        }

+
        /// <inheritdoc />
        public virtual string Content(string contentPath)
        {
--- a/src/Mvc/Mvc.Core/test/Routing/UrlHelperTestBase.cs
+++ b/src/Mvc/Mvc.Core/test/Routing/UrlHelperTestBase.cs
@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.

 using System;
@ -288,6 +288,43 @@ namespace Microsoft.AspNetCore.Mvc.Routing
            Assert.False(result);
        }

+        [Theory]
+        [InlineData("\n")]
+        [InlineData("\\n")]
+        [InlineData("/\n")]
+        [InlineData("~\n")]
+        [InlineData("~/\n")]
+        public void IsLocalUrl_RejectsUrlWithNewLineAtStart(string url)
+        {
+            // Arrange
+            var helper = CreateUrlHelper(appRoot: string.Empty, host: "www.mysite.com", protocol: null);
+
+            // Act
+            var result = helper.IsLocalUrl(url);
+
+            // Assert
+            Assert.False(result);
+        }
+
+        [Theory]
+        [InlineData("/\r\nsomepath")]
+        [InlineData("~/\r\nsomepath")]
+        [InlineData("/some\npath")]
+        [InlineData("~/some\npath")]
+        [InlineData("\\path\b")]
+        [InlineData("~\\path\b")]
+        public void IsLocalUrl_RejectsUrlWithControlCharacters(string url)
+        {
+            // Arrange
+            var helper = CreateUrlHelper(appRoot: string.Empty, host: "www.mysite.com", protocol: null);
+
+            // Act
+            var result = helper.IsLocalUrl(url);
+
+            // Assert
+            Assert.False(result);
+        }
+
        [Fact]
        public void RouteUrlWithDictionary()
        {