From 4600451dc673574a7705cd5110ed375a83155b1d Mon Sep 17 00:00:00 2001
From: Troy Dai
Date: Thu, 11 Aug 2016 08:48:47 -0700
Subject: [PATCH] Allow absolute uri in authentication properties for cookie auth redirect

---
 .../CookieAuthenticationHandler.cs | 2 +-
 .../Cookies/CookieMiddlewareTests.cs | 32 ++++++++++++++++---
 2 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs b/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs
index e9eff38ac4..ff77815ce4 100644
--- a/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs
+++ b/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs
@@ -320,7 +320,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
 // 1. properties.RedirectUri
 // 2. query parameter ReturnUrlParameter
 var redirectUri = properties.RedirectUri;
- if (string.IsNullOrEmpty(redirectUri) || !IsHostRelative(redirectUri))
+ if (string.IsNullOrEmpty(redirectUri))
 {
 redirectUri = Request.Query[Options.ReturnUrlParameter];
 if (string.IsNullOrEmpty(redirectUri) || !IsHostRelative(redirectUri))
diff --git a/test/Microsoft.AspNetCore.Authentication.Test/Cookies/CookieMiddlewareTests.cs b/test/Microsoft.AspNetCore.Authentication.Test/Cookies/CookieMiddlewareTests.cs
index 9fc36e6d9c..4a4d19a021 100644
--- a/test/Microsoft.AspNetCore.Authentication.Test/Cookies/CookieMiddlewareTests.cs
+++ b/test/Microsoft.AspNetCore.Authentication.Test/Cookies/CookieMiddlewareTests.cs
@@ -1051,8 +1051,10 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
 Assert.Equal("?ReturnUrl=%2F", location.Query);
 }
 
- [Fact]
- public async Task RedirectUriIsHoneredAfterSignin()
+ [Theory]
+ [InlineData("/redirect_test")]
+ [InlineData("http://example.com/redirect_to")]
+ public async Task RedirectUriIsHoneredAfterSignin(string redirectUrl)
 {
 var options = new CookieAuthenticationOptions
 {
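Review bot: Dropping `!IsHostRelative(redirectUri)` from the check on `properties.RedirectUri` moves the sign-in redirect's open-redirect protection entirely onto callers: any application that copies a request-supplied return URL into `AuthenticationProperties.RedirectUri` without validating it will now be redirected off-host, whereas before the handler silently fell back to the (still host-relative-only) query parameter. That trust boundary is not visible at this line, so the comment block above should state it, e.g. `// 1. properties.RedirectUri — set by application code and used as-is (absolute URIs allowed)` and `// 2. query parameter ReturnUrlParameter — request-controlled, restricted to host-relative URLs`. The contract presumably also belongs on whatever public documentation describes `RedirectUri`, which is outside this diff. The enclosing method starts and ends outside the hunk.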
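Review bot: The absolute-URI case `[InlineData("http://example.com/redirect_to")]` uses the same host the test requests against (`http://example.com/testpath`), so it does not pin the behaviour the handler change actually introduces, namely that `properties.RedirectUri` may now point to a different host. Adding a case such as `[InlineData("http://other.example/redirect_to")]` (constructed value) would make that contract explicit and would fail if the host-relative check on `properties.RedirectUri` were ever reinstated. The parameter is consumed in the next hunk (`RedirectUri = redirectUrl`), which needs no further change. The pre-existing method name `RedirectUriIsHoneredAfterSignin` is misspelled; `Honored` is the fix if a rename is acceptable in this commit.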
@@ -1065,13 +1067,13 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
 await context.Authentication.SignInAsync(
 CookieAuthenticationDefaults.AuthenticationScheme,
 new ClaimsPrincipal(new ClaimsIdentity(new GenericIdentity("Alice", CookieAuthenticationDefaults.AuthenticationScheme))),
- new AuthenticationProperties { RedirectUri = "/redirect_test" });
+ new AuthenticationProperties { RedirectUri = redirectUrl });
 });
 var transaction = await SendAsync(server, "http://example.com/testpath");
 
 Assert.NotEmpty(transaction.SetCookie);
 Assert.Equal(HttpStatusCode.Redirect, transaction.Response.StatusCode);
- Assert.Equal("/redirect_test", transaction.Response.Headers.Location.ToString());
+ Assert.Equal(redirectUrl, transaction.Response.Headers.Location.ToString());
 }
 
 [Fact]
@@ -1097,6 +1099,28 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
 Assert.Equal("/ret_path_2", transaction.Response.Headers.Location.ToString());
 }
 
+ [Fact]
+ public async Task AbsoluteRedirectUriIsRejected()
+ {
+ var options = new CookieAuthenticationOptions
+ {
+ LoginPath = "/testpath",
+ ReturnUrlParameter = "return",
+ CookieName = "TestCookie"
+ };
+
+ var server = CreateServer(options, async context =>
+ {
+ await context.Authentication.SignInAsync(
+ CookieAuthenticationDefaults.AuthenticationScheme,
+ new ClaimsPrincipal(new ClaimsIdentity(new GenericIdentity("Alice", CookieAuthenticationDefaults.AuthenticationScheme))));
+ });
+ var transaction = await SendAsync(server, "http://example.com/testpath?return=http%3A%2F%2Fexample.com%2Fredirect_to");
+
+ Assert.NotEmpty(transaction.SetCookie);
+ Assert.Equal(HttpStatusCode.OK, transaction.Response.StatusCode);
+ }
+
 [Fact]
 public async Task EnsurePrecedenceOfRedirectUriAfterSignin()
 {
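Review bot: `AbsoluteRedirectUriIsRejected` asserts only `HttpStatusCode.OK`, which would still pass if the handler emitted a `Location` header on a 200 or produced some other non-redirect outcome; add `Assert.Null(transaction.Response.Headers.Location);` after the status assertion so that rejection of the absolute `return` query value is pinned directly. Since the query-string path now carries the whole host-relative guarantee, a sibling case with a protocol-relative value such as `//example.com/redirect_to` (constructed) would also be worth having, but `IsHostRelative` is defined outside this diff so whether it already rejects that form cannot be confirmed here. The test body is complete within the hunk.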