I use ASP.NET membership and forms authentication, and before redirecting to the returnURL I wanted to validate it. For those unfamiliar with the workflow: basically, if you request a page that requires authentication, you are redirected to the login page. In the URL bar you will see the ReturnUrl parameter, for example:
http://example.com/login.aspx?ReturnUrl=%2fprotected%2fdefault.aspx
Whether you use this in a redirect such as Response.Redirect(returnURL) or indirectly through the FormsAuthentication.RedirectFromLoginPage method, it is passed through without any validation of the returnURL. FormsAuthentication.RedirectFromLoginPage has a security check so that it does not leave the domain, but this still does not stop someone from putting in enough random characters to cause an error.
I tried using System.IO.File.Exists(Server.MapPath(returnURL)), but if there are enough illegal characters, Server.MapPath throws an error.
Note: URL-encoding does not work, because we are not sanitizing a parameter but the main URL itself.
Any other recommendations for validating or sanitizing the returnURL value?
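One way to do this check without touching the file system, as an added example that is not part of the original question: treat ReturnUrl as untrusted text and accept it only if it is a plain application-local path. The rule below is the one ASP.NET MVC's Url.IsLocalUrl applies (accept "/path" or "~/path", reject "//host", "/\host" and absolute URLs); Web Forms has no built-in equivalent, so the helper is written out. The class, method and control names (ReturnUrlValidator, SafeReturnUrl, the Login page with UserName and Password text boxes) are assumptions for the illustration; the query-string key "ReturnUrl" is the one forms authentication itself uses.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI.WebControls;

// Added example, not from the original post. Validates ReturnUrl syntactically
// instead of probing the disk with Server.MapPath, so malformed input can only
// be rejected, never throw. Mirrors the rule used by MVC's Url.IsLocalUrl.
public static class ReturnUrlValidator
{
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;

        // CR/LF and other control characters have no business in a redirect
        // target; they only ever serve header-injection attempts.
        foreach (char c in url)
            if (char.IsControl(c)) return false;

        // "/" or "/foo", but not "//evil.example" (protocol-relative) or
        // "/\evil.example" (browsers treat the backslash as a second slash).
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');

        // "~/" or "~/foo", with the same guard against "~//evil.example".
        if (url[0] == '~' && url.Length > 1 && url[1] == '/')
            return url.Length == 2 || (url[2] != '/' && url[2] != '\\');

        // Anything else: absolute URLs ("http:", "javascript:"), bare
        // relative paths, percent-encoded junk. Treat as untrusted.
        return false;
    }

    // Returns ReturnUrl if it passed validation, otherwise the forms-auth
    // default URL configured in web.config. Request.QueryString has already
    // URL-decoded the value once, so "%2f%2fevil" arrives as "//evil" and is
    // rejected by the rule above.
    public static string SafeReturnUrl(HttpRequest request)
    {
        string returnUrl = request.QueryString["ReturnUrl"];
        return IsLocalUrl(returnUrl) ? returnUrl : FormsAuthentication.DefaultUrl;
    }
}

// Hypothetical login page code-behind. Sets the auth cookie explicitly and
// redirects to the validated target instead of calling
// FormsAuthentication.RedirectFromLoginPage, which would use ReturnUrl as-is.
public partial class Login : System.Web.UI.Page
{
    // Normally declared in the designer file; declared here so the example
    // is self-contained.
    protected TextBox UserName;
    protected TextBox Password;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!Membership.ValidateUser(UserName.Text, Password.Text))
            return;

        FormsAuthentication.SetAuthCookie(UserName.Text, false);

        // endResponse:false plus CompleteRequest avoids the ThreadAbortException
        // that Response.Redirect(url) raises when it ends the response itself.
        Response.Redirect(ReturnUrlValidator.SafeReturnUrl(Request), false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

With this in place "/protected/default.aspx" and "~/protected/default.aspx" are passed through, while "//evil.example", "/\evil.example", "http://evil.example/", an empty value, and a value containing a line break all fall back to FormsAuthentication.DefaultUrl. Whether the target page actually exists is deliberately not checked: a local 404 is harmless, whereas a Server.MapPath call on attacker-controlled text is the very thing that was throwing.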