tags:

views:

132

answers:

2
Q: 

Parsing urls in .Net (ASP.Net MVC) to figure out what host they are for

I'm trying to add validation to our redirects to prevent us allowing redirections out of the domain. The urls I need to pass aren't trusted since they could come from the user via the url so I'm wondering what's a good way to parse the url to figure out the host?

I knocked up an initial implementation using Uri.Parse but that doesn't like relative paths. Most of the legitimate redirects will be just that, and should fairly obviously be allowed.

Here's a snippet of what I've done in my action filter,

        bool validRedirection = true;
        RedirectResult redirect = filterContext.Result as RedirectResult;
        if (redirect != null)
        {
            validRedirection = false;
            try
            {
                Uri redirectUri = new Uri(redirect.Url);
                Uri sourceUri = filterContext.RequestContext.HttpContext.Request.Url;
                if (redirectUri.Host == sourceUri.Host)
                    validRedirection = true;

The problem is that if I have /Home/About as the redirect.Url then the Uri throws a UriFormatException. It would also throw one of those exceptions for http:///www.dilbert.com too (because of the three slashses) but I don't want to let that through.

Is there a more suitable class or an easy way to determine if I have a relative url? I'm half inclined to use a regex to check for https?:// on the front but given all the ways that hackers seem to be able to subvert url's I'm worried I'll miss a hole.

+2  A: 

A simple solution would be to check to see if redirect.Url starts with / and not even bother with parsing the URI if it does.

Try something like this:

Boolean isValidRedirect()
{
    RedirectResult redirect = filterContext.Result as RedirectResult;

    if (redirect == null)
        return false;

    if (redirect.Url.StartsWith("/"))
        return true;

    Uri redirectUri = new Uri(redirect.Url);
    Uri sourceUri = filterContext.RequestContext.HttpContext.Request.Url;

    return redirectUri.Host == sourceUri.Host;
}
Andrew Hare  2009-11-21 17:30:57
A: 

I think that if the URL is relative, you can safely assmue that the domains are the same, so check for a leading forward slash, and if it's there, return true before even trying to construct the URI.

Josh Pearce  2009-11-21 17:32:57

related questions

Create query parameters in javascript
ASP.NET MVC: Making routes/URLs IIS6 and IIS7-friendly
Relative urls for Javascript files
How to play a sound in Actionscript 3 that is not in the same directory as the SWF?
Sending values through links (html)
PHP: GET-data automatically being declared as variables
How can I set a timeout against a BufferedReader based upon a URLConnection in Java?
Getting a full list of the URLS in a rails application
Is it the filename or the whole URL used as a key in browser caches?
How do I register a custom URL protocol in Windows?
getting java exception: java.net.MalformedURLException: no protocol
Why do some websites add "Slugs" to the end of URLs?
Friendly URLs for ASP.NET
How to generate urls in django
square brackets in URLs
Does new URL(...).openConnection() necessarily imply a POST?
How do I generate a friendly URL in Symfony PHP?
Getting parts of a URL (Regex)
.NET - Get protocol, host, and port
how to get locale information on a GWT application
How do I convert a file path to a URL in ASP.NET
Can I generate ASP.NET MVC routes from a Sitemap?
URL without ID
ASP.NET URL Rewriting
Modify Address Bar URL in AJAX App to Match Current State