tags:

views:

308

answers:

1
Q: 

Check ReturnUrl is valid before redirecting

I'm using ASP.NET Membership and Form Authentication and before redirecting to the returnURL I wanted to validate it. For those unfamiliar with the workflow, basically if you request a page that requires that you are authenticated, you are redirected to a login page. In the URL string you'll see a parameter called returnURL, e.g. http://example.com/login.aspx?ReturnUrl=%2fprotected%2fdefault.aspx

Whether you use this in a redirect such as Response.Redirect(returnURL) or indirectly through the FormsAuthentication.RedirectFromLoginPage method, it passes without validating returnURL. FormsAuthentication.RedirectFromLoginPage does have a security check that it is isn't leaving the domain, but that still doesn't stop someone from putting enough random characters to cause an error.

I tried using System.IO.File.Exists(Server.MapPath(returnURL)) but given enough illegal characters it cause Server.MapPath to error.

Note: URLEncoding doesn't work because we are not cleaning a parameter, but the primary URL.

Any other suggestions for validating or cleaning the returnURL value?

A: 

This post explains the anatomy of the ReturnURL http://blogs.msdn.com/vijaysk/archive/2008/01/24/anatomy-of-forms-authentication-return-url.aspx

As you rightly state, the domain is checked, so along with encrypting your authentication cookie, and ensuring you use https I think the only thing you can do to to stop an invalid ReturnURL is to just ignore it, and redirect all logins to the home page or top level of you site letting users then navigate back via the menu. A good example of this is when you log into hotmail.

hearn  2010-02-20 13:11:26
Good article about returnURL, but I'm looking for recommendations of validating it.
Josh  2010-02-20 14:48:42
hmm. Maybe just create a RegEx expression for a whitelist of allowed chars and run the returnURL value through that? Here's a post to a similar issue for allowed HTML chars: http://stackoverflow.com/questions/307013/how-do-i-filter-all-html-tags-except-a-certain-whitelist
hearn  2010-02-22 17:50:31
I'm looking to see if anyone good working example of a URL cleaner, RegEx would likely be right approach.
Josh  2010-02-23 21:17:23
Im not a RegEx master, but this looks like it might to the trick: http://stackoverflow.com/questions/161738/what-is-the-best-regular-expression-to-check-if-a-string-is-a-valid-url
hearn  2010-02-24 17:16:05

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps