curiouswebster
asked on
Does this C# block return URL hacking?
if (Url.IsLocalUrl(redirectToAfterLoggingIn) && redirectToAfterLoggingIn.Length > 1 &&
    (redirectToAfterLoggingIn.StartsWith("/") && !redirectToAfterLoggingIn.StartsWith("//")) &&
    !redirectToAfterLoggingIn.StartsWith("/\\"))
    return Redirect(redirectToAfterLoggingIn);
I find it confusing, at best.
How can it be a local URL if it starts with a "/"?
Thanks
ASKER
thanks
You are welcome.
ASKER
/?returnurl=http://reallybadsite.com
I am trying to assess the danger of calling the Redirect function, as written.
Should I create a different version of my whitelist check which could attempt to extract a URL to verify, from that partial domain?
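Added example, not part of the thread: a console sketch that runs the question's string tests over constructed inputs, including the follow-up value, and applies the same test to a nested `returnurl` parameter. `IsLocalPath` and `TryGetNested` are hypothetical helpers; `Url.IsLocalUrl` needs an MVC controller context, so only the explicit checks from the post are reproduced, with a control-character rejection added as an assumption.

```csharp
using System;
using System.Linq;

static class RedirectCheckDemo
{
    // Hypothetical stand-in for the condition in the question (without Url.IsLocalUrl).
    static bool IsLocalPath(string url) =>
        !string.IsNullOrEmpty(url)
        && url.Length > 1
        && url.StartsWith("/", StringComparison.Ordinal)       // site-relative path
        && !url.StartsWith("//", StringComparison.Ordinal)     // protocol-relative URL
        && !url.StartsWith("/\\", StringComparison.Ordinal)    // browsers may treat /\ like //
        && !url.Any(char.IsControl);                           // added assumption

    // Extracts a nested returnurl value from the query string, if present.
    static bool TryGetNested(string url, out string value)
    {
        value = "";
        int q = url.IndexOf('?');
        if (q < 0) return false;
        foreach (var pair in url.Substring(q + 1).Split('&'))
        {
            var kv = pair.Split(new[] { '=' }, 2);
            if (kv.Length == 2 && kv[0].Equals("returnurl", StringComparison.OrdinalIgnoreCase))
            {
                value = Uri.UnescapeDataString(kv[1]);
                return true;
            }
        }
        return false;
    }

    static void Main()
    {
        // Constructed sample inputs; the last one is the value from the follow-up.
        string[] samples =
        {
            "/Account/Manage", "//reallybadsite.com", "/\\reallybadsite.com",
            "http://reallybadsite.com", "/?returnurl=http://reallybadsite.com",
        };
        foreach (var s in samples)
        {
            string inner = TryGetNested(s, out var nested) ? IsLocalPath(nested).ToString() : "n/a";
            Console.WriteLine($"{s,-40} outer={IsLocalPath(s),-5} nested={inner}");
        }
    }
}
```

The check only covers the value passed to `Redirect`; a `returnurl` carried inside a local path needs the same check in whichever action later redirects on it.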