Merge pull request #1486 from dnnsoftware/bug/DNN-5873

DNN-5873: check the http protocol without query string.
dnnsoftware · Jun 17, 2016 · 7266610 · 7266610
2 parents a33a716 + 9b331ee
commit 7266610
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/DNN Platform/Library/Common/Utilities/UrlUtils.cs b/DNN Platform/Library/Common/Utilities/UrlUtils.cs
@@ -324,7 +324,12 @@ public static string ValidReturnUrl(string url)
             }
 
             //redirect url should never contain a protocol ( if it does, it is likely a cross-site request forgery attempt )
-            if (url.Contains("://"))
+            var urlWithNoQuery = url;
+            if (urlWithNoQuery.Contains("?"))
+            {
+                urlWithNoQuery = urlWithNoQuery.Substring(0, urlWithNoQuery.IndexOf("?", StringComparison.InvariantCultureIgnoreCase));
+            }
+            if (urlWithNoQuery.Contains("://"))
             {
                 var portalSettings = PortalSettings.Current;
                 if (portalSettings == null ||