Restrict returnUrl on Login to local pages

Author: irbishop

BlogEngine/BlogEngine.Core/Services/Security/Security.cs

@@ -185,10 +185,7 @@ public static bool AuthenticateUser(string username, string password, bool remem
 stringreturnUrl=context.Request.QueryString["returnUrl"];
 
 // ignore Return URLs not beginning with a forward slash, such as remote sites.
-if(string.IsNullOrWhiteSpace(returnUrl)||!returnUrl.StartsWith("/"))
-returnUrl=null;
-
-if(!string.IsNullOrWhiteSpace(returnUrl))
+if(Security.IsLocalUrl(returnUrl))
 {
 context.Response.Redirect(returnUrl);
 }
@@ -204,6 +201,19 @@ public static bool AuthenticateUser(string username, string password, bool remem
 returnfalse;
 }
 
+privatestaticboolIsLocalUrl(stringurl)
+{
+if(string.IsNullOrWhiteSpace(url))
+{
+returnfalse;
+}
+else
+{
+return((url[0]=='/'&&(url.Length==1||(url[1]!='/'&&url[1]!='\\')))||// "/" or "/foo" but not "//" or "/\" 
+(url.Length>1&&url[0]=='~'&&url[1]=='/'));// "~/" or "~/foo"
+}
+}
+
 privateconststringAUTH_TKT_USERDATA_DELIMITER="-|-";
 
 privatestaticstringSecurityValidationKey