Sync IsLocalUrl with Microsoft.AspNetCore.Mvc.Routing.UrlHelperBase

DuendeSoftware · Jun 12, 2024 · 97b298f · 97b298f
1 parent 8be6dee
commit 97b298f
Showing 1 changed file with 18 additions and 2 deletions.
diff --git a/src/IdentityServer/Extensions/StringsExtensions.cs b/src/IdentityServer/Extensions/StringsExtensions.cs
@@ -146,6 +146,8 @@ public static string CleanUrlPath(this string url)
  [DebuggerStepThrough]
  public static bool IsLocalUrl(this string url)
  {
+ // This implementation is a copy of a https:/dotnet/aspnetcore/blob/3f1acb59718cadf111a0a796681e3d3509bb3381/src/Mvc/Mvc.Core/src/Routing/UrlHelperBase.cs#L315
+ // We originally copied that code to avoid a dependency, but we could potentially remove this entirely by switching to the Microsoft.NET.Sdk.Web sdk.
  if (string.IsNullOrEmpty(url))
  {
  return false;
@@ -163,7 +165,7 @@ public static bool IsLocalUrl(this string url)
  // url doesn't start with "//" or "/\"
  if (url[1] != '/' && url[1] != '\\')
  {
- return true;
+ return !HasControlCharacter(url.AsSpan(1));
  }
 
  return false;
@@ -181,13 +183,27 @@ public static bool IsLocalUrl(this string url)
  // url doesn't start with "~//" or "~/\"
  if (url[2] != '/' && url[2] != '\\')
  {
- return true;
+ return !HasControlCharacter(url.AsSpan(2));
  }
 
  return false;
  }
 
  return false;
+
+ static bool HasControlCharacter(ReadOnlySpan<char> readOnlySpan)
+ {
+ // URLs may not contain ASCII control characters.
+ for (var i = 0; i < readOnlySpan.Length; i++)
+ {
+ if (char.IsControl(readOnlySpan[i]))
+ {
+ return true;
+ }
+ }
+
+ return false;
+ }
  }
 
  [DebuggerStepThrough]