Merge pull request #12569 from abpframework/maliming/ReturnUrl

Check the `ReturnUrl` on `Manage` page.
4 years ago · 5e4a977a26
parent 1413061240 21e684733b
commit 5e4a977a26
2 changed files with 11 additions and 2 deletions
--- a/framework/src/Volo.Abp.UI.Navigation/Volo/Abp/Ui/Navigation/Urls/AppUrlProvider.cs
+++ b/framework/src/Volo.Abp.UI.Navigation/Volo/Abp/Ui/Navigation/Urls/AppUrlProvider.cs
@ -45,7 +45,7 @@ public class AppUrlProvider : IAppUrlProvider, ITransientDependency

    public bool IsRedirectAllowedUrl(string url)
    {
-        var allow = Options.RedirectAllowedUrls.Any(url.StartsWith);
+        var allow = Options.RedirectAllowedUrls.Any(x => url.StartsWith(x, StringComparison.CurrentCultureIgnoreCase));
        if (!allow)
        {
            Logger.LogError($"Invalid RedirectUrl: {url}, Use {nameof(AppUrlProvider)} to configure it!");
--- a/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Manage.cshtml.cs
+++ b/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Manage.cshtml.cs
@ -1,5 +1,7 @@
-using System.ComponentModel.DataAnnotations;
+using System;
+using System.ComponentModel.DataAnnotations;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http.Extensions;
 using Volo.Abp.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Options;
@ -32,6 +34,13 @@ public class ManageModel : AccountPageModel
            await contributor.ConfigureAsync(ProfileManagementPageCreationContext);
        }

+        if (!Url.IsLocalUrl(ReturnUrl) &&
+            !ReturnUrl.StartsWith(UriHelper.BuildAbsolute(Request.Scheme, Request.Host, Request.PathBase).RemovePostFix("/")) &&
+            !AppUrlProvider.IsRedirectAllowedUrl(ReturnUrl))
+        {
+            ReturnUrl = null;
+        }
+
        return Page();
    }