Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is Response.Redirect(Request.Url.AbsolutePath) Always "Safe"?

Tags:

url

asp.net

I have the need to redirect back to the current page minus any query arguments.

I just found Request.Url.AbsolutePath, which looks like it provides just the ticket to pass to Response.Redirect().

It seems to work on my dev machine okay. Does anyone know of any potential problems redirecting to the value of this property? It's hard to confirm it's "safe" in all cases.

like image 304
Jonathan Wood Avatar asked Nov 04 '22 17:11

Jonathan Wood


1 Answers

It could be a problem if you "re-written" the URL internally. For example, the user request "/team.aspx" but internally you transfer execution or rewrite the url as "/page.aspx?id=137".

Personally, I prefer to use the Request.RawUrl (which is always local) and you can strip the query-string.

Getting rid of the host part of a request is not an issue because HTTP Redirect can be path on Absolute Paths ("/foo/bar") and the browser will preserve the protocol, port and hostname.

like image 85
Marcelo Calbucci Avatar answered Nov 15 '22 01:11

Marcelo Calbucci