
Why does Url.IsLocalUrl return false if the URL contains a fragment?

I'm using Url.IsLocalUrl to check if the return URL passed to my authentication action is local or not. It works fine as long as there is no fragment in the URL. That is, /t/test-team-3/tasks/lists/15 returns true, but /t/test-team-3/tasks#/lists/15 returns false.

What's the reasoning behind this? Is there some obscure security issue that could manifest itself in the fragment, or can I safely ignore the fragment when I'm checking if the URL is local?

Ragesh asked Dec 26 '11 07:12


1 Answer

This method internally calls the Uri.IsWellFormedUriString method. When you call this method on a relative URL containing a fragment, it returns false. There is a bug on MS Connect which is closed with the "by design" reason.

When you use this method on an absolute URL (with a scheme like http/https) the method behaves as expected. I think the reason is that the Uri class is intended to work not only with HTTP URLs. When you don't specify the protocol (relative URL), a generic URL parser is used which doesn't allow fragments.

So I guess you have two possibilities:

  • Strip the fragment before calling the method
  • Call the method on an absolute URL (http://foo.com/t/test-team-3/tasks#/lists/15) because anyway if you are calling this method on a relative URL we can expect that it is a local URL.
Darin Dimitrov answered Oct 13 '22 19:10
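
The first option from the answer (strip the fragment before the check), as an added example that is not part of the original answer or of ASP.NET MVC. `ReturnUrlExtensions`, `IsLocalUrlIgnoringFragment` and `LocalOrDefault` are hypothetical names; `UrlHelper.IsLocalUrl` is the method discussed above.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical helper class, not part of ASP.NET MVC.
public static class ReturnUrlExtensions
{
    // Runs Url.IsLocalUrl on the part of the URL before the first '#',
    // so "/t/test-team-3/tasks#/lists/15" is checked as "/t/test-team-3/tasks".
    public static bool IsLocalUrlIgnoringFragment(this UrlHelper url, string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl))
            return false;

        int hash = returnUrl.IndexOf('#');
        string withoutFragment = hash >= 0 ? returnUrl.Substring(0, hash) : returnUrl;

        // A value that is only a fragment ("#/lists/15") leaves nothing to
        // validate; reject it instead of passing an empty string along.
        if (withoutFragment.Length == 0)
            return false;

        return url.IsLocalUrl(withoutFragment);
    }

    // Returns the original return URL (fragment included) when the part
    // before '#' is local, otherwise the caller-supplied fallback.
    public static string LocalOrDefault(this UrlHelper url, string returnUrl, string fallback)
    {
        return url.IsLocalUrlIgnoringFragment(returnUrl) ? returnUrl : fallback;
    }
}

public class AccountController : Controller
{
    // Constructed action: decides where to send the user after sign-in.
    public ActionResult AfterLogOn(string returnUrl)
    {
        // Anything that fails the check goes to the site root instead of
        // the caller-supplied URL.
        return Redirect(Url.LocalOrDefault(returnUrl, "/"));
    }
}
```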