Skip to content

Validate uriAbsolute/baseUriAbsolute #11842

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
SteveSandersonMS opened this issue Jul 3, 2019 · 1 comment
Closed

Validate uriAbsolute/baseUriAbsolute #11842

SteveSandersonMS opened this issue Jul 3, 2019 · 1 comment
Labels
area-blazor Includes: Blazor, Razor Components bug This issue describes a behavior which is not expected - a bug.
Milestone
3.1.0

Comments

@SteveSandersonMS
Copy link
Member

SteveSandersonMS commented Jul 3, 2019
edited
Loading

From #11791

Currently, ComponentHub.StartCircuit and RemoteUriHelper.NotifyLocationChanged both just trust the client to supply valid, non-null values for uriAbsolute/baseUriAbsolute.

Although I don't know specifically how this could be exploited by a bad client, we should at least validate in those two places that the values are non-null and parseable URLs, since there's no reason not to.

For ComponentHub.StartCircuit, we could validate that baseUriAbsolute is within the PathBase, and that uriAbsolute is within baseUriAbsolute. However I'm not sure that's worth doing because we don't strictly require that as part of the programming model, and we definitely can't enforce it in NotifyLocationChanged since this is how you navigate to external URLs. So, I'm only proposing we check they are parseable URLs.
@SteveSandersonMS SteveSandersonMS added the area-blazor Includes: Blazor, Razor Components label Jul 3, 2019
@SteveSandersonMS SteveSandersonMS mentioned this issue Jul 3, 2019
Closed
47 tasks
@mkArtakMSFT mkArtakMSFT added the bug This issue describes a behavior which is not expected - a bug. label Jul 3, 2019
@mkArtakMSFT mkArtakMSFT added this to the 3.0.0-preview9 milestone Jul 3, 2019
@mkArtakMSFT mkArtakMSFT modified the milestones: 3.0.0-preview9, 3.1.0 Jul 17, 2019
@mkArtakMSFT
Copy link
Member

This is already done.

@ghost ghost locked as resolved and limited conversation to collaborators Dec 3, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
area-blazor Includes: Blazor, Razor Components bug This issue describes a behavior which is not expected - a bug.
Projects
None yet
Milestone
3.1.0
Development

No branches or pull requests
2 participants
@SteveSandersonMS @mkArtakMSFT