Hi David,

I don't recall recent changes to that part of the code, but I agree relative urls should be supported, so I consider this a bug.

Rather than the change you proposed, I changed my copy like this:

string redirectUrl = Page.ResolveUrl(SecurityHelper.RemoveMarkup(Page.Server.UrlDecode(returnUrlParam)));
if (redirectUrl.StartsWith("/")) { redirectUrl = SiteRoot + redirectUrl; }

This should also make it possible to support relative urls that are relative to folder based child sites.

So the rule will be that a relative url must start with /

The reason we can't just allow any string is for security purposes.

For example suppose a hacker wanted to lure you to a malware sites to try and infect your machine. They could make a tweet like register at mojoportal.com now to get a free ipad and then some shrunk/obfuscated url that points to http://www.mojoportal.com/Secure/Register.aspx?returnUrl=http://malware.com

The user would land at the mojoPortal register page and might not notice the return url param, and after registering would be redirected to the external site. Or the return url might look less suspicious/more tempting if it were returnUrl=http://ipadoffer.somedomain.com

So we need to make sure the redirect url is either relative or starts with the site root.

Best,

Joe

Hi Jacques,

Really this should not be needed there because Default.aspx.cs is only for CMS pages in the menu and there really should not be extra query string params expected there. We have friendly urls like home.aspx that map to real urls like /Default.aspx?pageid=x, we should not then use home.aspx?someparam=foo

Custom modules should not be passing extra query string params to cms page urls, they can pass extra params to supporting pages of the feature like you see in the forums pages for example but a cms page may have any number of modules on it so any specific module should not pass params in the query string. What if 2 modules do that and use the same param names?

You should link to custom supporting page(s) instead of adding query string params to cms page urls, then in your custom page you can redirect with

if (!Request.IsAuthenticated)
 {
            SiteUtils.RedirectToLoginPage(this);
           return;
 }

and this will have the query string params.

I will accommodate you with this change so you can make it work with a config setting that changes the current behavior, but I do not want to encourage the use of query string params in cms page urls so the default will be false.

private bool RedirectIfNeeded()
        {
            if (
                (!isAdmin)
                && (!isSiteEditor)
                && (!WebUser.IsInRoles(CurrentPage.AuthorizedRoles))
                )
            {
                if (!Request.IsAuthenticated)
                {
                    if (WebConfigSettings.UseRawUrlForCmsPageLoginRedirects)
                    {
                        SiteUtils.RedirectToLoginPage(this);
                    }
                    else
                    {
                        SiteUtils.RedirectToLoginPage(this, SiteUtils.GetCurrentPageUrl());
                    }
                    return true;

                }
                else
                {
                    SiteUtils.RedirectToAccessDeniedPage(this);
                    return true;
                }
            }

            return false;

        }

Best,

Joe

ps this should have been a new thread instead of a reply on this thread, your question is about login redirect not registration redirect that the thread originally was about.