[release/10.0] Reject ASCII control characters in cookie auth return URLs#67155
Open
github-actions[bot] wants to merge 2 commits into
Open
[release/10.0] Reject ASCII control characters in cookie auth return URLs#67155github-actions[bot] wants to merge 2 commits into
github-actions[bot] wants to merge 2 commits into
Conversation
CookieAuthenticationHandler.IsHostRelative now mirrors the control-character guard from SharedUrlHelper.IsLocalUrl and UrlHelperBase.CheckIsLocalUrl, blocking U+0000-U+001F and U+007F in ReturnUrl query values to prevent Location header injection through the LoginPath / LogoutPath redirect flow. Adds 35 new theory rows in CookieTests covering control-character rejection, benign honor cases, and broader non-host-relative rejection (protocol-relative, "/\", "~/", absolute, relative, scheme confusion, whitespace). Fixes #66806
- Link SharedUrlHelper.cs into Cookies project and forward CookieAuthenticationHandler.IsHostRelative - Forward UrlHelperBase.CheckIsLocalUrl to SharedUrlHelper.IsLocalUrl - Add SECURITY note on SharedUrlHelper.IsLocalUrl flagging it as an open-redirect guard
Contributor
|
Hi @github-actions[bot]. Please make sure you've updated the PR description to use the Shiproom Template. Also, make sure this PR is not marked as a draft and is ready-to-merge. To learn more about how to prepare a servicing PR click here. |
github-actions
Bot
added
the
area-auth
5 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport of #66876 to release/10.0
/cc @rokonec
Reject ASCII control characters in cookie auth return URLs
Share
SharedUrlHelper.IsLocalUrlso cookie auth rejects control chars inReturnUrl.Description
CookieAuthenticationHandler.IsHostRelativewas missing the ASCII control-character guard thatSharedUrlHelper.IsLocalUrland MVC'sUrlHelperBase.CheckIsLocalUrlalready enforce. AReturnUrlquery value containing\r,\n,\t,\0, or\u007Fflowed verbatim into theLocationresponse header on the cookie authLoginPath/LogoutPathredirect flow, enabling header-splitting / response-injection.This change consolidates the three near-identical copies of the local-URL predicate onto the single
SharedUrlHelper.IsLocalUrlimplementation (net +11 / −104 across four files):src/Shared/ResultsHelpers/SharedUrlHelper.cs—// SECURITY:comment marking it the single source of truth (no IL change).src/Mvc/Mvc.Core/src/Routing/UrlHelperBase.cs—CheckIsLocalUrlcollapsed to a forwarder (behavior-preserving refactor).src/Security/Authentication/Cookies/src/Microsoft.AspNetCore.Authentication.Cookies.csproj— links the sharedSharedUrlHelper.cs.src/Security/Authentication/Cookies/src/CookieAuthenticationHandler.cs—IsHostRelativebecomes non-empty + starts with/+SharedUrlHelper.IsLocalUrl(path); the explicit/check keeps rejecting~/application-relative paths.Fixes #66806
Customer Impact
A cookie-authentication app that redirects to a user-supplied
ReturnUrl(the defaultLoginPath/LogoutPathflow) is vulnerable to HTTP response header injection / response splitting. An attacker can craft aReturnUrlcontaining CR/LF or other ASCII control characters (\r,\n,\t,\0,\u007F) that is written verbatim into theLocationresponse header. The fix rejects these control characters, closing the gap and aligning cookie auth with the guard already enforced by MVC URL helpers andResults.LocalRedirect.Regression?
Long-standing gap in
CookieAuthenticationHandler.IsHostRelative; the control-character guard was never present in the cookie auth path. Not a regression from a specific release.Risk
Small, contained change that routes three copies of the same predicate through the already-shipping, already-tested
SharedUrlHelper.IsLocalUrl. TheMicrosoft.AspNetCore.Mvc.Coreedit is a behavior-preserving refactor (forwarder). The cookie authpath[0] == '/'guard preserves existing rejection of~/application-relative paths. No public API change. Covered by 35 new test rows plus the existing MVC / Results suites.Verification
35 new
[Theory]rows insrc/Security/Authentication/test/CookieTests.cscover control-character rejection, benign return URLs still honored, and the non-host-relative branches. All affected projects build clean; the cookie auth fixture passes (117 passed / 0 failed / 1 pre-existing unrelated skip).Packaging changes reviewed?
No packaging changes: no new package, no dependency or public-API change. The cookie auth
.csprojonly adds a shared-source<Compile>link.