From 4e03ed1ea4a474a848c74ea44f308fe22e0afce1 Mon Sep 17 00:00:00 2001
From: Laura Hausmann
Date: Thu, 16 Feb 2023 16:36:26 +0100
Subject: [PATCH] Fix open redirect

---
 AfRApay.Web/Pages/EditUser.cshtml.cs | 2 +-
 AfRApay.Web/Pages/ErrorRedirect.cshtml | 3 ++-
 AfRApay.Web/Pages/Index.cshtml.cs | 4 ++--
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/AfRApay.Web/Pages/EditUser.cshtml.cs b/AfRApay.Web/Pages/EditUser.cshtml.cs
index ca02a1f..5e9e010 100644
--- a/AfRApay.Web/Pages/EditUser.cshtml.cs
+++ b/AfRApay.Web/Pages/EditUser.cshtml.cs
@@ -63,7 +63,7 @@ public class EditUserModel : PageModel {
 if (Request.Form["action"] == "save" && Request.Form.ContainsKey("nickname") && !string.IsNullOrWhiteSpace(Request.Form["nickname"])) {
 var nick = Request.Form["nickname"].ToString();
 if (db.Users.Any(p => p.Nickname == nick && p.Id != userId)) {
- Response.Redirect($"/ErrorRedirect?redir=/EditUser/{userId}&message=" + WebUtility.UrlEncode("User with nick already exists."));
+ Response.Redirect($"/ErrorRedirect?redir=EditUser/{userId}&message=" + WebUtility.UrlEncode("User with nick already exists."));
 return;
 }
diff --git a/AfRApay.Web/Pages/ErrorRedirect.cshtml b/AfRApay.Web/Pages/ErrorRedirect.cshtml
index bcbf63e..7a348d8 100644
--- a/AfRApay.Web/Pages/ErrorRedirect.cshtml
+++ b/AfRApay.Web/Pages/ErrorRedirect.cshtml
@@ -1,10 +1,11 @@
 @page
 @{
 ViewData["Title"] = "Error";
+ var target = "/" + Request.Query["redir"];
 }
 @section Header {
- + }
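Review bot: The new `Response.Redirect($"/ErrorRedirect?redir=EditUser/{userId}&message=" ...)` line only drops the leading slash so that the receiving page's `"/" + Request.Query["redir"]` does not produce `//EditUser/...`, and that prefix is not a sufficient open-redirect defence: an attacker-supplied `redir=/evil.example` or `redir=\evil.example` still becomes `//evil.example` or `/\evil.example`, which browsers treat as an off-site target. The consumer should validate with the framework check before redirecting, e.g. `if (!Url.IsLocalUrl(target)) target = "/";`, rather than callers encoding a "no leading slash" convention into their redirect strings. Within this hunk, `userId` is interpolated into the query string unencoded; its declaration is outside the hunk, so if it is not an integer the whole redir value should go through `WebUtility.UrlEncode` like `message` already does, otherwise a `&` or `#` in it would truncate the message parameter. The enclosing handler method begins before and ends after this hunk.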