From a185dcfb97d82aed082fea430d72098c13b934fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20V=C3=ADcha?=
Date: Thu, 1 Aug 2024 11:42:27 +0200
Subject: [PATCH] Fixed IsLocalUrl
---
 .../src/Extensions/StringsExtensions.cs | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/IdentityServer4/src/Extensions/StringsExtensions.cs b/src/IdentityServer4/src/Extensions/StringsExtensions.cs
index 36c8ffee60..0120c40823 100644
--- a/src/IdentityServer4/src/Extensions/StringsExtensions.cs
+++ b/src/IdentityServer4/src/Extensions/StringsExtensions.cs
@@ -163,7 +163,7 @@ public static bool IsLocalUrl(this string url)
 // url doesn't start with "//" or "/\"
 if (url[1] != '/' && url[1] != '\\')
 {
- return true;
+ return !HasControlCharacter(url.AsSpan(1));
 }
 return false;
@@ -181,13 +181,27 @@ public static bool IsLocalUrl(this string url)
 // url doesn't start with "~//" or "~/\"
 if (url[2] != '/' && url[2] != '\\')
 {
- return true;
+ return !HasControlCharacter(url.AsSpan(2));;
 }
 return false;
 }
 return false;
+
+ static bool HasControlCharacter(ReadOnlySpan readOnlySpan)
+ {
+ // URLs may not contain ASCII control characters.
+ for (var i = 0; i < readOnlySpan.Length; i++)
+ {
+ if (char.IsControl(readOnlySpan[i]))
+ {
+ return true;
+ }
+ }
+
+ return false;
+ }
 }
 [DebuggerStepThrough]
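Review bot: No regression test accompanies the new `return !HasControlCharacter(url.AsSpan(1));` check; the diffstat lists StringsExtensions.cs as the only changed file. IsLocalUrl presumably decides whether a return URL is safe to redirect to (its callers are not shown here), and browsers drop tab and newline characters while parsing a URL, so the `url[1]` prefix test on its own can accept a value that is later read as scheme-relative. Unit tests for IsLocalUrl should expect `false` for a control character directly after the leading `/` and `~/` and for one further into the path, and `true` for an ordinary `/path?query`, so that both branches stay covered if the method is refactored. The body of IsLocalUrl starts above this hunk.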
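Review bot: The new line `return !HasControlCharacter(url.AsSpan(2));;` ends in a doubled semicolon, which leaves an empty statement after the return; it should read `return !HasControlCharacter(url.AsSpan(2));`. The comment inside the local function says "ASCII control characters", but `char.IsControl` also reports the C1 range U+0080–U+009F, so the check is wider than the comment states. I would reword it to `// Reject every control character (C0, DEL, C1): browsers strip some of them, which can turn a local-looking path into an external URL.` so the next maintainer sees why the scan exists and does not narrow it. IsLocalUrl begins outside this hunk, so the length guards in front of `url[2]` are not visible here.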