Add URL scheme validation for HTTP redirects in SocketsHttpHandler (#121263)

Copilot · MihaZupan · web-flow · commit 16940c37bf1d · 2025-11-03T19:24:11.000+01:00
Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: MihaZupan &lt;25307628+MihaZupan@users.noreply.github.com&gt;
diff --git a/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.AutoRedirect.cs b/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.AutoRedirect.cs
@@ -269,5 +269,42 @@ await LoopbackServer.CreateServerAsync(async (origServer, origUrl) =>
                 });
             }
         }
+
+        [Theory]
+        [InlineData("ftp://ftp.example.com/file.txt")]
+        [InlineData("file:///etc/passwd")]
+        [InlineData("gopher://gopher.example.com")]
+        [InlineData("telnet://telnet.example.com")]
+        public async Task GetAsync_AllowAutoRedirectTrue_UnsupportedRedirectScheme_ReturnsOriginalResponse(string redirectLocation)
+        {
+            HttpClientHandler handler = CreateHttpClientHandler();
+            handler.AllowAutoRedirect = true;
+            using (HttpClient client = CreateHttpClient(handler))
+            {
+                await LoopbackServer.CreateServerAsync(async (server, url) =>
+                {
+                    Task<HttpResponseMessage> getTask = client.GetAsync(url);
+                    Task<List<string>> serverTask = server.AcceptConnectionSendResponseAndCloseAsync(HttpStatusCode.Found, $"Location: {redirectLocation}\r\n");
+
+                    if (IsWinHttpHandler)
+                    {
+                        // WinHttpHandler throws HttpRequestException for unsupported redirect schemes
+                        await Assert.ThrowsAsync<HttpRequestException>(async () => await getTask);
+                        await serverTask;
+                    }
+                    else
+                    {
+                        // SocketsHttpHandler refuses to follow the redirect and returns the original response
+                        await TestHelper.WhenAllCompletedOrAnyFailed(getTask, serverTask);
+
+                        using (HttpResponseMessage response = await getTask)
+                        {
+                            Assert.Equal(302, (int)response.StatusCode);
+                            Assert.Equal(url, response.RequestMessage.RequestUri);
+                        }
+                    }
+                });
+            }
+        }
     }
 }
diff --git a/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/RedirectHandler.cs b/src/libraries/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/RedirectHandler.cs
@@ -141,6 +141,17 @@ internal override async ValueTask<HttpResponseMessage> SendAsync(HttpRequestMess
                 return null;
             }
 
+            // Disallow automatic redirection to unsupported schemes
+            if (!HttpUtilities.IsSupportedScheme(location.Scheme))
+            {
+                if (NetEventSource.Log.IsEnabled())
+                {
+                    TraceError($"Redirect from '{requestUri}' to '{location}' blocked due to unsupported scheme '{location.Scheme}'.", response.RequestMessage!.GetHashCode());
+                }
+
+                return null;
+            }
+
             return location;
         }
 
