Check form and querystring when validating ufprt in ValidateUmbracoFormRouteStringAttribute (#11957)

* Check form and querystring when validating ufprt

Checks to see if the request has form data before validating the `ufprt` parameter, and if it doesn't assumes it must be on the querystring

* Create GetUfprt extension method

* Use GetUfprt extension

* Update UmbracoRouteValueTransformer to use GetUfrpt()

* Added missing using statement

* Check for StringValues.Empty

Author: mattbrailsford

src/Umbraco.Web.Common/Extensions/HttpRequestExtensions.cs

@@ -6,6 +6,7 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.Extensions;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Primitives;
 using Umbraco.Cms.Core.Configuration.Models;
 using Umbraco.Cms.Core.Routing;
 
@@ -136,5 +137,25 @@ public static Uri GetApplicationUri(this HttpRequest request, WebRoutingSettings
 
             return new Uri(routingSettings.UmbracoApplicationUrl);
         }
+
+        /// <summary>
+        /// Gets the Umbraco `ufprt` encrypted string from the current request
+        /// </summary>
+        /// <param name="request">The current request</param>
+        /// <returns>The extracted `ufprt` token.</returns>
+        public static string GetUfprt(this HttpRequest request)
+        {
+            if (request.HasFormContentType && request.Form.TryGetValue("ufprt", out StringValues formVal) && formVal != StringValues.Empty)
+            {
+                return formVal.ToString();
+            }
+
+            if (request.Query.TryGetValue("ufprt", out StringValues queryVal) && queryVal != StringValues.Empty)
+            {
+                return queryVal.ToString();
+            }
+
+            return null;
+        }
     }
 }

src/Umbraco.Web.Common/Filters/ValidateUmbracoFormRouteStringAttribute.cs

@@ -42,7 +42,7 @@ public void OnAuthorization(AuthorizationFilterContext context)
             {
                 if (context == null) throw new ArgumentNullException(nameof(context));
 
-                var ufprt = context.HttpContext.Request.Form["ufprt"];
+                var ufprt = context.HttpContext.Request.GetUfprt();
 
                 if (context.ActionDescriptor is ControllerActionDescriptor controllerActionDescriptor)
                 {

src/Umbraco.Web.Website/Routing/UmbracoRouteValueTransformer.cs

@@ -201,33 +201,33 @@ private PostedDataProxyInfo GetFormInfo(HttpContext httpContext, RouteValueDicti
                 throw new ArgumentNullException(nameof(httpContext));
             }
 
-            // if it is a POST/GET then a value must be in the request
-            if ((!httpContext.Request.HasFormContentType || !httpContext.Request.Form.TryGetValue("ufprt", out StringValues encodedVal))
-                && !httpContext.Request.Query.TryGetValue("ufprt", out encodedVal))
+            // if it is a POST/GET then a `ufprt` value must be in the request
+            var ufprt = httpContext.Request.GetUfprt();
+            if (string.IsNullOrWhiteSpace(ufprt))
             {
                 return null;
             }
 
             if (!EncryptionHelper.DecryptAndValidateEncryptedRouteString(
                 _dataProtectionProvider,
-                encodedVal,
-                out IDictionary<string, string> decodedParts))
+                ufprt,
+                out IDictionary<string, string> decodedUfprt))
             {
                 return null;
             }
 
             // Get all route values that are not the default ones and add them separately so they eventually get to action parameters
-            foreach (KeyValuePair<string, string> item in decodedParts.Where(x => ReservedAdditionalKeys.AllKeys.Contains(x.Key) == false))
+            foreach (KeyValuePair<string, string> item in decodedUfprt.Where(x => ReservedAdditionalKeys.AllKeys.Contains(x.Key) == false))
             {
                 values[item.Key] = item.Value;
             }
 
             // return the proxy info without the surface id... could be a local controller.
             return new PostedDataProxyInfo
             {
-                ControllerName = WebUtility.UrlDecode(decodedParts.First(x => x.Key == ReservedAdditionalKeys.Controller).Value),
-                ActionName = WebUtility.UrlDecode(decodedParts.First(x => x.Key == ReservedAdditionalKeys.Action).Value),
-                Area = WebUtility.UrlDecode(decodedParts.First(x => x.Key == ReservedAdditionalKeys.Area).Value),
+                ControllerName = WebUtility.UrlDecode(decodedUfprt.First(x => x.Key == ReservedAdditionalKeys.Controller).Value),
+                ActionName = WebUtility.UrlDecode(decodedUfprt.First(x => x.Key == ReservedAdditionalKeys.Action).Value),
+                Area = WebUtility.UrlDecode(decodedUfprt.First(x => x.Key == ReservedAdditionalKeys.Area).Value),
             };
         }