Copilot AI commented Nov 1, 2025

Add URL Scheme Validation on Redirects

This PR adds missing URL scheme validation when following HTTP redirects in SocketsHttpHandler.

Problem:

  • SocketsHttpHandler validates URL schemes before sending the initial request
  • However, it does NOT validate schemes when following redirects
  • This could allow redirects to unsupported schemes like "ftp://" or "file://"

Solution:
Add the same IsSupportedScheme validation in RedirectHandler.GetUriForRedirect() after the existing https->http downgrade check. When a redirect to an unsupported scheme is detected:

  • SocketsHttpHandler: Returns the original 3xx response without following the redirect
  • WinHttpHandler: Throws HttpRequestException with inner WinHttpException (error 12156)

Changes:

  • RedirectHandler.cs: Added scheme validation check (11 lines)
  • HttpClientHandlerTest.AutoRedirect.cs: Added test verifying both handler behaviors (35 lines)

Testing:

  • ✅ New test passes: 8 tests (2 handler implementations × 4 schemes)
  • ✅ Existing redirect tests pass: 133 tests
  • ✅ Code review: No issues found
  • ✅ Security scan: No issues found

Checklist:

  • Understand the issue and explore codebase
  • Establish baseline build
  • Add scheme validation in RedirectHandler.GetUriForRedirect()
  • Add test case for redirect to unsupported scheme
  • Update test to handle WinHttpHandler exception behavior
  • Build and test the changes
  • Run code review
  • Run security scan
  • Final verification
Original prompt

This section details the original issue you should resolve.

<issue_title>SocketsHttpHandler is missing unknown request url scheme validation on redirects</issue_title>
<issue_description>We're validating that we're not following a redirect from https to http.

```csharp
// Disallow automatic redirection from secure to non-secure schemes
if (HttpUtilities.IsSupportedSecureScheme(requestUri.Scheme) && !HttpUtilities.IsSupportedSecureScheme(location.Scheme))
```

We should also check that the new request URL scheme is valid at all, as we do before sending the initial request:

```csharp
if (!HttpUtilities.IsSupportedScheme(requestUri.Scheme))
{
    return new NotSupportedException(SR.Format(SR.net_http_unsupported_requesturi_scheme, requestUri.Scheme));
}
```
</issue_description>

Comments on the Issue (you are @copilot in this section)

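The following is an added example, not code from the dotnet/runtime RedirectHandler or from this PR. It models the decision the PR description lays out for SocketsHttpHandler: resolve the Location header against the request URI, refuse an https to http downgrade, and then (the new check) refuse any target scheme the handler cannot send, so the caller keeps the original 3xx response instead of following it. The helper names IsSupportedScheme and IsSupportedSecureScheme are taken from the issue text, but their bodies here are this example's own stand-ins for the runtime's internal HttpUtilities; the sample Location values are constructed for the demonstration. WinHttpHandler's differing behaviour (throwing HttpRequestException) is not modelled.

```csharp
#nullable enable
using System;
using System.Net;
using System.Net.Http;

// Added example (not the runtime's RedirectHandler). A refused redirect is
// reported by returning null, which stands in for "hand the original 3xx
// response back to the caller unchanged".
public static class RedirectPolicy
{
    // Stand-ins for the internal HttpUtilities helpers named in the issue;
    // the bodies are this example's own assumption of their meaning.
    private static bool IsSupportedScheme(string scheme) =>
        scheme.Equals("http", StringComparison.OrdinalIgnoreCase) ||
        scheme.Equals("https", StringComparison.OrdinalIgnoreCase);

    private static bool IsSupportedSecureScheme(string scheme) =>
        scheme.Equals("https", StringComparison.OrdinalIgnoreCase);

    // Returns the absolute URI to follow, or null when the redirect must not be followed.
    public static Uri? GetUriForRedirect(Uri requestUri, HttpResponseMessage response)
    {
        Uri? location = response.Headers.Location;
        if (location is null)
            return null;                              // no Location header: nothing to follow

        if (!location.IsAbsoluteUri)
            location = new Uri(requestUri, location); // relative Location resolves against the request

        // Existing check: never drop from a secure scheme to a non-secure one.
        if (IsSupportedSecureScheme(requestUri.Scheme) && !IsSupportedSecureScheme(location.Scheme))
            return null;

        // New check from this PR: the target scheme must be one the handler can send at all.
        if (!IsSupportedScheme(location.Scheme))
            return null;

        return location;
    }
}

public static class Program
{
    // Builds a 302 response carrying the given Location header (constructed sample data).
    private static HttpResponseMessage Redirect(string location)
    {
        var response = new HttpResponseMessage(HttpStatusCode.Found);
        response.Headers.Location = new Uri(location, UriKind.RelativeOrAbsolute);
        return response;
    }

    public static void Main()
    {
        var request = new Uri("https://example.test/start");

        // Constructed cases: (Location header value, expected outcome).
        (string location, string expected)[] cases =
        {
            ("https://example.test/next", "follow"),
            ("/relative/path",            "follow, resolved against the request URI"),
            ("http://example.test/next",  "blocked: https->http downgrade"),
            ("ftp://example.test/file",   "blocked: unsupported scheme"),
            ("file:///etc/passwd",        "blocked: unsupported scheme"),
            ("gopher://example.test/",    "blocked: unsupported scheme"),
            ("telnet://example.test/",    "blocked: unsupported scheme"),
        };

        foreach (var (location, expected) in cases)
        {
            using HttpResponseMessage response = Redirect(location);
            Uri? target = RedirectPolicy.GetUriForRedirect(request, response);

            // The caller either follows `target` or keeps the untouched 3xx response;
            // it never has to catch a NotSupportedException for a bad redirect target.
            string outcome = target is null
                ? $"not followed, caller keeps {(int)response.StatusCode} response"
                : $"follow {target}";
            Console.WriteLine($"{location,-28} -> {outcome}  [{expected}]");
        }
    }
}
```

The order of the two checks matters for the outcome a caller observes: an https request redirected to http:// is refused by the downgrade check before the scheme check is reached, whereas an http request redirected to ftp:// or file:// passes the downgrade check and is only stopped by the new IsSupportedScheme test. An application that wants to know why a 3xx came back unfollowed can compare the request scheme with the Location scheme itself, since the handler returns the response rather than an error.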


Copilot AI changed the title [WIP] Add validation for request URL scheme on redirects Add URL scheme validation for HTTP redirects in SocketsHttpHandler Nov 1, 2025
Copilot AI requested a review from MihaZupan November 1, 2025 07:02
Copilot finished work on behalf of MihaZupan November 1, 2025 07:02
@MihaZupan MihaZupan added this to the 11.0.0 milestone Nov 1, 2025
@MihaZupan MihaZupan marked this pull request as ready for review November 1, 2025 16:18
Copilot AI review requested due to automatic review settings November 1, 2025 16:18
@dotnet-policy-service

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Copilot AI left a comment

Pull Request Overview

This PR adds a security enhancement to block automatic HTTP redirects to unsupported URI schemes (ftp, file, gopher, telnet, etc.). The changes prevent potential security issues where a malicious server could redirect an HTTP/HTTPS request to a different protocol scheme.

  • Adds a check in RedirectHandler.GetUriForRedirect to validate the redirect location scheme
  • Returns the original redirect response (302, 307, etc.) instead of following unsafe redirects
  • Includes comprehensive test coverage for multiple unsupported schemes

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

RedirectHandler.cs: Adds unsupported scheme validation before processing redirects
HttpClientHandlerTest.AutoRedirect.cs: Adds test cases validating that redirects to ftp, file, gopher, and telnet schemes are blocked

@MihaZupan MihaZupan requested a review from a team November 1, 2025 18:35
@wfurt wfurt left a comment

LGTM

@MihaZupan
/ba-g android timing out

@MihaZupan MihaZupan merged commit 16940c3 into main Nov 3, 2025
82 of 87 checks passed
Successfully merging this pull request may close these issues.

SocketsHttpHandler is missing unknown request url scheme validation on redirects