- Bug
- Resolution: Fixed
- Medium
- 6.0.8
- None
- 6
- 4.3
-
In jira-components/jira-api/src/main/java/com/atlassian/jira/web/action/JiraWebActionSupport.java the following code is found:
/**
 * Redirects to the value of {@code getReturnUrl()}, falling back to {@code defaultUrl} if the {@code returnUrl} is
 * not set. This method clears the {@code returnUrl}. If there are errors, this method returns "ERROR".
 * <p/>
 * If the URL starts with '/' it is interpreted as context-relative.
 * <h3>Off-site redirects</h3>
 * Starting from JIRA 6.0, this method will not redirect to a URL that is considered "unsafe" as per
 * {@link RedirectSanitiser#makeSafeRedirectUrl(String)}. Use {@link #getRedirect(String, boolean)} to allow unsafe
 * redirects for URLs that do not contain possibly malicious user input.
 *
 * @param defaultUrl default URL to redirect to
 * @return URL to redirect to
 * @see #getRedirect(String, boolean)
 */
public String getRedirect(final String defaultUrl)
{
    if (getRedirectSanitiser().makeSafeRedirectUrl(defaultUrl) == null)
    {
        log.warn(String.format("Redirecting to unsafe location '%s' using getRedirect(String)."
                + " This will not work in JIRA 6.0: use getRedirect(String,boolean) instead.", defaultUrl));
    }

    // we need allow unsafe redirects for backward compatibility in 5.1.x. we can flip this to false in 6.0.
    return getRedirect(defaultUrl, true);
}
However, the method still returns the unsafe:
return getRedirect(defaultUrl, true);
and not the safe:
return getRedirect(defaultUrl, false);
as the documentation states it will. The "true" should be changed to "false".
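To make the difference between the two delegating calls concrete, the following is an added Java illustration, not Atlassian's code: a simplified same-origin check stands in for RedirectSanitiser#makeSafeRedirectUrl, and the one-argument getRedirect is shown as reported (allowUnsafe = true) and as proposed (allowUnsafe = false). BASE_URL, the sample URLs and the convention that null means "redirect refused" are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Stand-in for the redirect check discussed in the issue; not Atlassian's implementation. */
public class RedirectDemo {
    /** Constructed sample base URL of the instance (assumption). */
    static final String BASE_URL = "https://jira.example.com";

    /** Returns url if it is on-site (context-relative, or same scheme/host/port as BASE_URL), else null. */
    static String makeSafeRedirectUrl(String url) {
        if (url == null || url.isEmpty()) return null;
        if (url.startsWith("/")) {
            // a leading "//" is protocol-relative and would leave the site
            return url.startsWith("//") ? null : url;
        }
        try {
            URI target = new URI(url), base = new URI(BASE_URL);
            if (target.getScheme() == null || target.getHost() == null) return null; // e.g. "javascript:..."
            boolean sameOrigin = target.getScheme().equalsIgnoreCase(base.getScheme())
                    && target.getHost().equalsIgnoreCase(base.getHost())
                    && target.getPort() == base.getPort();
            return sameOrigin ? url : null;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Two-argument form: an unsafe URL is only passed through when allowUnsafe is true (null = refused). */
    static String getRedirect(String url, boolean allowUnsafe) {
        return (allowUnsafe || makeSafeRedirectUrl(url) != null) ? url : null;
    }

    /** One-argument form as found in the report: still delegates with allowUnsafe = true. */
    static String getRedirectAsReported(String url) { return getRedirect(url, true); }

    /** One-argument form after the proposed fix: delegates with allowUnsafe = false. */
    static String getRedirectFixed(String url) { return getRedirect(url, false); }

    public static void main(String[] args) {
        // constructed sample inputs: two on-site, three off-site
        String[] samples = { "/browse/ABC-1", BASE_URL + "/secure/Dashboard.jspa",
                             "//other-site.example/", "https://other-site.example/", "javascript:alert(1)" };
        for (String s : samples) {
            System.out.printf("%-42s reported=%-42s fixed=%s%n",
                    s, getRedirectAsReported(s), getRedirectFixed(s));
        }
    }
}
```

With allowUnsafe = true every sample is returned unchanged; with allowUnsafe = false the three off-site inputs come back as null while the two on-site ones are still accepted.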
- causes: JRASERVER-36281 "Lost page" redirectedFromClassic error when JQL colon or 'was' expression used (Closed)