JRASERVER-34751

getRedirect in JiraWebActionSupport redirects to unsafe URLs by default


      Description

      In jira-components/jira-api/src/main/java/com/atlassian/jira/web/action/JiraWebActionSupport.java the following code is found:

          /**
           * Redirects to the value of {@code getReturnUrl()}, falling back to {@code defaultUrl} if the {@code returnUrl} is
           * not set. This method clears the {@code returnUrl}. If there are errors, this method returns "ERROR".
           * <p/>
           * If the URL starts with '/' it is interpreted as context-relative.
           * <h3>Off-site redirects</h3>
           * Starting from JIRA 6.0, this method will not redirect to a URL that is considered "unsafe" as per
           * {@link RedirectSanitiser#makeSafeRedirectUrl(String)}. Use {@link #getRedirect(String, boolean)} to allow unsafe
           * redirects for URLs that do not contain possibly malicious user input.
           *
           * @param defaultUrl default URL to redirect to
           * @return URL to redirect to
           * @see #getRedirect(String, boolean)
           */
          public String getRedirect(final String defaultUrl)
          {
              if (getRedirectSanitiser().makeSafeRedirectUrl(defaultUrl) == null)
              {
                  log.warn(String.format("Redirecting to unsafe location '%s' using getRedirect(String)."
                          + " This will not work in JIRA 6.0: use getRedirect(String,boolean) instead.", defaultUrl));
              }
      
              // we need allow unsafe redirects for backward compatibility in 5.1.x. we can flip this to false in 6.0.
              return getRedirect(defaultUrl, true);
          }
      

      However, the method still returns the unsafe:

              return getRedirect(defaultUrl, true);

      and not the safe:

              return getRedirect(defaultUrl, false);

      as the documentation states it will. The "true" should be changed to "false".
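      The following is an added illustration, not Atlassian's code and not the real RedirectSanitiser: a small stand-in class with the same contract (makeSafeRedirectUrl returns the URL when it is safe and null otherwise) and a getRedirect(String) that defaults to the safe branch, which is the one-word change this issue asks for. The class name, the canonical base URL https://jira.example.test and the sample URLs are constructed for the example. Beyond the single boolean flip, it shows what "safe" has to mean in practice: a URL is accepted when it is context-relative (a single leading '/', so scheme-relative "//host" is refused) or when it is an absolute http(s) URL whose host and effective port match the application's own base URL; anything that fails that test falls back to the context root rather than being passed through.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/**
 * Illustrative redirect sanitiser (constructed for this example; not
 * com.atlassian.jira.web.RedirectSanitiser). Same contract as the method
 * referenced in the issue: makeSafeRedirectUrl returns the URL if it is safe
 * to redirect to, or null if it would send the browser off-site.
 */
public final class SafeRedirectExample {

    private final URI baseUrl;

    public SafeRedirectExample(String canonicalBaseUrl) {
        // e.g. "https://jira.example.test" (constructed value)
        this.baseUrl = URI.create(canonicalBaseUrl);
    }

    /** Returns {@code url} when it stays on this site, otherwise null. */
    public String makeSafeRedirectUrl(String url) {
        if (url == null || url.trim().isEmpty()) {
            return null;
        }
        String candidate = url.trim();

        if (candidate.startsWith("/")) {
            // "//other.host/..." is scheme-relative and leaves the site; some browsers
            // also treat a backslash like a slash, so "/\other.host" is refused as well.
            if (candidate.startsWith("//") || candidate.startsWith("/\\")) {
                return null;
            }
            return candidate; // context-relative: safe
        }

        URI target;
        try {
            target = new URI(candidate);
        } catch (URISyntaxException e) {
            return null; // unparsable input is never a safe redirect
        }

        if (!target.isAbsolute()) {
            return candidate; // relative path such as "browse/KEY-1": stays on this site
        }

        // Absolute URL: only http(s) back to our own host and port is acceptable.
        // This also rejects "javascript:" and similar pseudo-schemes, and URLs whose
        // userinfo part merely looks like our host (URI parsing yields the real host).
        String scheme = target.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return null;
        }
        if (target.getHost() == null || !target.getHost().equalsIgnoreCase(baseUrl.getHost())) {
            return null;
        }
        if (effectivePort(target) != effectivePort(baseUrl)) {
            return null;
        }
        return candidate;
    }

    private static int effectivePort(URI uri) {
        if (uri.getPort() != -1) {
            return uri.getPort();
        }
        return "https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80;
    }

    /** Documented behaviour of getRedirect(String): unsafe URLs are refused by default. */
    public String getRedirect(String defaultUrl) {
        return getRedirect(defaultUrl, false); // the flip from true to false this issue requests
    }

    /** Callers that pass a URL free of user input may opt in to unsafe redirects explicitly. */
    public String getRedirect(String url, boolean allowUnsafe) {
        if (allowUnsafe) {
            return url;
        }
        String safe = makeSafeRedirectUrl(url);
        return safe != null ? safe : "/"; // fall back to the context root instead of leaving the site
    }

    public static void main(String[] args) {
        SafeRedirectExample action = new SafeRedirectExample("https://jira.example.test");
        // Constructed sample inputs: context-relative, same-host absolute, scheme-relative,
        // other host, pseudo-scheme, and userinfo spoofing of the host name.
        String[] samples = {
            "/secure/Dashboard.jspa",
            "https://jira.example.test/browse/KEY-1",
            "//other.example/",
            "https://other.example/",
            "javascript:void(0)",
            "https://jira.example.test@other.example/",
        };
        for (String s : samples) {
            System.out.printf("%-45s -> %s%n", s, action.getRedirect(s));
        }
    }
}
```

      Run with `java SafeRedirectExample.java` (JDK 11 or later). The host and port comparison, rather than a prefix match on the base URL string, is the part that matters: string prefix checks are what let lookalike hosts and userinfo tricks through, which is why the sanitiser parses the URL first and compares the components the browser will actually use.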

      People

      Assignee:
      ohernandez@atlassian.com Oswaldo Hernandez (Inactive)
      Reporter:
      djohnson@atlassian.com Dougall Johnson
      Votes:
      0
      Watchers:
      5