getRedirect in JiraWebActionSupport redirects to unsafe URLs by default

2013-09-11T08:30:07
ID ATLASSIAN:JRASERVER-34751
Type atlassian
Reporter djohnson@atlassian.com
Modified 2018-10-16T00:47:53

Description

In jira-components/jira-api/src/main/java/com/atlassian/jira/web/action/JiraWebActionSupport.java the following code is found:

{code:java} / * Redirects to the value of {@code getReturnUrl()}, falling back to {@code defaultUrl} if the {@code returnUrl} is * not set. This method clears the {@code returnUrl}. If there are errors, this method returns "ERROR". * <p/> * If the URL starts with '/' it is interpreted as context-relative. * <h3>Off-site redirects</h3> * Starting from JIRA 6.0, this method will not redirect to a URL that is considered "unsafe" as per * {@link RedirectSanitiser#makeSafeRedirectUrl(String)}. Use {@link #getRedirect(String, boolean)} to allow unsafe * redirects for URLs that do not contain possibly malicious user input. * @param defaultUrl default URL to redirect to * @return URL to redirect to * @see #getRedirect(String, boolean) / public String getRedirect(final String defaultUrl) { if (getRedirectSanitiser().makeSafeRedirectUrl(defaultUrl) == null) { log.warn(String.format("Redirecting to unsafe location '%s' using getRedirect(String)." + " This will not work in JIRA 6.0: use getRedirect(String,boolean) instead.", defaultUrl)); }

    // we need allow unsafe redirects for backward compatibility in 5.1.x. we can flip this to false in 6.0.
    return getRedirect(defaultUrl, true);
}

{code}

However, as the method still returns the unsafe:

{code:java} return getRedirect(defaultUrl, true); {code}

and not the safe:

{code:java} return getRedirect(defaultUrl, false); {code}

as the documentation states it will. The "true" should be changed to "false".