/**
 * Chooses the redirect target from the {@code from} request parameter.
 *
 * <p>The parameter is caller-controlled, so it is only used when
 * {@code Util.isSafeToRedirectTo} accepts it; otherwise the relative URL
 * {@code "."} is returned to avoid an open redirect.
 *
 * @param request the current request; its {@code from} parameter, session and
 *     context path are read
 * @return the default target URL when no {@code from} parameter is present,
 *     {@code "."} when the parameter is rejected, otherwise the parameter with a
 *     leading context path stripped when it has one
 */
@Override
protected String determineTargetUrl(HttpServletRequest request) {
    final String from = request.getParameter("from");

    // NOTE(review): the raw value (possibly null, possibly rejected below) is stored
    // in the session before it is validated. Any code that later reads the "from"
    // session attribute must validate it again before redirecting to it.
    request.getSession().setAttribute("from", from);

    if (from == null) {
        return getDefaultTargetUrl();
    }

    if (!Util.isSafeToRedirectTo(from)) {
        // avoid open redirect
        return ".";
    }

    // Per the original author's note: the URL returned from determineTargetUrl() is
    // resolved against the context path, whereas the "from" URL is resolved against
    // the top of the website, so the context path prefix is dropped here.
    // NOTE(review): this is a plain string-prefix test with no path-segment boundary
    // check, and the stripped remainder is not passed through isSafeToRedirectTo
    // again. Presumably safe because the caller re-prefixes the context path; confirm.
    final String contextPath = request.getContextPath();
    if (from.startsWith(contextPath)) {
        return from.substring(contextPath.length());
    }

    // The original author was unsure when the value lacks the context path prefix,
    // but it apparently does happen in some cases; see #1274.
    return from;
}
if(pattern==null) pattern = req.getParameter("path"); // compatibility with Hudson<1.129 if(pattern!=null && Util.isSafeToRedirectTo(pattern)) {// avoid open redirect rsp.sendRedirect2(pattern); return;
if (item!=null) { String url = formData.optString("redirectTo"); if (url==null || !Util.isSafeToRedirectTo(url)) // avoid open redirect url = req.getContextPath()+'/'+item.getUrl(); rsp.sendRedirect(formData.optInt("statusCode",SC_CREATED), url);
/**
 * Chooses the redirect target from the {@code from} request parameter.
 *
 * <p>The parameter is caller-controlled, so it is only used when
 * {@code Util.isSafeToRedirectTo} accepts it; otherwise the relative URL
 * {@code "."} is returned to avoid an open redirect.
 *
 * @param request the current request; its {@code from} parameter, session and
 *     context path are read
 * @return the default target URL when no {@code from} parameter is present,
 *     {@code "."} when the parameter is rejected, otherwise the parameter with a
 *     leading context path stripped when it has one
 */
@Override
protected String determineTargetUrl(HttpServletRequest request) {
    final String from = request.getParameter("from");

    // NOTE(review): the raw value (possibly null, possibly rejected below) is stored
    // in the session before it is validated. Any code that later reads the "from"
    // session attribute must validate it again before redirecting to it.
    request.getSession().setAttribute("from", from);

    if (from == null) {
        return getDefaultTargetUrl();
    }

    if (!Util.isSafeToRedirectTo(from)) {
        // avoid open redirect
        return ".";
    }

    // Per the original author's note: the URL returned from determineTargetUrl() is
    // resolved against the context path, whereas the "from" URL is resolved against
    // the top of the website, so the context path prefix is dropped here.
    // NOTE(review): this is a plain string-prefix test with no path-segment boundary
    // check, and the stripped remainder is not passed through isSafeToRedirectTo
    // again. Presumably safe because the caller re-prefixes the context path; confirm.
    final String contextPath = request.getContextPath();
    if (from.startsWith(contextPath)) {
        return from.substring(contextPath.length());
    }

    // The original author was unsure when the value lacks the context path prefix,
    // but it apparently does happen in some cases; see #1274.
    return from;
}
if(pattern==null) pattern = req.getParameter("path"); // compatibility with Hudson<1.129 if(pattern!=null && Util.isSafeToRedirectTo(pattern)) {// avoid open redirect rsp.sendRedirect2(pattern); return;
if (item!=null) { String url = formData.optString("redirectTo"); if (url==null || !Util.isSafeToRedirectTo(url)) // avoid open redirect url = req.getContextPath()+'/'+item.getUrl(); rsp.sendRedirect(formData.optInt("statusCode",SC_CREATED), url);