[SECURITY-276] Better method name, add tests

e6efae7d · Daniel Beck · 2ed0c046 · e6efae7d · e6efae7d · e6efae7d
5 changed file
--- a/core/src/main/java/hudson/Util.java
+++ b/core/src/main/java/hudson/Util.java
@@ -1471,10 +1471,10 @@ public class Util {
    }

    /**
-     * Return true iff the parameter denotes an absolute URI, or a scheme-relative URI.
+     * Return true iff the parameter does not denote an absolute URI and not a scheme-relative URI.
     */
-    public static boolean isAbsoluteOrSchemeRelativeUri(@Nonnull String uri) {
-        return isAbsoluteUri(uri) || uri.startsWith("//");
+    public static boolean isSafeToRedirectTo(@Nonnull String uri) {
+        return !isAbsoluteUri(uri) && !uri.startsWith("//");
    }

    /**

--- a/core/src/main/java/hudson/model/DirectoryBrowserSupport.java
+++ b/core/src/main/java/hudson/model/DirectoryBrowserSupport.java
@@ -158,7 +158,7 @@ public final class DirectoryBrowserSupport implements HttpResponse {
        String pattern = req.getParameter("pattern");
        if(pattern==null)
            pattern = req.getParameter("path"); // compatibility with Hudson<1.129
-        if(pattern!=null && !Util.isAbsoluteOrSchemeRelativeUri(pattern)) {// avoid open redirect
+        if(pattern!=null && Util.isSafeToRedirectTo(pattern)) {// avoid open redirect
            rsp.sendRedirect2(pattern);
            return;
        }

--- a/core/src/main/java/hudson/model/ParametersDefinitionProperty.java
+++ b/core/src/main/java/hudson/model/ParametersDefinitionProperty.java
@@ -158,7 +158,7 @@ public class ParametersDefinitionProperty extends JobProperty<Job<?, ?>>
                getJob(), delay.getTime(), new ParametersAction(values), new CauseAction(new Cause.UserIdCause()));
        if (item!=null) {
            String url = formData.optString("redirectTo");
-            if (url==null || Util.isAbsoluteOrSchemeRelativeUri(url))   // avoid open redirect
+            if (url==null || !Util.isSafeToRedirectTo(url))   // avoid open redirect
                url = req.getContextPath()+'/'+item.getUrl();
            rsp.sendRedirect(formData.optInt("statusCode",SC_CREATED), url);
        } else

--- a/core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java
+++ b/core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java
@@ -53,7 +53,7 @@ public class AuthenticationProcessingFilter2 extends AuthenticationProcessingFil
        if (targetUrl == null)
            return getDefaultTargetUrl();

-        if (Util.isAbsoluteOrSchemeRelativeUri(targetUrl))
+        if (!Util.isSafeToRedirectTo(targetUrl))
            return "."; // avoid open redirect

        // URL returned from determineTargetUrl() is resolved against the context path,

--- a/core/src/test/java/hudson/UtilTest.java
+++ b/core/src/test/java/hudson/UtilTest.java
@@ -344,6 +344,20 @@ public class UtilTest {
        assertFalse(Util.isAbsoluteUri("foo/bar"));
    }

+    @Test
+    @Issue("SECURITY-276")
+    public void testIsSafeToRedirectTo() {
+        assertFalse(Util.isSafeToRedirectTo("http://foobar/"));
+        assertFalse(Util.isSafeToRedirectTo("mailto:kk@kohsuke.org"));
+        assertFalse(Util.isSafeToRedirectTo("d123://test/"));
+        assertFalse(Util.isSafeToRedirectTo("//google.com"));
+
+        assertTrue(Util.isSafeToRedirectTo("foo/bar/abc:def"));
+        assertTrue(Util.isSafeToRedirectTo("foo?abc:def"));
+        assertTrue(Util.isSafeToRedirectTo("foo#abc:def"));
+        assertTrue(Util.isSafeToRedirectTo("foo/bar"));
+    }
+
    @Test
    public void loadProperties() throws IOException {