com.atlassian.jira.web.action
Class RedirectSanitiserImpl
java.lang.Object
  com.atlassian.jira.web.action.RedirectSanitiserImpl
- All Implemented Interfaces: RedirectSanitiser
public class RedirectSanitiserImpl
extends Object
implements RedirectSanitiser
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
RedirectSanitiserImpl
public RedirectSanitiserImpl(VelocityRequestContextFactory velocityRequestContextFactory)
canRedirectTo
public boolean canRedirectTo(@Nullable String redirectUri)
- Description copied from interface: RedirectSanitiser
- Returns a boolean indicating whether redirecting to the given URI is allowed or not. This method returns false if the redirectUri is an absolute URI and it points to a domain that is not this JIRA instance's domain, and true otherwise. If the URI is in the form //xxx then it is not allowed as per JRA-27405.
- Specified by: canRedirectTo in interface RedirectSanitiser
- Parameters: redirectUri - a String containing a URI
- Returns: a boolean indicating whether redirecting to the given URI should be allowed or not
makeSafeRedirectUrl
@Nullable
public String makeSafeRedirectUrl(@Nullable String redirectUrl)
- Description copied from interface: RedirectSanitiser
- Constructs a safe redirect URL out of user-provided input. This means checking that the URL has an HTTP or HTTPS scheme, and that it does not redirect to a different domain (i.e. a domain other than this JIRA instance's). If the redirectUrl does not meet these conditions, this method returns null. This is used to prevent open redirect attacks, which facilitate phishing attacks against JIRA users.
- Specified by: makeSafeRedirectUrl in interface RedirectSanitiser
- Parameters: redirectUrl - a String containing the redirect URL
- Returns: a safe redirect URL, or null
getCanonicalBaseURL
protected String getCanonicalBaseURL()
- Returns the canonical base URL for JIRA.
- Returns:
- a String containing the canonical base URL
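The canRedirectTo and makeSafeRedirectUrl rules above, as an added illustration in plain java.net.URI terms (hypothetical SafeRedirectExample class, not Atlassian's RedirectSanitiserImpl). The null handling and the pass-through of relative paths are assumptions, the base URL is a constructed value standing in for getCanonicalBaseURL(), and the checks go slightly beyond the //xxx case the page names by also covering lookalike hosts, userinfo tricks and non-HTTP schemes.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/** Illustrative sanitiser applying the rules documented above (hypothetical, not Atlassian's code). */
public final class SafeRedirectExample {
    private final URI base;  // the instance's canonical base URL, cf. getCanonicalBaseURL()

    public SafeRedirectExample(String canonicalBaseUrl) {
        this.base = URI.create(canonicalBaseUrl);
    }

    /** Relative paths pass; "//host/..." is refused (JRA-27405); absolute URIs must point at this host. */
    public boolean canRedirectTo(String redirectUri) {
        if (redirectUri == null || redirectUri.trim().isEmpty()) {
            return false;  // assumption: treat "nothing to redirect to" as not allowed
        }
        String candidate = redirectUri.trim();
        if (candidate.startsWith("//")) {
            return false;  // protocol-relative reference: the browser would leave this host
        }
        URI uri;
        try {
            uri = new URI(candidate);  // backslash is illegal here, so "/\evil" variants fail to parse
        } catch (URISyntaxException e) {
            return false;
        }
        if (!uri.isAbsolute()) {
            return uri.getRawAuthority() == null;  // a relative reference must not carry an authority
        }
        String host = uri.getHost();  // null for "javascript:..." or "http:evil.example" (opaque URIs)
        return host != null && host.equalsIgnoreCase(base.getHost());
    }

    /** Returns the URL when it is a plain relative path or http(s) on this host; otherwise null. */
    public String makeSafeRedirectUrl(String redirectUrl) {
        if (!canRedirectTo(redirectUrl)) {
            return null;
        }
        URI uri = URI.create(redirectUrl.trim());
        if (uri.isAbsolute()) {
            String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
            if (!scheme.equals("http") && !scheme.equals("https")) {
                return null;  // same host but a non-HTTP scheme is still refused
            }
        }
        return redirectUrl.trim();
    }
}
```

With a base of https://jira.example.com/jira (constructed), "/browse/ABC-1" and "https://jira.example.com/browse/ABC-1" come back unchanged, while "//evil.example/", "https://jira.example.com@evil.example/", "https://jira.example.com.evil.example/" and "javascript:alert(1)" all yield null.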
Copyright © 2002-2014 Atlassian. All Rights Reserved.