@@ -79,6 +79,7 @@ of this software and associated documentation files (the "Software"), to deal
7979import org .kohsuke .stapler .HttpRedirect ;
8080import org .kohsuke .stapler .HttpResponse ;
8181import org .kohsuke .stapler .HttpResponses ;
82+ import org .kohsuke .stapler .QueryParameter ;
8283import org .kohsuke .stapler .StaplerRequest ;
8384import org .springframework .dao .DataAccessException ;
8485import org .springframework .dao .DataRetrievalFailureException ;
@@ -93,6 +94,7 @@ of this software and associated documentation files (the "Software"), to deal
9394import java .util .logging .Logger ;
9495import javax .annotation .Nonnull ;
9596import javax .annotation .Nullable ;
97+ import javax .servlet .http .HttpSession ;
9698
9799/**
98100 *
@@ -333,9 +335,18 @@ public String getOauthScopes() {
333335 return oauthScopes ;
334336 }
335337
336- public HttpResponse doCommenceLogin (StaplerRequest request , @ Header ("Referer" ) final String referer )
338+ public HttpResponse doCommenceLogin (StaplerRequest request , @ QueryParameter String from , @ Header ("Referer" ) final String referer )
337339 throws IOException {
338- request .getSession ().setAttribute (REFERER_ATTRIBUTE ,referer );
340+ String redirectOnFinish ;
341+ if (from != null && Util .isSafeToRedirectTo (from )) {
342+ redirectOnFinish = from ;
343+ } else if (referer != null && (referer .startsWith (Jenkins .getInstance ().getRootUrl ()) || Util .isSafeToRedirectTo (referer ))) {
344+ redirectOnFinish = referer ;
345+ } else {
346+ redirectOnFinish = Jenkins .getInstance ().getRootUrl ();
347+ }
348+
349+ request .getSession ().setAttribute (REFERER_ATTRIBUTE , redirectOnFinish );
339350
340351 Set <String > scopes = new HashSet <>();
341352 for (GitHubOAuthScope s : getJenkins ().getExtensionList (GitHubOAuthScope .class )) {
@@ -361,6 +372,7 @@ public HttpResponse doCommenceLogin(StaplerRequest request, @Header("Referer") f
361372 public HttpResponse doFinishLogin (StaplerRequest request )
362373 throws IOException {
363374 String code = request .getParameter ("code" );
375+ String referer = (String )request .getSession ().getAttribute (REFERER_ATTRIBUTE );
364376
365377 if (code == null || code .trim ().length () == 0 ) {
366378 Log .info ("doFinishLogin: missing code." );
@@ -372,6 +384,14 @@ public HttpResponse doFinishLogin(StaplerRequest request)
372384 if (accessToken != null && accessToken .trim ().length () > 0 ) {
373385 // only set the access token if it exists.
374386 GithubAuthenticationToken auth = new GithubAuthenticationToken (accessToken , getGithubApiUri ());
387+
388+ HttpSession session = request .getSession (false );
389+ if (session != null ){
390+ // avoid session fixation
391+ session .invalidate ();
392+ }
393+ request .getSession (true );
394+
375395 SecurityContextHolder .getContext ().setAuthentication (auth );
376396
377397 GHMyself self = auth .getMyself ();
@@ -409,7 +429,6 @@ public HttpResponse doFinishLogin(StaplerRequest request)
409429 Log .info ("Github did not return an access token." );
410430 }
411431
412- String referer = (String )request .getSession ().getAttribute (REFERER_ATTRIBUTE );
413432 if (referer !=null ) return HttpResponses .redirectTo (referer );
414433 return HttpResponses .redirectToContextRoot (); // referer should be always there, but be defensive
415434 }
0 commit comments