Fix newView link to use context-relative URL instead of rootURL #26383
Closed
sahilleth wants to merge 2 commits into jenkinsci:master from
Author
CI is green after updating href handling. Please let me know if further adjustments are needed.
added 2 commits
February 28, 2026 23:31
Fixes JENKINS-51291 / jenkinsci#22743 When Jenkins is behind a reverse proxy (e.g. nginx), the Jenkins Root URL may be configured to the internal server URL for agent connectivity. The 'New View' link in the view tab bar was using rootURL, causing it to navigate to the internal URL instead of the proxy URL. Use request.contextPath + owner.url instead of rootURL so the link resolves relative to the current origin (proxy URL), while still correctly targeting the owning ViewGroup's newView action for both root, folders, and My Views. This also fixes SECURITY-1471 by removing rootURL from the link, preventing javascript: injection via Root URL.
ViewTest.privateView fails on Windows JDK 25 when tab hrefs use rootURL because the active-tab URL match can differ. Use request.contextPath for tab links to ensure consistency with the request URL. Also fixes the same proxy issue for view tab links as for the newView button.
Member
No:
jenkins/core/src/main/java/hudson/Functions.java, lines 299 to 306 in 057aa6a
This PR does nothing.
Fixes #22743
What was done
The "New View" link in the view tab bar used ${rootURL} which produces an absolute URL. When Jenkins is behind a reverse proxy (e.g. nginx) with Root URL set to the internal server for agent connectivity, clicking "New View" redirected users to the internal URL instead of staying on the proxy URL.

Fix: Use ${request.contextPath}/${currentView.owner.url}newView instead of ${rootURL}/${currentView.owner.url}newView. This produces a path-absolute URL (e.g. /jenkins/newView or /jenkins/job/foo/newView) that the browser resolves against the current origin (the proxy URL), while still correctly targeting the owning ViewGroup's newView for root, folders, and My Views.

This also addresses SECURITY-1471 by removing rootURL from the link, preventing javascript: injection via Root URL configuration.
Testing done
DefaultViewsTabBar/viewTabs.jelly, DefaultMyViewsTabBar/myViewTabs.jelly
JenkinsLocationConfigurationTest#cannotInjectJavaScriptUsingRootUrl_inNewViewLink validates that the newView link does not use rootURL for XSS; this change strengthens that by not using rootURL at all
Proposed changelog entries
Proposed changelog category
/label bug
Submitter checklist
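The URL-resolution behavior the description above relies on, as an added example that is not part of the pull request or of Jenkins: it resolves each href form against the page the user is on and checks the resulting origin and scheme. The host names, the helpers `newViewHref`, `classifyLink` and `classifyAll`, and the sample prefix values are constructed; the example takes the description's premise that the prefix can be an absolute Root URL as given and does not model how Jelly sets `rootURL`.

```javascript
// Added example, not Jenkins code. Hosts, paths and helper names are constructed.
const WEB_SCHEMES = new Set(["http:", "https:"]);

// Build the href from a prefix plus the owning ViewGroup's URL ("" for root).
function newViewHref(prefix, ownerUrl) {
  return `${prefix}/${ownerUrl}newView`;
}

// Resolve href as a browser does for <a href>, then report whether the target
// stays on the page's origin and uses an http(s) scheme.
function classifyLink(href, pageUrl) {
  const page = new URL(pageUrl);
  let target;
  try {
    target = new URL(href, page);
  } catch (err) {
    return { href, resolved: null, sameOrigin: false, webScheme: false };
  }
  return {
    href,
    resolved: target.href,
    sameOrigin: target.origin === page.origin,
    webScheme: WEB_SCHEMES.has(target.protocol),
  };
}

// Constructed scenario: the user browses via the proxy; Root URL points elsewhere.
const PAGE = "https://ci.example.com/jenkins/job/foo/";
const PREFIXES = {
  contextPath: "/jenkins",                              // path only
  internalRoot: "http://jenkins-internal:8080/jenkins", // absolute, internal host
  scriptRoot: "javascript:void(0)",                     // non-web scheme as Root URL
};

// Classify the newView link for every prefix form.
function classifyAll(ownerUrl) {
  const out = {};
  for (const [name, prefix] of Object.entries(PREFIXES)) {
    out[name] = classifyLink(newViewHref(prefix, ownerUrl), PAGE);
  }
  return out;
}

for (const [name, r] of Object.entries(classifyAll("job/foo/"))) {
  console.log(name, r.resolved, "sameOrigin=" + r.sameOrigin, "webScheme=" + r.webScheme);
}
```

A test that asserts `sameOrigin` and `webScheme` on the rendered href covers both the proxy redirect and the scheme problem in one check.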