Merge pull request concourse#5350 from concourse/5.2.x-open-redirect

5.2.x open redirect

release-notes/v5.2.8.md

@@ -1,4 +1,7 @@
-
 #### <sub><sup><a name="v528-note-1" href="#528-note-1">:link:</a></sup></sub> fix
 
 * Fix an edge case of [CVE-2018-15798](https://www.cvedetails.com/cve/CVE-2018-15798/) where redirect URI during login flow could be embedded with a malicious host.
+
+#### <sub><sup><a name="v528-note-2" href="v528-note-2">:link:</a></sup></sub> fix
+
+* Added a flag, `--disable-list-all-jobs`. When this flag is passed, the /api/v1/jobs endpoint (which is known to have [performance issues](https://github.com/concourse/concourse/issues/5341)) will always return an empty JSON array instead of making complex and expensive database operations. The most significant end-user impact of this change should be that the dashboard will no longer display pipeline previews. #5340

skymarshal/skyserver/skyserver.go

@@ -247,7 +247,7 @@ func (s *SkyServer) Redirect(w http.ResponseWriter, r *http.Request, token *oaut
 		return
 	}
 
-	err = s.config.TokenMiddleware.SetToken(w, token.TokenType + " " + token.AccessToken, token.Expiry)
+	err = s.config.TokenMiddleware.SetToken(w, token.TokenType+" "+token.AccessToken, token.Expiry)
 	if err != nil {
 		logger.Error("invalid-token", err)
 		w.WriteHeader(http.StatusInternalServerError)
@@ -257,7 +257,7 @@ func (s *SkyServer) Redirect(w http.ResponseWriter, r *http.Request, token *oaut
 	params := redirectURL.Query()
 	params.Set("csrf_token", csrfToken)
 
-	http.Redirect(w, r, redirectURL.Path+"?"+params.Encode(), http.StatusTemporaryRedirect)
+	http.Redirect(w, r, redirectURL.EscapedPath()+"?"+params.Encode(), http.StatusTemporaryRedirect)
 }
 
 func (s *SkyServer) Token(w http.ResponseWriter, r *http.Request) {