[SECURITY-429] Fixing by blacklisting SignedObject.

jenkinsci · Apr 13, 2017 · 36b8285 · 36b8285
1 parent f237601
commit 36b8285
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 3 deletions.
diff --git a/core/src/main/java/jenkins/model/Jenkins.java b/core/src/main/java/jenkins/model/Jenkins.java
@@ -295,8 +295,10 @@
 
 import static hudson.Util.*;
 import static hudson.init.InitMilestone.*;
+import hudson.remoting.ClassFilter;
 import hudson.util.LogTaskListener;
 import static java.util.logging.Level.*;
+import java.util.regex.Pattern;
 import static javax.servlet.http.HttpServletResponse.*;
 import org.kohsuke.stapler.WebMethod;
 
@@ -812,6 +814,8 @@ protected Jenkins(File root, ServletContext context, PluginManager pluginManager
 
             adjuncts = new AdjunctManager(servletContext, pluginManager.uberClassLoader,"adjuncts/"+SESSION_HASH, TimeUnit2.DAYS.toMillis(365));
 
+            ClassFilter.appendDefaultFilter(Pattern.compile("java[.]security[.]SignedObject")); // TODO move to standard blacklist
+
             // initialization consists of ...
             executeReactor( is,
                     pluginManager.initTasks(is),    // loading and preparing plugins

diff --git a/pom.xml b/pom.xml
@@ -179,7 +179,7 @@ THE SOFTWARE.
       <dependency>
         <groupId>org.jenkins-ci.main</groupId>
         <artifactId>remoting</artifactId>
-        <version>2.53.5</version>
+        <version>2.53.6-20170306.191805-1</version> <!-- TODO -->
       </dependency>
 
       <dependency>

diff --git a/test/src/test/java/jenkins/security/Security218CliTest.java b/test/src/test/java/jenkins/security/Security218CliTest.java
@@ -32,7 +32,6 @@
 import java.io.PrintStream;
 import jenkins.security.security218.Payload;
 import org.jenkinsci.remoting.RoleChecker;
-import org.junit.Ignore;
 import org.junit.Test;
 import static org.junit.Assert.*;
 import org.junit.Rule;
@@ -170,7 +169,6 @@ public void ldap() throws Exception {
         probe(Payload.Ldap, PayloadCaller.EXIT_CODE_REJECTED);
     }
 
-    @Ignore("TODO fails unless ^java[.]security[.]SignedObject is blacklisted")
     @PresetData(PresetData.DataSet.ANONYMOUS_READONLY)
     @Test
     @Issue("SECURITY-429")