From 36b8285a41eb28333549e8d851f81fd80a184076 Mon Sep 17 00:00:00 2001
From: Jesse Glick
Date: Mon, 6 Mar 2017 14:24:52 -0500
Subject: [PATCH] [SECURITY-429] Fixing by blacklisting SignedObject.

---
 core/src/main/java/jenkins/model/Jenkins.java | 4 ++++
 pom.xml | 2 +-
 test/src/test/java/jenkins/security/Security218CliTest.java | 2 --
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/core/src/main/java/jenkins/model/Jenkins.java b/core/src/main/java/jenkins/model/Jenkins.java
index 4a433ce90d71..f923c37fc314 100644
--- a/core/src/main/java/jenkins/model/Jenkins.java
+++ b/core/src/main/java/jenkins/model/Jenkins.java
@@ -295,8 +295,10 @@
 import static hudson.Util.*;
 import static hudson.init.InitMilestone.*;
+import hudson.remoting.ClassFilter;
 import hudson.util.LogTaskListener;
 import static java.util.logging.Level.*;
+import java.util.regex.Pattern;
 import static javax.servlet.http.HttpServletResponse.*;
 import org.kohsuke.stapler.WebMethod;
@@ -812,6 +814,8 @@ protected Jenkins(File root, ServletContext context, PluginManager pluginManager
 adjuncts = new AdjunctManager(servletContext, pluginManager.uberClassLoader,"adjuncts/"+SESSION_HASH, TimeUnit2.DAYS.toMillis(365));
+ ClassFilter.appendDefaultFilter(Pattern.compile("java[.]security[.]SignedObject")); // TODO move to standard blacklist
+
 // initialization consists of ...
 executeReactor( is,
 pluginManager.initTasks(is), // loading and preparing plugins
diff --git a/pom.xml b/pom.xml
index cd1d6a4e5a5b..df95fa5f5971 100644
--- a/pom.xml
+++ b/pom.xml
@@ -179,7 +179,7 @@ THE SOFTWARE.
 org.jenkins-ci.main
 remoting
- 2.53.5
+ 2.53.6-20170306.191805-1
diff --git a/test/src/test/java/jenkins/security/Security218CliTest.java b/test/src/test/java/jenkins/security/Security218CliTest.java
index 811db6de7900..4e1530c5a24f 100644
--- a/test/src/test/java/jenkins/security/Security218CliTest.java
+++ b/test/src/test/java/jenkins/security/Security218CliTest.java
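Review bot: The new `ClassFilter.appendDefaultFilter(Pattern.compile("java[.]security[.]SignedObject"))` call sits inside the Jenkins constructor, so it presumably mutates a process-wide default filter once per constructed instance and only takes effect when construction reaches this line; anything deserialized through remoting earlier than that is unprotected, and JVMs that build several Jenkins instances (JenkinsRule-based tests do) will keep appending the same pattern, which argues for a static initializer or a once-only guard until the TODO's move into remoting's built-in blacklist lands. The pattern is also unanchored, whereas the test's former @Ignore message used `^java[.]security[.]SignedObject`; whether an unanchored pattern is a full match or a substring find depends on ClassFilter's matching semantics in the snapshot remoting build pinned in pom.xml, which I cannot see here, so anchoring it as `"^java[.]security[.]SignedObject$"` is the safe form either way. The `// TODO move to standard blacklist` comment says where the entry should live but not why the class is dangerous; I would replace it with `// SECURITY-429: SignedObject embeds a nested serialized object that getObject() reads back with its own ObjectInputStream, so the remoting filter never sees the payload's classes. TODO move to standard blacklist`. The constructor continues outside the hunk.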
@@ -32,7 +32,6 @@
 import java.io.PrintStream;
 import jenkins.security.security218.Payload;
 import org.jenkinsci.remoting.RoleChecker;
-import org.junit.Ignore;
 import org.junit.Test;
 import static org.junit.Assert.*;
 import org.junit.Rule;
@@ -170,7 +169,6 @@ public void ldap() throws Exception {
 probe(Payload.Ldap, PayloadCaller.EXIT_CODE_REJECTED);
 }
- @Ignore("TODO fails unless ^java[.]security[.]SignedObject is blacklisted")
 @PresetData(PresetData.DataSet.ANONYMOUS_READONLY)
 @Test
 @Issue("SECURITY-429")
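Review bot: With the `@Ignore` line removed, nothing at the test site records that this case depends on `java.security.SignedObject` being rejected by the remoting ClassFilter — the deleted annotation's message was the only place that said so, and `@Issue("SECURITY-429")` alone does not explain the mechanism. I would keep that dependency visible as a comment above `@PresetData`: `// Depends on java.security.SignedObject being rejected by the remoting ClassFilter; if that blacklist entry is moved or dropped, this test regresses.` The test method itself lies outside the hunk, so I cannot confirm it probes for `PayloadCaller.EXIT_CODE_REJECTED` the way the visible `ldap()` test does.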