diff --git a/core/src/main/java/hudson/util/XStream2.java b/core/src/main/java/hudson/util/XStream2.java
index 48d967880b76..140eb77b9e1e 100644
--- a/core/src/main/java/hudson/util/XStream2.java
+++ b/core/src/main/java/hudson/util/XStream2.java
@@ -145,6 +145,9 @@ private void init() {
         // list up types that should be marshalled out like a value, without referential integrity tracking.
         addImmutableType(Result.class);
 
+        // http://www.openwall.com/lists/oss-security/2017/04/03/4
+        denyTypes(new Class[] { void.class, Void.class });
+
         registerConverter(new RobustCollectionConverter(getMapper(),getReflectionProvider()),10);
         registerConverter(new RobustMapConverter(getMapper()), 10);
         registerConverter(new ImmutableMapConverter(getMapper(),getReflectionProvider()),10);
diff --git a/core/src/main/java/jenkins/install/SetupWizard.java b/core/src/main/java/jenkins/install/SetupWizard.java
index 7429955b0124..74ef40624e3b 100644
--- a/core/src/main/java/jenkins/install/SetupWizard.java
+++ b/core/src/main/java/jenkins/install/SetupWizard.java
@@ -458,7 +458,6 @@ public FilePath getInitialAdminPasswordFile() {
     /**
      * Remove the setupWizard filter, ensure all updates are written to disk, etc
      */
-    @RequirePOST
     public HttpResponse doCompleteInstall() throws IOException, ServletException {
         completeSetup();
         return HttpResponses.okJSON();
diff --git a/core/src/test/java/hudson/util/XStream2Test.java b/core/src/test/java/hudson/util/XStream2Test.java
index aeb781f6725f..08170e24d4ad 100644
--- a/core/src/test/java/hudson/util/XStream2Test.java
+++ b/core/src/test/java/hudson/util/XStream2Test.java
@@ -28,6 +28,7 @@
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.thoughtworks.xstream.XStreamException;
+import com.thoughtworks.xstream.security.ForbiddenClassException;
 import hudson.XmlFile;
 import hudson.model.Result;
 import hudson.model.Run;
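Review bot: The new denyTypes call on the added lines is explained only by a bare URL, so a reader of init() cannot tell what is being mitigated or why exactly void and Void are the denied classes. Suggest replacing the comment with `// SECURITY-503: deny the void/Void types, which the crashXstream test and the linked oss-security report (2017/04/03/4) indicate can crash the process when unmarshalled; this is a targeted deny list, not a general type allowlist.` Stating that only two classes are denied matters, because denyTypes leaves every other type exactly as permitted as before and a reader may otherwise assume XStream2 now restricts unmarshalled types generally. init() begins and ends outside the hunk.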
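Review bot: Dropping @RequirePOST from doCompleteInstall makes a state-changing endpoint (completeSetup() removes the setup filter and writes to disk, per the Javadoc kept in the hunk) reachable by a plain GET, which removes the protection that keeps a cross-site page from triggering it with a simple link or image request; the companion pluginManager.js hunk switches the client to jenkins.get to match. No authorization check is visible in the hunk either, though completeSetup() lies outside the view and may perform one. I would keep `@RequirePOST` and fix the client to POST with a crumb instead; if GET is genuinely required here, the Javadoc should say why and what guards the method, e.g. `* Reachable over GET by design (see the setup-wizard client); guarded by <describe the check>.` The method body continues past the hunk.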
@@ -296,4 +297,15 @@ public void trimVersion() {
         assertEquals("3.2.1", XStream2.trimVersion("3.2.1"));
         assertEquals("3.2-SNAPSHOT", XStream2.trimVersion("3.2-SNAPSHOT (private-09/23/2012 12:26-jhacker)"));
     }
+
+    @Issue("SECURITY-503")
+    @Test
+    public void crashXstream() throws Exception {
+        try {
+            new XStream2().fromXML("");
+            fail("expected to throw ForbiddenClassException, but why are we still alive?");
+        } catch (ForbiddenClassException ex) {
+            // pass
+        }
+    }
 }
diff --git a/war/src/main/js/api/pluginManager.js b/war/src/main/js/api/pluginManager.js
index f1cf8ac0f3dc..04d754f0e7d0 100644
--- a/war/src/main/js/api/pluginManager.js
+++ b/war/src/main/js/api/pluginManager.js
@@ -177,7 +177,7 @@ exports.incompleteInstallStatus = function(handler, correlationId) {
  * Call this to complete the installation without installing anything
  */
 exports.completeInstall = function(handler) {
-    jenkins.post('/setupWizard/completeInstall', {}, function() {
+    jenkins.get('/setupWizard/completeInstall', function() {
         handler.call({ isError: false });
     }, { timeout: pluginManagerErrorTimeoutMillis,
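Review bot: The try/fail/catch pattern in crashXstream discards the caught exception and duplicates what JUnit 4's expected attribute already expresses; if this file is JUnit 4, `@Test(expected = ForbiddenClassException.class)` with a bare `new XStream2().fromXML(...)` body would be shorter and equally strict. Note also that the fromXML argument appears here as the empty string, which looks like an extraction artifact of this page rather than the committed payload — an empty document seems unlikely to reach the void/Void deny list at all, so the real input should be checked against the source. Either way, a comment such as `// the denied type must reach XStream's type permission check and surface as ForbiddenClassException, not a generic XStreamException` would explain why this specific exception, and not the broader XStreamException already imported in this file, is the expected outcome.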