Merge branch 'security-stable-2.46' into security-master

jenkinsci · Apr 16, 2017 · f7075e6 · f7075e6
2 parents 745dacc + 59ec129
commit f7075e6
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 2 deletions.
diff --git a/core/src/main/java/hudson/util/XStream2.java b/core/src/main/java/hudson/util/XStream2.java
@@ -145,6 +145,9 @@ private void init() {
         // list up types that should be marshalled out like a value, without referential integrity tracking.
         addImmutableType(Result.class);
 
+        // http://www.openwall.com/lists/oss-security/2017/04/03/4
+        denyTypes(new Class[] { void.class, Void.class });
+
         registerConverter(new RobustCollectionConverter(getMapper(),getReflectionProvider()),10);
         registerConverter(new RobustMapConverter(getMapper()), 10);
         registerConverter(new ImmutableMapConverter(getMapper(),getReflectionProvider()),10);

diff --git a/core/src/main/java/jenkins/install/SetupWizard.java b/core/src/main/java/jenkins/install/SetupWizard.java
@@ -458,7 +458,6 @@ public FilePath getInitialAdminPasswordFile() {
     /**
      * Remove the setupWizard filter, ensure all updates are written to disk, etc
      */
-    @RequirePOST
     public HttpResponse doCompleteInstall() throws IOException, ServletException {
         completeSetup();
         return HttpResponses.okJSON();

diff --git a/core/src/test/java/hudson/util/XStream2Test.java b/core/src/test/java/hudson/util/XStream2Test.java
@@ -28,6 +28,7 @@
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.thoughtworks.xstream.XStreamException;
+import com.thoughtworks.xstream.security.ForbiddenClassException;
 import hudson.XmlFile;
 import hudson.model.Result;
 import hudson.model.Run;
@@ -296,4 +297,15 @@ public void trimVersion() {
         assertEquals("3.2.1", XStream2.trimVersion("3.2.1"));
         assertEquals("3.2-SNAPSHOT", XStream2.trimVersion("3.2-SNAPSHOT (private-09/23/2012 12:26-jhacker)"));
     }
+
+    @Issue("SECURITY-503")
+    @Test
+    public void crashXstream() throws Exception {
+        try {
+            new XStream2().fromXML("<void/>");
+            fail("expected to throw ForbiddenClassException, but why are we still alive?");
+        } catch (ForbiddenClassException ex) {
+            // pass
+        }
+    }
 }
diff --git a/war/src/main/js/api/pluginManager.js b/war/src/main/js/api/pluginManager.js
@@ -177,7 +177,7 @@ exports.incompleteInstallStatus = function(handler, correlationId) {
  * Call this to complete the installation without installing anything
  */
 exports.completeInstall = function(handler) {
-	jenkins.post('/setupWizard/completeInstall', {}, function() {
+	jenkins.get('/setupWizard/completeInstall', function() {
 		handler.call({ isError: false });
 	}, {
 		timeout: pluginManagerErrorTimeoutMillis,