merged the RC branch

git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@18981 71c3de6d-444a-0410-be80-ed276b4c234a

merged the RC branch
git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@18981 71c3de6d-444a-0410-be80-ed276b4c234a
079e6dbb · kohsuke · d2abcd62 · 079e6dbb · 079e6dbb · 079e6dbb
15 changed file
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -4,7 +4,7 @@
  <parent>
    <artifactId>pom</artifactId>
    <groupId>org.jvnet.hudson.main</groupId>
-    <version>1.310-SNAPSHOT</version>
+    <version>1.311-SNAPSHOT</version>
  </parent>
  <artifactId>cli</artifactId>
  <name>Hudson CLI</name>

--- a/core/pom.xml
+++ b/core/pom.xml
@@ -27,7 +27,7 @@ THE SOFTWARE.
  <parent>
    <groupId>org.jvnet.hudson.main</groupId>
    <artifactId>pom</artifactId>
-    <version>1.310-SNAPSHOT</version>
+    <version>1.311-SNAPSHOT</version>
    <relativePath>../pom.xml</relativePath>
  </parent>


--- a/core/src/main/java/hudson/security/csrf/CrumbIssuer.java
+++ b/core/src/main/java/hudson/security/csrf/CrumbIssuer.java
@@ -66,7 +66,7 @@ public abstract class CrumbIssuer implements Describable<CrumbIssuer>, Extension
        if (crumb == null) {
            crumb = issueCrumb(request, getDescriptor().getCrumbSalt());
            if (request != null) {
-                if ((crumb != null) && !crumb.isEmpty()) {
+                if ((crumb != null) && crumb.length()>0) {
                    request.setAttribute(CRUMB_ATTRIBUTE, crumb);
                } else {
                    request.removeAttribute(CRUMB_ATTRIBUTE);

--- a/core/src/main/resources/hudson/security/csrf/CrumbIssuer/config.jelly
+++ b/core/src/main/resources/hudson/security/csrf/CrumbIssuer/config.jelly
+<!--
+The MIT License
+
+Copyright (c) 2008-2009, Yahoo! Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+-->
+
+<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
+    <f:entry title="${%Salt}" help="/help/security/csrf/salt.html">
+        <f:textbox name="csrf_crumbSalt" value="${descriptor.crumbSalt}" />
+    </f:entry>
+    <f:entry title="${%Request Field}" help="/help/security/csrf/field.html">
+        <f:textbox name="csrf_crumbField" value="${descriptor.crumbRequestField}" />
+    </f:entry>
+    
+    <j:if test="${!empty(descriptor.subConfigPage)}">
+        <st:include from="${descriptor}" page="${descriptor.subConfigPage}" optional="true" />
+    </j:if>
+</j:jelly>
\ No newline at end of file
--- a/core/src/main/resources/lib/form/crumb.jelly
+++ b/core/src/main/resources/lib/form/crumb.jelly
+<!--
+ Copyright (c) 2008-2009 Yahoo! Inc. 
+ All rights reserved. 
+ The copyrights to the contents of this file are licensed under the MIT License (http://www.opensource.org/licenses/mit-license.php)
+-->
+
+<j:jelly xmlns:j="jelly:core" xmlns:s="jelly:stapler" xmlns:d="jelly:define" xmlns:f="/lib/form">
+  <j:if test="${app.useCrumbs}">
+  	<input type="hidden" name="${h.getCrumbRequestField()}" value="${h.getCrumb(request)}" />
+  </j:if>
+</j:jelly>
\ No newline at end of file
--- a/debian/changelog
+++ b/debian/changelog
+hudson (1.310) unstable; urgency=low
+
+  * See http://hudson.dev.java.net/changelog.html for more details.
+
+ -- Kohsuke Kawaguchi <kk@kohsuke.org>  Mon, 15 Jun 2009 09:16:45 -0700
+
 hudson (1.309) unstable; urgency=low

  * See http://hudson.dev.java.net/changelog.html for more details.

--- a/maven-agent/pom.xml
+++ b/maven-agent/pom.xml
@@ -27,7 +27,7 @@ THE SOFTWARE.
  <parent>
    <groupId>org.jvnet.hudson.main</groupId>
    <artifactId>pom</artifactId>
-    <version>1.310-SNAPSHOT</version>
+    <version>1.311-SNAPSHOT</version>
    <relativePath>../pom.xml</relativePath>
  </parent>
  

--- a/maven-interceptor/pom.xml
+++ b/maven-interceptor/pom.xml
@@ -27,7 +27,7 @@ THE SOFTWARE.
  <parent>
    <groupId>org.jvnet.hudson.main</groupId>
    <artifactId>pom</artifactId>
-    <version>1.310-SNAPSHOT</version>
+    <version>1.311-SNAPSHOT</version>
    <relativePath>../pom.xml</relativePath>
  </parent>
  

--- a/maven-plugin/pom.xml
+++ b/maven-plugin/pom.xml
@@ -27,7 +27,7 @@ THE SOFTWARE.
  <parent>
    <groupId>org.jvnet.hudson.main</groupId>
    <artifactId>pom</artifactId>
-    <version>1.310-SNAPSHOT</version>
+    <version>1.311-SNAPSHOT</version>
  </parent>

  <artifactId>maven-plugin</artifactId>

--- a/pom.xml
+++ b/pom.xml
@@ -33,7 +33,7 @@ THE SOFTWARE.
  
  <groupId>org.jvnet.hudson.main</groupId>
  <artifactId>pom</artifactId>
-  <version>1.310-SNAPSHOT</version>
+  <version>1.311-SNAPSHOT</version>
  <packaging>pom</packaging>
  
  <name>Hudson main module</name>

--- a/remoting/pom.xml
+++ b/remoting/pom.xml
@@ -27,7 +27,7 @@ THE SOFTWARE.
  <parent>
    <groupId>org.jvnet.hudson.main</groupId>
    <artifactId>pom</artifactId>
-    <version>1.310-SNAPSHOT</version>
+    <version>1.311-SNAPSHOT</version>
    <relativePath>../pom.xml</relativePath>
  </parent>
  

--- a/test/pom.xml
+++ b/test/pom.xml
@@ -27,7 +27,7 @@ THE SOFTWARE.
  <parent>
    <artifactId>pom</artifactId>
    <groupId>org.jvnet.hudson.main</groupId>
-    <version>1.310-SNAPSHOT</version>
+    <version>1.311-SNAPSHOT</version>
  </parent>
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.jvnet.hudson.main</groupId>

--- a/war/pom.xml
+++ b/war/pom.xml
@@ -27,7 +27,7 @@ THE SOFTWARE.
  <parent>
    <groupId>org.jvnet.hudson.main</groupId>
    <artifactId>pom</artifactId>
-    <version>1.310-SNAPSHOT</version>
+    <version>1.311-SNAPSHOT</version>
    <relativePath>../pom.xml</relativePath>
  </parent>
  
@@ -248,6 +248,7 @@ THE SOFTWARE.
              </execution>
            </executions>
            <configuration>
+              <python>python2.5</python>
              <proto>../ips/proto.py</proto>
            </configuration>
          </plugin>

--- a/war/resources/help/security/csrf/field.html
+++ b/war/resources/help/security/csrf/field.html
+<div>
+  This is name of the request parameter Hudson will look in for a crumb
+  value. 
+</div>
\ No newline at end of file
--- a/war/resources/help/security/csrf/salt.html
+++ b/war/resources/help/security/csrf/salt.html
+<div>
+  The salt value is taken as an input to the crumb generation algorithm. It acts
+  as further randomization to complicate dictionary style attacks against the
+  algorithm. In the context of CSRF exploits against Hudson servers, each Hudson
+  server should use a different salt value. If multiple Hudson servers all use
+  a crumb generation algorithm that gets broken, the salt prevents an attacker
+  from running CSRF exploits against all these servers.
+</div>