[FIXED JENKINS-9521] exploit commons-codec for Base64 encoding rather than...

[FIXED JENKINS-9521] exploit commons-codec for Base64 encoding rather than proprietary sun.misc.BASE64Encoder

[FIXED JENKINS-9521] exploit commons-codec for Base64 encoding rather than...
[FIXED JENKINS-9521] exploit commons-codec for Base64 encoding rather than proprietary sun.misc.BASE64Encoder
3803a3e3 · Jesse Farinacci · 307af575 · 3803a3e3 · 3803a3e3 · 3803a3e3
5 changed file
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -50,6 +50,11 @@
  </build>

  <dependencies>
+    <dependency>
+      <groupId>commons-codec</groupId>
+      <artifactId>commons-codec</artifactId>
+      <version>1.4</version>
+    </dependency>
    <dependency>
      <groupId>${project.groupId}</groupId>
      <artifactId>remoting</artifactId>

--- a/cli/src/main/java/hudson/cli/FullDuplexHttpStream.java
+++ b/cli/src/main/java/hudson/cli/FullDuplexHttpStream.java
@@ -11,7 +11,7 @@ import java.util.UUID;
 import java.util.logging.Level;
 import java.util.logging.Logger;

-import sun.misc.BASE64Encoder;
+import org.apache.commons.codec.binary.Base64;

 /**
 * Creates a capacity-unlimited bi-directional {@link InputStream}/{@link OutputStream} pair over
@@ -38,7 +38,7 @@ public class FullDuplexHttpStream {

        String authorization = null;
        if (target.getUserInfo() != null) {
-        	authorization = new BASE64Encoder().encode(target.getUserInfo().getBytes());
+        	authorization = new String(new Base64().encodeBase64(target.getUserInfo().getBytes()));
        }

        CrumbData crumbData = new CrumbData();

--- a/remoting/pom.xml
+++ b/remoting/pom.xml
@@ -162,8 +162,7 @@ THE SOFTWARE.
    <dependency>
      <groupId>commons-codec</groupId>
      <artifactId>commons-codec</artifactId>
-      <version>1.3</version>
-      <scope>test</scope>
+      <version>1.4</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>

--- a/remoting/src/main/java/hudson/remoting/Engine.java
+++ b/remoting/src/main/java/hudson/remoting/Engine.java
@@ -40,6 +40,8 @@ import java.util.List;
 import java.util.Collections;
 import java.util.logging.Logger;

+import org.apache.commons.codec.binary.Base64;
+
 /**
 * Slave agent engine that proactively connects to Hudson master.
 *
@@ -148,7 +150,7 @@ public class Engine extends Thread {
                    // find out the TCP port
                    HttpURLConnection con = (HttpURLConnection)salURL.openConnection();
                    if (con instanceof HttpURLConnection && credentials != null) {
-                        String encoding = new sun.misc.BASE64Encoder().encode(credentials.getBytes());
+                        String encoding = new String(new Base64().encodeBase64(credentials.getBytes()));
                        con.setRequestProperty("Authorization", "Basic " + encoding);
                    }
                    try {

--- a/remoting/src/main/java/hudson/remoting/Launcher.java
+++ b/remoting/src/main/java/hudson/remoting/Launcher.java
@@ -71,6 +71,8 @@ import java.security.KeyManagementException;
 import java.security.SecureRandom;
 import java.util.Properties;

+import org.apache.commons.codec.binary.Base64;
+
 /**
 * Entry point for running a {@link Channel}. This is the main method of the slave JVM.
 *
@@ -216,7 +218,7 @@ public class Launcher {
                if (con instanceof HttpURLConnection && slaveJnlpCredentials != null) {
                    HttpURLConnection http = (HttpURLConnection) con;
                    String userPassword = slaveJnlpCredentials;
-                    String encoding = new sun.misc.BASE64Encoder().encode(userPassword.getBytes());
+                    String encoding = new String(new Base64().encodeBase64(userPassword.getBytes()));
                    http.setRequestProperty("Authorization", "Basic " + encoding);
                }
                con.connect();