LinuxSuRen / jenkins
Commit 68e84726
Authored Nov 17, 2012 by Kohsuke Kawaguchi
[FIXED SECURITY-45]
Parent 2cb3e838
Showing 4 changed files with 40 additions and 1 deletion (+40 -1)
core/src/main/java/hudson/Util.java (+25 -0)
core/src/main/java/hudson/model/DirectoryBrowserSupport.java (+1 -1)
core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java (+4 -0)
core/src/test/java/hudson/UtilTest.java (+10 -0)
core/src/main/java/hudson/Util.java
...
...
@@ -1233,6 +1233,31 @@ public class Util {
return
s
==
null
?
s
:
s
.
intern
();
}
/**
* Return true if the systemId denotes an absolute URI .
*
* The same algorithm can be seen in {@link URI}, but
* implementing this by ourselves allow it to be more lenient about
* escaping of URI.
*/
public
static
boolean
isAbsoluteUri
(
String
uri
)
{
int
idx
=
uri
.
indexOf
(
':'
);
if
(
idx
<
0
)
return
false
;
// no ':'. can't be absolute
// #, ?, and / must not be before ':'
return
idx
<
_indexOf
(
uri
,
'#'
)
&&
idx
<
_indexOf
(
uri
,
'?'
)
&&
idx
<
_indexOf
(
uri
,
'/'
);
}
/**
* Works like {@link String#indexOf(int)} but 'not found' is returned as s.length(), not -1.
* This enables more straight-forward comparison.
*/
private
static
int
_indexOf
(
String
s
,
char
ch
)
{
int
idx
=
s
.
indexOf
(
ch
);
if
(
idx
<
0
)
return
s
.
length
();
return
idx
;
}
/**
* Loads a key/value pair string as {@link Properties}
* @since 1.392
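Review bot: isAbsoluteUri treats any string without a ':' as relative (`if (idx<0) return false;`), so a value such as `//host/path`, which a browser resolves as a network-path reference to another host, is reported as not absolute and would still be passed to the redirect at both call sites; consider also rejecting values that begin with `//` (and `\\`, which browsers normalise to `//`) and covering them in testIsAbsoluteUri. The method also dereferences `uri` without a null check, so it relies on every caller guarding for null first; say so in the Javadoc or check it here so the helper is safe to reuse elsewhere.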
...
...
core/src/main/java/hudson/model/DirectoryBrowserSupport.java
...
...
@@ -137,7 +137,7 @@ public final class DirectoryBrowserSupport implements HttpResponse {
String
pattern
=
req
.
getParameter
(
"pattern"
);
if
(
pattern
==
null
)
pattern
=
req
.
getParameter
(
"path"
);
// compatibility with Hudson<1.129
if
(
pattern
!=
null
)
{
if
(
pattern
!=
null
&&
!
Util
.
isAbsoluteUri
(
pattern
))
{
// avoid open redirect
rsp
.
sendRedirect2
(
pattern
);
return
;
}
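Review bot: when `pattern` is absolute the new condition simply skips the redirect and falls through to the rest of the method, so a rejected value is indistinguishable from a missing one; consider logging the rejected pattern or answering with a 4xx so that a blocked redirect is visible to operators and can be distinguished from normal directory browsing. The legacy `path` parameter (the Hudson<1.129 compatibility branch) flows through the same check, which is correct, so no second check is needed there.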
...
...
core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java
...
...
@@ -31,6 +31,7 @@ import java.io.IOException;
import
javax.servlet.http.HttpServletRequest
;
import
javax.servlet.http.HttpServletResponse
;
import
hudson.Util
;
import
org.acegisecurity.Authentication
;
import
org.acegisecurity.AuthenticationException
;
import
org.acegisecurity.ui.webapp.AuthenticationProcessingFilter
;
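Review bot: the new `import hudson.Util;` is placed between the `javax.servlet` and `org.acegisecurity` imports, breaking the grouping of the existing block; move it above the `javax` imports or next to wherever the file keeps its other `hudson.*` imports so the import order stays consistent.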
...
...
@@ -51,6 +52,9 @@ public class AuthenticationProcessingFilter2 extends AuthenticationProcessingFil
if
(
targetUrl
==
null
)
return
getDefaultTargetUrl
();
if
(
Util
.
isAbsoluteUri
(
targetUrl
))
return
"."
;
// avoid open redirect
// URL returned from determineTargetUrl() is resolved against the context path,
// whereas the "from" URL is resolved against the top of the website, so adjust this.
if
(
targetUrl
.
startsWith
(
request
.
getContextPath
()))
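Review bot: the absolute-URI branch returns the literal `"."` while the null branch immediately above returns `getDefaultTargetUrl()`; using `getDefaultTargetUrl()` in both cases would keep the post-login landing page consistent and configurable, and the dropped target should be logged so a blocked redirect can be diagnosed later. Placing the check before the context-path adjustment below is right, since it inspects the raw target before any prefix is stripped.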
...
...
core/src/test/java/hudson/UtilTest.java
...
...
@@ -290,4 +290,14 @@ public class UtilTest {
}
}
}
public
void
testIsAbsoluteUri
()
{
assertTrue
(
Util
.
isAbsoluteUri
(
"http://foobar/"
));
assertTrue
(
Util
.
isAbsoluteUri
(
"mailto:kk@kohsuke.org"
));
assertTrue
(
Util
.
isAbsoluteUri
(
"d123://test/"
));
assertFalse
(
Util
.
isAbsoluteUri
(
"foo/bar/abc:def"
));
assertFalse
(
Util
.
isAbsoluteUri
(
"foo?abc:def"
));
assertFalse
(
Util
.
isAbsoluteUri
(
"foo#abc:def"
));
assertFalse
(
Util
.
isAbsoluteUri
(
"foo/bar"
));
}
}
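Review bot: the hunk header shows `public class UtilTest {` with no TestCase superclass, so if this file runs under JUnit 4 the new `testIsAbsoluteUri()` needs an `@Test` annotation or the runner will never execute it; add the annotation (matching whatever the other methods in the file use). Consider also adding cases for a network-path reference such as `"//host/"` and for a bare `"foo:bar"`, which would document how the check treats a missing scheme versus a colon inside the first path segment.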