Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
LinuxSuRen
jenkins
提交
71b34101
J
jenkins
项目概览
LinuxSuRen
/
jenkins
与 Fork 源项目一致
从无法访问的项目Fork
通知
2
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
J
jenkins
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
71b34101
编写于
11月 06, 2015
作者:
K
Kohsuke Kawaguchi
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Reworked the fix.
Most of the changes are now in remoting.
上级
8622080c
变更
3
隐藏空白更改
内联
并排
Showing
3 changed file
with
5 addition
and
127 deletion
+5
-127
cli/src/main/java/hudson/cli/Connection.java
cli/src/main/java/hudson/cli/Connection.java
+4
-1
core/src/main/java/jenkins/security/RemotingFilterClassLoader.java
...main/java/jenkins/security/RemotingFilterClassLoader.java
+0
-125
pom.xml
pom.xml
+1
-1
未找到文件。
cli/src/main/java/hudson/cli/Connection.java
浏览文件 @
71b34101
...
...
@@ -23,6 +23,8 @@
*/
package
hudson.cli
;
import
hudson.remoting.ClassFilter
;
import
hudson.remoting.ObjectInputStreamEx
;
import
hudson.remoting.SocketChannelStream
;
import
org.apache.commons.codec.binary.Base64
;
...
...
@@ -107,7 +109,8 @@ public class Connection {
* Receives an object sent by {@link #writeObject(Object)}
*/
public
<
T
>
T
readObject
()
throws
IOException
,
ClassNotFoundException
{
ObjectInputStream
ois
=
new
ObjectInputStream
(
in
);
ObjectInputStream
ois
=
new
ObjectInputStreamEx
(
in
,
ClassFilter
.
DEFAULT
.
decorate
(
getClass
().
getClassLoader
()));
return
(
T
)
ois
.
readObject
();
}
...
...
core/src/main/java/jenkins/security/RemotingFilterClassLoader.java
已删除
100644 → 0
浏览文件 @
8622080c
package
jenkins.security
;
/**
* Prevents problematic classes from getting de-serialized.
*
* @author Kohsuke Kawaguchi
*/
public
class
RemotingFilterClassLoader
extends
ClassLoader
{
private
final
ClassLoader
actual
;
public
RemotingFilterClassLoader
(
ClassLoader
actual
)
{
// intentionally not passing 'actual' as the parent classloader to the super type
// to prevent accidental bypassing of a filter.
this
.
actual
=
actual
;
}
@Override
public
Class
<?>
loadClass
(
String
name
)
throws
ClassNotFoundException
{
if
(
isBlacklisted
(
name
))
throw
new
ClassNotFoundException
(
name
);
Class
<?>
c
=
actual
.
loadClass
(
name
);
if
(
isBlacklisted
(
c
))
throw
new
ClassNotFoundException
(
name
);
return
c
;
}
protected
boolean
isBlacklisted
(
String
name
)
{
// these are coming from libraries, so protecting it by name is better as
// some plugins might be bundling them and choosing to mask ones from core.
if
(
name
.
startsWith
(
"org.codehaus.groovy.runtime."
))
return
true
;
// ConvertedClosure is named in exploit
if
(
name
.
startsWith
(
"org.apache.commons.collections.functors."
))
return
true
;
// InvokerTransformer, InstantiateFactory, InstantiateTransformer are particularly scary
// this package can appear in ordinary xalan.jar or com.sun.org.apache.xalan
// the target is trax.TemplatesImpl
if
(
name
.
contains
(
"org.apache.xalan"
))
return
true
;
return
false
;
}
protected
boolean
isBlacklisted
(
Class
c
)
{
/* Switched to blacklisting by name.
import org.apache.commons.collections.Transformer;
import org.codehaus.groovy.runtime.ConversionHandler;
import javax.xml.transform.Templates;
if (Transformer.class.isAssignableFrom(c))
return true;
if (ConversionHandler.class.isAssignableFrom(c))
return true;
if (Templates.class.isAssignableFrom(c))
return true;
*/
return
false
;
}
}
/*
Publicized attack payload:
ObjectInputStream.readObject()
PriorityQueue.readObject()
Comparator.compare() (Proxy)
ConvertedClosure.invoke()
MethodClosure.call()
...
Method.invoke()
Runtime.exec()
ObjectInputStream.readObject()
AnnotationInvocationHandler.readObject()
Map(Proxy).entrySet()
AnnotationInvocationHandler.invoke()
LazyMap.get()
ChainedTransformer.transform()
ConstantTransformer.transform()
InvokerTransformer.transform()
Method.invoke()
Class.getMethod()
InvokerTransformer.transform()
Method.invoke()
Runtime.getRuntime()
InvokerTransformer.transform()
Method.invoke()
Runtime.exec()
ObjectInputStream.readObject()
PriorityQueue.readObject()
...
TransformingComparator.compare()
InvokerTransformer.transform()
Method.invoke()
Runtime.exec()
ObjectInputStream.readObject()
SerializableTypeWrapper.MethodInvokeTypeProvider.readObject()
SerializableTypeWrapper.TypeProvider(Proxy).getType()
AnnotationInvocationHandler.invoke()
HashMap.get()
ReflectionUtils.findMethod()
SerializableTypeWrapper.TypeProvider(Proxy).getType()
AnnotationInvocationHandler.invoke()
HashMap.get()
ReflectionUtils.invokeMethod()
Method.invoke()
Templates(Proxy).newTransformer()
AutowireUtils.ObjectFactoryDelegatingInvocationHandler.invoke()
ObjectFactory(Proxy).getObject()
AnnotationInvocationHandler.invoke()
HashMap.get()
Method.invoke()
TemplatesImpl.newTransformer()
TemplatesImpl.getTransletInstance()
TemplatesImpl.defineTransletClasses()
TemplatesImpl.TransletClassLoader.defineClass()
Pwner*(Javassist-generated).<static init>
Runtime.exec()
*/
pom.xml
浏览文件 @
71b34101
...
...
@@ -174,7 +174,7 @@ THE SOFTWARE.
<dependency>
<groupId>
org.jenkins-ci.main
</groupId>
<artifactId>
remoting
</artifactId>
<version>
2.
47
</version>
<version>
2.
53-SNAPSHOT
</version>
</dependency>
<dependency>
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录
