- 20 Sep, 2014 10 commits
-
-
Committed by Kohsuke Kawaguchi
(cherry picked from commit 5e7b844b) Conflicts: changelog.html
-
Committed by Jesse Glick
-
Committed by Jesse Glick
-
Committed by Jesse Glick
-
Committed by Jesse Glick
Stapler 1.218.1 was apparently never even deployed to the Maven repo, so let us just skip straight to 1.229 which has the fix and which we are using in the merged release branches anyway.
-
Committed by Jesse Glick
-
Committed by Jesse Glick
(cherry picked from commit 71600d8b)
-
Committed by Jesse Glick
Conflicts:
  maven-plugin/src/main/java/hudson/maven/AbstractMavenBuilder.java
  maven-plugin/src/main/java/hudson/maven/AbstractMavenProcessFactory.java
  maven-plugin/src/main/java/hudson/maven/Maven31ProcessFactory.java
  maven-plugin/src/main/java/hudson/maven/Maven3Builder.java
  maven-plugin/src/main/java/hudson/maven/Maven3ProcessFactory.java
  maven-plugin/src/main/java/hudson/maven/MavenBuildProxy.java
  maven-plugin/src/main/java/hudson/maven/MavenBuilder.java
  maven-plugin/src/main/java/hudson/maven/MavenProcessFactory.java
  maven-plugin/src/main/java/hudson/maven/MavenVersionCallable.java
  maven-plugin/src/main/java/hudson/maven/ProcessCache.java
  maven-plugin/src/main/java/hudson/maven/RedeployPublisher.java
  maven-plugin/src/main/java/hudson/maven/SplittableBuildListener.java
-
Committed by Jesse Glick
(cherry picked from commit 9b53643c) Conflicts: pom.xml
-
Committed by Kohsuke Kawaguchi
See https://github.com/jenkinsci/maven-plugin
(cherry picked from commit f98070d3)
Conflicts:
  maven-plugin/pom.xml
  maven-plugin/src/main/java/hudson/maven/AbstractMavenProcessFactory.java
  maven-plugin/src/main/java/hudson/maven/MavenModuleSetBuild.java
  maven-plugin/src/main/java/hudson/maven/MavenProcessFactory.java
  maven-plugin/src/main/resources/hudson/maven/MavenModuleSet/configure-entries.jelly
  plugins/pom.xml
  pom.xml
-
- 19 Sep, 2014 12 commits
-
-
Committed by Kohsuke Kawaguchi
-
Committed by Kohsuke Kawaguchi
  - If a write results in a file creation, do the create check, to align with the POSIX semantics.
  - Don't make pointless mkdirs check if the directory already exists
  - read vs readSymlink difference is dangerous because read() can be called for symlinks in other contexts as well.
-
Committed by Kohsuke Kawaguchi
-
Committed by Kohsuke Kawaguchi
-
Committed by Kohsuke Kawaguchi
If you look at the log graph of this file, you'll see that 535c1115 removed this line for SECURITY-76, but it's still present in 1239ed3b. Most likely because d482fc50 edited a nearby line, and the merge conflict wasn't properly resolved.
-
Committed by Kohsuke Kawaguchi
... like pipes. IOSyncer, PingThread.Ping, RPCRequest, SetMaximumBytecodeLevel all look harmless. PreloadJarTask is dubious, but with classloading from slave disabled, it becomes harmless.
-
Committed by Kohsuke Kawaguchi
-
Committed by Kohsuke Kawaguchi
We often create anonymous Callable types, yet an anonymous class cannot be annotated. These convenient base classes make that transition easy
-
Committed by Kohsuke Kawaguchi
This callable allows an arbitrary file to be read from the master
-
Committed by Kohsuke Kawaguchi
Hide system information and diagnostics of the master from slaves
-
Committed by Kohsuke Kawaguchi
[SECURITY-144] Introduced annotation to mark Callables whether they can be safely invoked from slaves
-
Committed by Kohsuke Kawaguchi
Provide opportunity to install CallableDecorators before channels are created, to ensure every callable sent gets caught
-
- 08 Sep, 2014 2 commits
-
-
Committed by Kohsuke Kawaguchi
-
Committed by Kohsuke Kawaguchi
-
- 03 Sep, 2014 5 commits
-
-
Committed by Kohsuke Kawaguchi
Added "X-Content-Type-Options: nosniff" for serving user-generated contents to improve security a little bit
-
Committed by Kohsuke Kawaguchi
Plugins that depend on LTS shouldn't be using this API.
-
Committed by Kohsuke Kawaguchi
CONFIGURE permission shouldn't allow the type of the job to be changed. That's more of CREATE+DELETE. In any case, the code doesn't correctly handle submitting config.xml for a different type.
-
Committed by Kohsuke Kawaguchi
After talking to Jesse, he's OK with me bringing it back to public so long as we don't allow other programmatic dependencies to it. The intention of leaving them mutable is to allow admins to play with this in the groovy script during the initialization and at runtime. Groovy currently ignores the private access modifier anyway, but that is considered as a bug in the upstream (https://jira.codehaus.org/browse/GROOVY-3010)
-
Committed by Kohsuke Kawaguchi
It may be that the 'newName' exists and just not visible to the user trying to do a rename
-
- 01 Sep, 2014 1 commit
-
-
Committed by Jesse Glick
[SECURITY-120] Do not print a warning with stack trace just because we are using a 2.x servlet container.
-
- 31 Aug, 2014 1 commit
-
-
Committed by Jesse Glick
-
- 30 Aug, 2014 6 commits
-
-
Committed by Kohsuke Kawaguchi
If Jenkins URL is set to https, force the secure flag. Also force the cookie to be HTTP only, which mitigates the damage that XSS can cause. See https://www.owasp.org/index.php/SecureFlag
-
Committed by Kohsuke Kawaguchi
Don't let the UsernameNotFoundException vs BadCredentialsException difference be seen by the caller, for that tells whether the user exists or not. But to assist trouble-shooting, do report that error to the server. UUID helps the user find the information in the log file
-
Committed by Kohsuke Kawaguchi
Don't wait for a connection forever, which can cause the thread to hang forever if the upload link never arrives
-
Committed by Kohsuke Kawaguchi
ZeroClipboard 1.3.5 is rather incompatible with 1.1.7, and various API changes were needed.
  - setText() call doesn't work until the DOM is populated, which is at some unknown time AFAICT. Installing it via the datarequested event avoids this problem.
  - constructor now demands the element to attach to, and it's unclear if relative positioning is working or not.
  - "display: inline-block" is needed for ZeroClipboard to correctly compute the height of the element
-
Committed by Kohsuke Kawaguchi
Protect default password value from users who are triggering builds.
-
Committed by Kohsuke Kawaguchi
Coerce the parameter value to one of a legal value
-
- 23 Aug, 2014 2 commits
-
-
Committed by Jesse Glick
[FIXED SECURITY-155] Do not allow plugin code to be downloaded via doDynamic, only static resources.
-
Committed by Jesse Glick
In this case we are probably interested in looking at the output as it arrives in real time. Can always be overridden on the command line if desired. (cherry picked from commit 44a8ec11)
-
- 21 Aug, 2014 1 commit
-
-
Committed by Jesse Glick
[FIXED SECURITY-131] Recode restOfPath before constructing URLs from it, so it cannot be used for directory traversal.
-