Bumping up dependencies to 1.3.1, with extra precaution to make
DiskFileItem non-serializable

(cherry picked from commit 261f4053)

(cherry picked from commit facfc178)

[JENKINS-21984] Disabling cert check on updateDirectlyWithJson since the certificate is now expired, and it is no good to have a test which is known to start failing at a particular time in the future!
(cherry picked from commit 334ce1be)

The jenkins_main_trunk job has been retired, so for now just skip these tests when running on any Jenkins server.
(cherry picked from commit b7d4c6a4)

Conflicts:
	test/src/test/groovy/hudson/cli/BuildCommandTest.groovy

For reasons TBD, sometimes CI tests fail with (1.565.x):
java.lang.InterruptedException: null
	at java.lang.Object.wait(Native Method)
	at java.lang.Object.wait(Object.java:503)
	at org.jvnet.hudson.reactor.Reactor.execute(Reactor.java:267)
	at jenkins.InitReactorRunner.run(InitReactorRunner.java:44)
	at jenkins.model.Jenkins.executeReactor(Jenkins.java:915)
	at jenkins.model.Jenkins.<init>(Jenkins.java:814)
	at hudson.model.Hudson.<init>(Hudson.java:82)
	at org.jvnet.hudson.test.JenkinsRule.newHudson(JenkinsRule.java:539)
	at org.jvnet.hudson.test.JenkinsRule.before(JenkinsRule.java:331)
	at org.jvnet.hudson.test.JenkinsRule$2.evaluate(JenkinsRule.java:479)
(cherry picked from commit 7bbf36b7)

Trying to make SocketTimeoutException’s (as originally noted in 3ec7e562) not turn into test errors. (Works only in JenkinsRule, not HudsonTestCase.) Still have no clue as to cause.

(cherry picked from commit 6fd76ea2)

Conflicts:
	test/src/main/java/org/jvnet/hudson/test/JenkinsRule.java

For example https://jenkins.ci.cloudbees.com/job/core/job/jenkins-core-validated-merge/38/testReport/lib.layout/LayoutTest/rejectedLinks/ failed with:
java.io.IOException: GET http://localhost:52099/jenkins/login failed
	at java.net.SocketInputStream.socketRead0(Native Method)
	at java.net.SocketInputStream.read(SocketInputStream.java:152)
	at java.net.SocketInputStream.read(SocketInputStream.java:122)
	at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
	at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
	at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
	at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
	at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1116)
	at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.readLine(MultiThreadedHttpConnectionManager.java:1413)
	at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:1973)
	at org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1735)
	at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1098)
	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
	at com.gargoylesoftware.htmlunit.HttpWebConnection.getResponse(HttpWebConnection.java:101)
	at com.gargoylesoftware.htmlunit.WebClient.loadWebResponseFromWebConnection(WebClient.java:1456)
	at com.gargoylesoftware.htmlunit.WebClient.loadWebResponse(WebClient.java:1387)
	at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:328)
	at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:389)
	at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:374)
	at org.jvnet.hudson.test.JenkinsRule$WebClient.goTo(JenkinsRule.java:1944)
	at org.jvnet.hudson.test.JenkinsRule$WebClient.goTo(JenkinsRule.java:1926)
	at lib.layout.LayoutTest.rejectedLinks(LayoutTest.java:44)
which makes little sense since the named IOException is actually thrown from HttpWebConnection.java:130.
Perhaps Surefire is not reporting the original cause correctly, conflating the wrapper’s message with the original stack trace.
As a temporary measure, printing the original stack trace to stderr if there is any.
(cherry picked from commit 3ec7e562)

Conflicts:
	test/src/main/java/org/jvnet/hudson/test/JenkinsRule.java

[JENKINS-10615] AbstractProjectTest.testWorkspaceLock frequently fails on jenkins.ci due to InterruptedException in HudsonTestCase.setUp.
Possibly because it is sorted after [JENKINS-15156] testGetBuildAfterGC and the test suite times out.

(cherry picked from commit 85e9e126)

[JENKINS-19192] Using JNR 3.0.1 which includes JNR-FFI 1.0.7; 1.0.6 has the backported fix for Guava #1505, the root cause.
So this upgrade ought to prevent a recurrence of the issue in case some other code refers to JNR from the CLI.
(As yet untested, and we do not especially want to send JNR over the CLI channel anyway for performance reasons.)

(cherry picked from commit 5e7b844b)

Conflicts:
	changelog.html

Stapler 1.218.1 was apparently never even deployed to the Maven repo, so let us just skip straight to 1.229 which has the fix and which we are using in the merged release branches anyway.

(cherry picked from commit 71600d8b)

(cherry picked from commit 9b53643c)

Conflicts:
	pom.xml

See https://github.com/jenkinsci/maven-plugin

(cherry picked from commit f98070d3)

Conflicts:
	maven-plugin/pom.xml
	maven-plugin/src/main/java/hudson/maven/AbstractMavenProcessFactory.java
	maven-plugin/src/main/java/hudson/maven/MavenModuleSetBuild.java
	maven-plugin/src/main/java/hudson/maven/MavenProcessFactory.java
	maven-plugin/src/main/resources/hudson/maven/MavenModuleSet/configure-entries.jelly
	plugins/pom.xml
	pom.xml

Added "X-Content-Type-Options: nosniff" for serving user-generated
contents to improve security a little bit

Plugins that depend on LTS shouldn't be using this API.

CONFIGURE permission shouldn't allow the type of the job to be changed.
That's more of CREATE+DELETE.

In any case, the code doesn't correctly handling submitting config.xml
for a different type.

After talking to Jesse, he's OK with me bringing it back to public so
long as we don't allow other programmatic dependencies to it.

The intention of leaving them mutable is to allow admins to play with
this in the groovy script during the initialization and at runtime.

Groovy currently ignores the private access modifier anyway, but that is
considered as a bug in the upstream
(https://jira.codehaus.org/browse/GROOVY-3010)

It may be that the 'newName' exists and just not visible to the user trying to do a rename

[SECURITY-120] Do not print a warning with stack trace just because we are using a 2.x servlet container.

If Jenkins URL is set to https, force the secure flag. Also force the
cookie to be HTTP only, which mitigates the damage that XSS can cause.

See https://www.owasp.org/index.php/SecureFlag

Don't let UsernameNotFoundException vs BadCredentialsException
difference to be seen by the caller, for that tells whether the user
exists or not.

But to assist trouble-shooting, do report that error to the server. UUID
helps the user finds the information in the log file

Don't wait for a connection forever, which can cause the thread to hang forever if the upload link never arrives

ZeroClipboard 1.3.5 is rather incompatible with 1.1.7, and various API changes were needed.

 - setText() call doesn't work until the DOM is populated, which is at some unknown time AFAICT.
   installing it via the datarequested event avoids this problem.
 - constructor now demands the element to attach to, and it's unclear if relative positioning is working or not.
 - "display: inline-block" is needed for ZeroClipboard to correctly compute the height of the element

Protect default password value from users who are triggering builds.

Coerce the parameter value to one of a legal value

[FIXED SECURITY-155] Do not allow plugin code to be downloaded via doDynamic, only static resources.

In this case we are probably interested in looking at the output as it arrives in real time.
Can always be overridden on the command line if desired.
(cherry picked from commit 44a8ec11)

[FIXED SECURITY-131] Recode restOfPath before constructing URLs from it, so it cannot be used for directory traversal.

Seems to work in 8.0 at least for some functional tests.
Developers can always disable it privately if they run into issues.
(cherry picked from commit 7b420175)

Conflicts:
	pom.xml

Updating branch base to 1.532.

[FIXED SECURITY-109] SECURITY-55 fix to BuildTrigger configuration failed if downstream project was not visible.

[FIXED SECURITY-107] When security-related fields in Jenkins cannot be unmarshaled, it is best to halt startup.