- 05 Feb, 2015 2 commits
  - Committed by Jesse Glick
  - Committed by James Nord
    SECURITY-167 defend against XXE attacks in core https://issues.jenkins-ci.org/browse/SECURITY-167
- 04 Feb, 2015 3 commits
  - Committed by Ryan Campbell
    These users can still be instantiated, as would happen if there is no security and an anonymous user triggers a build -- the anonymous user would correctly be created and added to the User list. This fix merely prevents the saving of that user, and therefore prevents them from logging in. There may be some plugins which trigger a build as the SYSTEM user, and that is not prohibited here. Also prevent full names of 'anonymous', 'system' or 'unknown'. As discussed on SECURITY-166 this may encumber auditing since full names are used in most places in the UI.
  - Committed by James Nord
    add stack trace so the offending plugin/code can be identified
  - Committed by James Nord
- 03 Feb, 2015 2 commits
  - Committed by James Nord
    Attempt to set SAX specific properties to defend against XXE attacks.
  - Committed by James Nord
    Added a new EntityResolver that will throw an exception if any attempts are made to load external entities. Made the transformer use SAX so that we can use our EntityResolver. As we can't defend against calls that have already parsed the xml (e.g. DOMSource), if we are passed one of those, throw an exception (which can be disabled with a System property).
- 23 Jan, 2015 1 commit
  - Committed by Jesse Glick
    [SECURITY-163] Non-browser-based DownloadService
- 21 Jan, 2015 2 commits
  - Committed by Jesse Glick
    In 20340e18 @daniel-beck suggested updating this text.
  - Committed by Jesse Glick
- 14 Jan, 2015 7 commits
  - Committed by Jesse Glick
    Avoids rechecking at every startup, mainly relevant during interactive testing when restarts may be quite frequent.
  - Committed by Jesse Glick
  - Committed by Jesse Glick
  - Committed by Jesse Glick
  - Committed by Jesse Glick
    In this case we are probably interested in looking at the output as it arrives in real time. Can always be overridden on the command line if desired. (cherry picked from commit 44a8ec11)
  - Committed by Jesse Glick
  - Committed by Jesse Glick
- 13 Jan, 2015 1 commit
  - Committed by Jesse Glick
    Also moving this switch to security settings.
- 10 Jan, 2015 17 commits
  - Committed by Jesse Glick
  - Committed by Jesse Glick
  - Committed by Jesse Glick
  - Committed by Jesse Glick
  - Committed by Jesse Glick
  - Committed by Jesse Glick
    (cherry picked from commit 6318b8d8)
  - Committed by Jesse Glick
    (cherry picked from commit e4c5c710)
  - Committed by Jesse Glick
  - Committed by Jesse Glick
    (cherry picked from commit df9c92e4)
  - Committed by Jesse Glick
    (cherry picked from commit 1c99cc1a)
  - Committed by Jesse Glick
    loadJSON does not support parsing HTML. Nor should it need to, since UC URLs are supposed to be to the JSONP file. The .html extension is added automatically by downloadService when postBack is supported. (cherry picked from commit d6b37a94) Conflicts: test/src/test/java/hudson/model/UpdateSiteTest.java test/src/test/resources/hudson/model/update-center.json.html
  - Committed by Jesse Glick
    (cherry picked from commit fb524145)
  - Committed by Jesse Glick
    @kohsuke prefers that the option to disable signature checks not even be presented unless -Dhudson.model.DownloadService.noSignatureCheck is used. (cherry picked from commit 54c85007)
  - Committed by Jesse Glick
    Be a bit paranoid and ensure the admin has CONFIGURE_UPDATECENTER before turning off signature checks. (cherry picked from commit 1262d882)
  - Committed by Jesse Glick
    (cherry picked from commit 1ac77750) Conflicts: core/src/main/java/hudson/model/DownloadService.java core/src/main/java/hudson/model/UpdateSite.java
  - Committed by Oliver Gondža
    Ugly hack to fix destroyProcess for Java8 (cherry picked from commit 19640e7b)
  - Committed by Kohsuke Kawaguchi
    Integrated the new version of XStream that contains the fix. (cherry picked from commit 585eb87c) Conflicts: changelog.html
- 10 Mar, 2014 2 commits
  - Committed by Kohsuke Kawaguchi
  - Committed by Kohsuke Kawaguchi
- 03 Mar, 2014 3 commits
  - Committed by Kohsuke Kawaguchi
  - Committed by Kohsuke Kawaguchi
  - Committed by Kohsuke Kawaguchi