Added "X-Content-Type-Options: nosniff" for serving user-generated
contents to improve security a little bit

Plugins that depend on LTS shouldn't be using this API.

CONFIGURE permission shouldn't allow the type of the job to be changed.
That's more of CREATE+DELETE.

In any case, the code doesn't correctly handling submitting config.xml
for a different type.

After talking to Jesse, he's OK with me bringing it back to public so
long as we don't allow other programmatic dependencies to it.

The intention of leaving them mutable is to allow admins to play with
this in the groovy script during the initialization and at runtime.

Groovy currently ignores the private access modifier anyway, but that is
considered as a bug in the upstream
(https://jira.codehaus.org/browse/GROOVY-3010)

It may be that the 'newName' exists and just not visible to the user trying to do a rename

[SECURITY-120] Do not print a warning with stack trace just because we are using a 2.x servlet container.

If Jenkins URL is set to https, force the secure flag. Also force the
cookie to be HTTP only, which mitigates the damage that XSS can cause.

See https://www.owasp.org/index.php/SecureFlag

Don't let UsernameNotFoundException vs BadCredentialsException
difference to be seen by the caller, for that tells whether the user
exists or not.

But to assist trouble-shooting, do report that error to the server. UUID
helps the user finds the information in the log file

Don't wait for a connection forever, which can cause the thread to hang forever if the upload link never arrives

ZeroClipboard 1.3.5 is rather incompatible with 1.1.7, and various API changes were needed.

 - setText() call doesn't work until the DOM is populated, which is at some unknown time AFAICT.
   installing it via the datarequested event avoids this problem.
 - constructor now demands the element to attach to, and it's unclear if relative positioning is working or not.
 - "display: inline-block" is needed for ZeroClipboard to correctly compute the height of the element

Protect default password value from users who are triggering builds.

Coerce the parameter value to one of a legal value

[FIXED SECURITY-155] Do not allow plugin code to be downloaded via doDynamic, only static resources.

In this case we are probably interested in looking at the output as it arrives in real time.
Can always be overridden on the command line if desired.
(cherry picked from commit 44a8ec11)

[FIXED SECURITY-131] Recode restOfPath before constructing URLs from it, so it cannot be used for directory traversal.

Seems to work in 8.0 at least for some functional tests.
Developers can always disable it privately if they run into issues.
(cherry picked from commit 7b420175)

Conflicts:
	pom.xml

Updating branch base to 1.532.

[FIXED SECURITY-109] SECURITY-55 fix to BuildTrigger configuration failed if downstream project was not visible.

[FIXED SECURITY-107] When security-related fields in Jenkins cannot be unmarshaled, it is best to halt startup.

[FIXED SECURITY-93] PasswordParameterDefinition should serve existing default value in encrypted form.
And strengthen functional tests (using configRoundTrip) to ensure that the same mistake is not made elsewhere.