Merge pull request #68 from jenkinsci-cert/SECURITY-273

[FIX SECURITY-273] Require admin permission to check update sites

Merge pull request #68 from jenkinsci-cert/SECURITY-273
[FIX SECURITY-273] Require admin permission to check update sites
53dd9046 · Jesse Glick · a92bb2df · 56be107f · 53dd9046
隐藏空白更改
内联并排

Showing with 1 addition and 0 deletion

core/src/main/java/hudson/PluginManager.java core/src/main/java/hudson/PluginManager.java +1 -0

未找到文件。
--- a/core/src/main/java/hudson/PluginManager.java
+++ b/core/src/main/java/hudson/PluginManager.java
@@ -890,6 +890,7 @@ public abstract class PluginManager extends AbstractModelObject implements OnMas

    @Restricted(NoExternalUse.class)
    @RequirePOST public HttpResponse doCheckUpdatesServer() throws IOException {
+        Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
        for (UpdateSite site : Jenkins.getInstance().getUpdateCenter().getSites()) {
            FormValidation v = site.updateDirectlyNow(DownloadService.signatureCheck);
            if (v.kind != FormValidation.Kind.OK) {