[SECURITY-233] Only append crumb to URL in multipart forms

ba747888 · Daniel Beck · ef2c0dc1 · ba747888
隐藏空白更改
内联并排

Showing with 7 addition and 4 deletion

war/src/main/webapp/scripts/hudson-behavior.js war/src/main/webapp/scripts/hudson-behavior.js +7 -4

未找到文件。
--- a/war/src/main/webapp/scripts/hudson-behavior.js
+++ b/war/src/main/webapp/scripts/hudson-behavior.js
@@ -117,10 +117,12 @@ var crumb = {
        var div = document.createElement("div");
        div.innerHTML = "<input type=hidden name='"+this.fieldName+"' value='"+this.value+"'>";
        form.appendChild(div);
-        if (form.action.indexOf("?") != -1) {
-            form.action = form.action+"&"+this.fieldName+"="+this.value;
-        } else {
-            form.action = form.action+"?"+this.fieldName+"="+this.value;
+        if (form.enctype == "multipart/form-data") {
+            if (form.action.indexOf("?") != -1) {
+                form.action = form.action+"&"+this.fieldName+"="+this.value;
+            } else {
+                form.action = form.action+"?"+this.fieldName+"="+this.value;
+            }
        }
    }
 }
@@ -2424,6 +2426,7 @@ function buildFormTree(form) {
                // switch to multipart/form-data to support file submission
                // @enctype is the standard, but IE needs @encoding.
                form.enctype = form.encoding = "multipart/form-data";
+                crumb.appendToForm(form);
                break;
            case "radio":
                if(!e.checked)  break;