[FIXED JENKINS-14113]

The proposed fix https://github.com/buckett/jenkins/commit/eec16f1b6156aea76bd0cc6e0262538713ebffb6 has a problem in that it'd allow anything that has the given URL name as a prefix.

core/src/main/java/jenkins/model/Jenkins.java

@@ -3520,7 +3520,7 @@ public class Jenkins extends AbstractCIBase implements ModifiableItemGroup<TopLe
 
             for (Action a : getActions()) {
                 if (a instanceof UnprotectedRootAction) {
-                    if (rest.startsWith("/"+a.getUrlName()+"/"))
+                    if (rest.startsWith("/"+a.getUrlName()+"/") || rest.equals("/"+a.getUrlName()))
                         return this;
                 }
             }

core/src/main/resources/hudson/model/EnvironmentContributor/EnvVarsHtml/index.groovy

+package hudson.model.EnvironmentContributor.EnvVarsHtml;
 import hudson.model.EnvironmentContributor
 import hudson.scm.SCM
 

test/src/test/java/jenkins/model/JenkinsTest.java

@@ -23,12 +23,24 @@
  */
 package jenkins.model;
 
+import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
+import hudson.model.InvisibleAction;
+import hudson.model.RootAction;
+import hudson.model.UnprotectedRootAction;
+import hudson.security.FullControlOnceLoggedInAuthorizationStrategy;
+import hudson.util.HttpResponses;
 import junit.framework.Assert;
 import hudson.model.FreeStyleProject;
 import hudson.util.FormValidation;
 
 import org.junit.Test;
+import org.jvnet.hudson.test.Bug;
 import org.jvnet.hudson.test.HudsonTestCase;
+import org.jvnet.hudson.test.TestExtension;
+import org.kohsuke.stapler.HttpResponse;
+import org.xml.sax.SAXException;
+
+import java.io.IOException;
 
 /**
  * @author kingfai
@@ -161,4 +173,69 @@ public class JenkinsTest extends HudsonTestCase {
         FormValidation v = jenkins.doCheckDisplayName(jobName, curJobName);
         Assert.assertEquals(FormValidation.Kind.WARNING, v.kind);                
     }
+
+    /**
+     * Makes sure access to "/foobar" for UnprotectedRootAction gets through.
+     */
+    @Bug(14113)
+    public void testUnprotectedRootAction() throws Exception {
+        jenkins.setSecurityRealm(createDummySecurityRealm());
+        jenkins.setAuthorizationStrategy(new FullControlOnceLoggedInAuthorizationStrategy());
+        WebClient wc = createWebClient();
+        wc.goTo("/foobar");
+        wc.goTo("/foobar/");
+        wc.goTo("/foobar/zot");
+
+        // and make sure this fails
+        try {
+            wc.goTo("/foobar-zot/");
+            fail();
+        } catch (FailingHttpStatusCodeException e) {
+            assertEquals(500,e.getStatusCode());
+        }
+
+        assertEquals(3,jenkins.getExtensionList(RootAction.class).get(RootActionImpl.class).count);
+    }
+
+    @TestExtension("testUnprotectedRootAction")
+    public static class RootActionImpl implements UnprotectedRootAction {
+        private int count;
+
+        public String getIconFileName() {
+            return null;
+        }
+
+        public String getDisplayName() {
+            return null;
+        }
+
+        public String getUrlName() {
+            return "foobar";
+        }
+
+        public HttpResponse doDynamic() {
+            assertTrue(Jenkins.getInstance().getAuthentication().getName().equals("anonymous"));
+            count++;
+            return HttpResponses.html("OK");
+        }
+    }
+
+    @TestExtension("testUnprotectedRootAction")
+    public static class ProtectedRootActionImpl implements RootAction {
+        public String getIconFileName() {
+            return null;
+        }
+
+        public String getDisplayName() {
+            return null;
+        }
+
+        public String getUrlName() {
+            return "foobar-zot";
+        }
+
+        public HttpResponse doDynamic() {
+            throw new AssertionError();
+        }
+    }
 }