Merge branch 'security' into security-stable-1.596

921cfa9e · Kohsuke Kawaguchi · 9abf3661 · 69908093 · 921cfa9e · 921cfa9e
2 changed file
--- a/core/src/main/java/hudson/security/HudsonFilter.java
+++ b/core/src/main/java/hudson/security/HudsonFilter.java
@@ -36,6 +36,7 @@ import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;

 import org.acegisecurity.AuthenticationManager;
 import org.acegisecurity.ui.rememberme.RememberMeServices;
@@ -153,7 +154,10 @@ public class HudsonFilter implements Filter {

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        LOGGER.entering(HudsonFilter.class.getName(), "doFilter");
-        
+
+        // this is not the best place to do it, but doing it here makes the patch smaller.
+        ((HttpServletResponse)response).setHeader("X-Content-Type-Options", "nosniff");
+
        // to deal with concurrency, we need to capture the object.
        Filter f = filter;


--- a/test/src/test/java/jenkins/security/Security177Test.java
+++ b/test/src/test/java/jenkins/security/Security177Test.java
+package jenkins.security;
+
+import com.gargoylesoftware.htmlunit.Page;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.JenkinsRule.WebClient;
+
+import java.net.URL;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * @author Kohsuke Kawaguchi
+ */
+// @Issue("SECURITY-177")
+public class Security177Test {
+    @Rule
+    public JenkinsRule jenkins = new JenkinsRule();
+    
+    @Test
+    public void nosniff() throws Exception {
+        WebClient wc = jenkins.createWebClient();
+        wc.setThrowExceptionOnFailingStatusCode(false);
+
+        URL u = jenkins.getURL();
+        verifyNoSniff(wc.getPage(new URL(u, "adjuncts/507db12b/nosuch/adjunct.js")));
+        verifyNoSniff(wc.getPage(new URL(u, "no-such-page")));
+        verifyNoSniff(wc.getPage(new URL(u, "images/title.svg")));
+        verifyNoSniff(wc.getPage(u));
+    }
+
+    private void verifyNoSniff(Page p) {
+        String v = p.getWebResponse().getResponseHeaderValue("X-Content-Type-Options");
+        assertEquals(v,"nosniff");
+    }
+}