Merge branch 'security' into security-stable-1.596

Conflicts: core/src/test/java/hudson/util/FormValidationTest.java test/src/test/java/hudson/model/UserTest.java

Merge branch 'security' into security-stable-1.596
Conflicts: core/src/test/java/hudson/util/FormValidationTest.java test/src/test/java/hudson/model/UserTest.java
9abf3661 · Jesse Glick · 2f4d8907 · f58ba6e7 · 9abf3661 · 9abf3661
4 changed file
--- a/core/src/main/java/hudson/util/FormValidation.java
+++ b/core/src/main/java/hudson/util/FormValidation.java
@@ -199,7 +199,7 @@ public abstract class FormValidation extends IOException implements HttpResponse
            " <a href='#' class='showDetails'>"
            + Messages.FormValidation_Error_Details()
            + "</a><pre style='display:none'>"
-            + Functions.printThrowable(e) +
+            + Util.escape(Functions.printThrowable(e)) +
            "</pre>",kind
        );
    }

--- a/core/src/main/java/jenkins/security/ApiTokenProperty.java
+++ b/core/src/main/java/jenkins/security/ApiTokenProperty.java
@@ -81,6 +81,7 @@ public class ApiTokenProperty extends UserProperty {
    }

    public void changeApiToken() throws IOException {
+        user.checkPermission(Jenkins.ADMINISTER);
        _changeApiToken();
        if (user!=null)
            user.save();

--- a/core/src/test/java/hudson/util/FormValidationTest.java
+++ b/core/src/test/java/hudson/util/FormValidationTest.java
@@ -28,6 +28,9 @@ import static org.junit.Assert.*;
 import java.util.Arrays;

 import org.junit.Test;
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.not;
+import static org.hamcrest.MatcherAssert.assertThat;

 /**
 * @author sogabe
@@ -105,4 +108,10 @@ public class FormValidationTest {
    private FormValidation aggregate(FormValidation... fvs) {
        return FormValidation.aggregate(Arrays.asList(fvs));
    }
+
+    @Test
+    public void formValidationException() {
+        FormValidation fv = FormValidation.error(new Exception("<html"), "Message<html");
+        assertThat(fv.renderHtml(), not(containsString("<html")));
+    }
 }
--- a/test/src/test/java/hudson/model/UserTest.java
+++ b/test/src/test/java/hudson/model/UserTest.java
@@ -28,6 +28,7 @@ import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
 import com.gargoylesoftware.htmlunit.WebAssert;
 import com.gargoylesoftware.htmlunit.html.HtmlForm;
 import com.gargoylesoftware.htmlunit.html.HtmlPage;
+
 import hudson.security.AccessDeniedException2;
 import hudson.security.GlobalMatrixAuthorizationStrategy;
 import hudson.security.HudsonPrivateSecurityRealm;
@@ -41,9 +42,13 @@ import java.util.Collections;

 import jenkins.model.IdStrategy;
 import jenkins.model.Jenkins;
+import jenkins.security.ApiTokenProperty;
+
+import org.acegisecurity.AccessDeniedException;
 import org.acegisecurity.Authentication;
 import org.acegisecurity.context.SecurityContext;
 import org.acegisecurity.context.SecurityContextHolder;
+
 import static org.junit.Assert.*;
 import static org.junit.Assume.*;
 import org.junit.Rule;
@@ -498,6 +503,42 @@ public class UserTest {
        assertTrue("But once storage is allocated, he can be deleted", user3.canDelete());
    }

+    @Test
+    // @Issue("SECURITY-180")
+    public void security180() throws Exception {
+        final GlobalMatrixAuthorizationStrategy auth = new GlobalMatrixAuthorizationStrategy();
+        j.jenkins.setAuthorizationStrategy(auth);
+        j.jenkins.setSecurityRealm(new HudsonPrivateSecurityRealm(false));
+
+        User alice = User.get("alice");
+        User bob = User.get("bob");
+        User anonymous = User.get("anonymous");
+        User admin = User.get("admin");
+
+        auth.add(Jenkins.READ, alice.getId());
+        auth.add(Jenkins.READ, bob.getId());
+        auth.add(Jenkins.ADMINISTER, admin.getId());
+
+        SecurityContextHolder.getContext().setAuthentication(admin.impersonate());
+        // Change token by admin
+        admin.getProperty(ApiTokenProperty.class).changeApiToken();
+        alice.getProperty(ApiTokenProperty.class).changeApiToken();
+
+        SecurityContextHolder.getContext().setAuthentication(bob.impersonate());
+        // Change own token
+        bob.getProperty(ApiTokenProperty.class).changeApiToken();
+
+        try {
+            alice.getProperty(ApiTokenProperty.class).changeApiToken();
+            fail("Bob should not be authorized to change alice's token");
+        } catch (AccessDeniedException expected) { }
+
+        try {
+            anonymous.getProperty(ApiTokenProperty.class).changeApiToken();
+            fail("Anonymous should not be authorized to change alice's token");
+        } catch (AccessDeniedException expected) { }
+    }
+
     public static class SomeUserProperty extends UserProperty {
         
        @TestExtension