Commit 31eeb753
Authored May 01, 2013 by Kohsuke Kawaguchi

merged back the RC branch

Parents: 555d2b1d, 384544c7

Showing 10 changed files with 114 additions and 42 deletions (+114 -42)
changelog.html (+13 -2)
core/pom.xml (+1 -1)
core/src/main/java/hudson/markup/MyspacePolicy.java (+0 -1)
core/src/main/java/hudson/model/Computer.java (+1 -16)
core/src/main/java/jenkins/model/Jenkins.java (+13 -6)
core/src/test/java/hudson/markup/MyspacePolicyTest.java (+1 -1)
debian/debian/changelog (+6 -0)
maven-plugin/src/main/java/hudson/maven/MavenProbeAction.java (+1 -15)
maven-plugin/src/main/java/hudson/maven/reporters/MavenAbstractArtifactRecord.java (+2 -0)
test/src/test/java/jenkins/model/JenkinsTest.java (+76 -0)
changelog.html
...
...
@@ -72,7 +72,10 @@ Upcoming changes</a>
<!-- these changes are controlled by the release process. DO NOT MODIFY -->
<div
id=
"rc"
style=
"display:none;"
>
<!--=BEGIN=-->
<h3><a
name=
v1.514
>
What's new in 1.514
</a>
<!--=DATE=-->
</h3>
<h3><a
name=
v1.515
>
What's new in 1.515
</a>
<!--=DATE=-->
</h3>
<!--=RC-CHANGES=-->
</div>
<!--=END=-->
<h3><a
name=
v1.514
>
What's new in 1.514
</a>
(2013/05/01)
</h3>
<ul
class=
image
>
<li
class=
rfe
>
Added a new
<tt>
set-build-parameter
</tt>
command that can update a build variable from within a build.
...
...
@@ -95,7 +98,6 @@ Upcoming changes</a>
<li
class=
rfe
>
Updated bundled plugins.
</ul>
</div>
<!--=END=-->
<h3><a
name=
v1.513
>
What's new in 1.513
</a>
(2013/04/28)
</h3>
<ul
class=
image
>
<li
class=
rfe
>
...
...
@@ -108,6 +110,15 @@ Upcoming changes</a>
<li
class=
rfe
>
Breadcrumb is reworked to show descendants to provide additional navigational shortcuts.
(
<a
href=
"https://wiki.jenkins-ci.org/display/JENKINS/FOSDEM+UI+Enhancement+discussion+notes+2013"
>
discussion
</a>
)
<li
class=
bug
>
Fixed CSRF vulnerabilities
(SECURITY-63,SECURITY-69)
<li
class=
bug
>
Fixed an XSS vulnerability via stylesheet
(SECURITY-67)
<li
class=
bug
>
Fixed an XSS vulnerability to copy arbitrary text into clipboard
(SECURITY-71/CVE-2013-1808)
</ul>
<h3><a
name=
v1.512
>
What's new in 1.512
</a>
(2013/04/21)
</h3>
<ul
class=
image
>
...
...
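Review bot: the three security entries added to the list that closes just before the 1.512 heading give only tracker ids (SECURITY-63, SECURITY-69, SECURITY-67, SECURITY-71/CVE-2013-1808) and no link, while the breadcrumb entry directly above them links to its discussion page. Link each entry to the corresponding security advisory so an administrator reading the changelog can tell what was affected, and add the missing space in "SECURITY-63,SECURITY-69".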
core/pom.xml
...
...
@@ -164,7 +164,7 @@ THE SOFTWARE.
<dependency>
<groupId>
org.kohsuke.stapler
</groupId>
<artifactId>
stapler-adjunct-zeroclipboard
</artifactId>
<version>
1.
0.7-2
</version>
<version>
1.
1.7-1
</version>
</dependency>
<dependency>
<groupId>
org.kohsuke.stapler
</groupId>
...
...
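Review bot: the `stapler-adjunct-zeroclipboard` version change from 1.0.7-2 to 1.1.7-1 is not explained anywhere; the commit message only says "merged back the RC branch". If this bump is what delivers the clipboard fix listed in changelog.html as SECURITY-71/CVE-2013-1808, say so in the commit message or in an XML comment next to the `<version>` element, so the dependency is not moved back later without anyone noticing the security impact.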
core/src/main/java/hudson/markup/MyspacePolicy.java
...
...
@@ -67,7 +67,6 @@ public class MyspacePolicy {
tag
(
"img"
,
"src"
,
ONSITE_OR_OFFSITE_URL
,
"hspace"
,
"vspace"
);
tag
(
"iframe"
,
"src"
);
tag
(
"link"
,
"type"
,
"rel"
);
tag
(
"ul,ol,li,dd,dl,dt,thead,tbody,tfoot"
);
tag
(
"table"
,
"noresize"
);
tag
(
"td,th,tr"
);
...
...
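Review bot: the `iframe` rule kept in this hunk, `tag("iframe","src")`, passes no URL pattern for `src`, while the `img` rule directly above it constrains `src` with `ONSITE_OR_OFFSITE_URL`. Since this hunk removes a rule from the policy (the matching test now expects `<link>` to be rejected), consider giving `iframe` the same constraint, or add a comment explaining why an unconstrained `src` is acceptable there.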
core/src/main/java/hudson/model/Computer.java
...
...
@@ -51,8 +51,6 @@ import hudson.slaves.RetentionStrategy;
import
hudson.slaves.WorkspaceList
;
import
hudson.slaves.OfflineCause
;
import
hudson.slaves.OfflineCause.ByCLI
;
import
hudson.tasks.BuildWrapper
;
import
hudson.tasks.Publisher
;
import
hudson.util.DaemonThreadFactory
;
import
hudson.util.EditDistance
;
import
hudson.util.ExceptionCatchingThreadFactory
;
...
...
@@ -1157,20 +1155,7 @@ public /*transient*/ abstract class Computer extends Actionable implements Acces
}
protected
void
_doScript
(
StaplerRequest
req
,
StaplerResponse
rsp
,
String
view
)
throws
IOException
,
ServletException
{
// ability to run arbitrary script is dangerous
checkPermission
(
Jenkins
.
RUN_SCRIPTS
);
String
text
=
req
.
getParameter
(
"script"
);
if
(
text
!=
null
)
{
try
{
req
.
setAttribute
(
"output"
,
RemotingDiagnostics
.
executeGroovy
(
text
,
getChannel
()));
}
catch
(
InterruptedException
e
)
{
throw
new
ServletException
(
e
);
}
}
req
.
getView
(
this
,
view
).
forward
(
req
,
rsp
);
Jenkins
.
_doScript
(
req
,
rsp
,
req
.
getView
(
this
,
view
),
getChannel
(),
getACL
());
}
/**
...
...
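Review bot: nothing in this commit tests the delegation to `Jenkins._doScript(req, rsp, req.getView(this, view), getChannel(), getACL())` at the end of this hunk; the cases added in JenkinsTest only request `script`, `scriptText` and `eval` on the root object. Add a test that goes through a `Computer`, including a user who lacks `RUN_SCRIPTS` and a GET that carries a `script` parameter, so a regression in the permission check or the POST requirement on this path is caught.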
core/src/main/java/jenkins/model/Jenkins.java
...
...
@@ -261,6 +261,7 @@ import java.io.InputStream;
import
java.io.PrintWriter
;
import
java.io.StringWriter
;
import
java.net.BindException
;
import
java.net.HttpURLConnection
;
import
java.net.URL
;
import
java.nio.charset.Charset
;
import
java.security.SecureRandom
;
...
...
@@ -3357,25 +3358,31 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
* Run arbitrary Groovy script.
*/
public
void
doScript
(
StaplerRequest
req
,
StaplerResponse
rsp
)
throws
IOException
,
ServletException
{
doScript
(
req
,
rsp
,
req
.
getView
(
this
,
"_script.jelly"
));
_doScript
(
req
,
rsp
,
req
.
getView
(
this
,
"_script.jelly"
),
MasterComputer
.
localChannel
,
getACL
(
));
}
/**
* Run arbitrary Groovy script and return result as plain text.
*/
public
void
doScriptText
(
StaplerRequest
req
,
StaplerResponse
rsp
)
throws
IOException
,
ServletException
{
doScript
(
req
,
rsp
,
req
.
getView
(
this
,
"_scriptText.jelly"
));
_doScript
(
req
,
rsp
,
req
.
getView
(
this
,
"_scriptText.jelly"
),
MasterComputer
.
localChannel
,
getACL
(
));
}
private
void
doScript
(
StaplerRequest
req
,
StaplerResponse
rsp
,
RequestDispatcher
view
)
throws
IOException
,
ServletException
{
/**
* @since 1.509.1
*/
public
static
void
_doScript
(
StaplerRequest
req
,
StaplerResponse
rsp
,
RequestDispatcher
view
,
VirtualChannel
channel
,
ACL
acl
)
throws
IOException
,
ServletException
{
// ability to run arbitrary script is dangerous
checkPermission
(
RUN_SCRIPTS
);
acl
.
checkPermission
(
RUN_SCRIPTS
);
String
text
=
req
.
getParameter
(
"script"
);
if
(
text
!=
null
)
{
if
(!
"POST"
.
equals
(
req
.
getMethod
()))
{
throw
HttpResponses
.
error
(
HttpURLConnection
.
HTTP_BAD_METHOD
,
"requires POST"
);
}
try
{
req
.
setAttribute
(
"output"
,
RemotingDiagnostics
.
executeGroovy
(
text
,
MasterComputer
.
localC
hannel
));
RemotingDiagnostics
.
executeGroovy
(
text
,
c
hannel
));
}
catch
(
InterruptedException
e
)
{
throw
new
ServletException
(
e
);
}
...
...
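Review bot: the new `public static _doScript(...)` is documented only with `@since 1.509.1`, although it is now the shared entry point that Computer and MavenProbeAction call in this commit. Its Javadoc should state that it checks `RUN_SCRIPTS` against the `acl` argument, runs the script on the `channel` argument, and answers `HTTP_BAD_METHOD` with "requires POST" when a `script` parameter arrives on any other method. It is also worth noting there that the method check is not a CSRF defence by itself: the POST is expected to carry a crumb, as testDoScript does through `wc.addCrumb(req)`.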
@@ -3391,7 +3398,7 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
*/
@RequirePOST
public
void
doEval
(
StaplerRequest
req
,
StaplerResponse
rsp
)
throws
IOException
,
ServletException
{
checkPermission
(
ADMINISTER
);
checkPermission
(
RUN_SCRIPTS
);
try
{
MetaClass
mc
=
WebApp
.
getCurrent
().
getMetaClass
(
getClass
());
...
...
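Review bot: changelog.html gets no entry for the `doEval` check moving from `checkPermission(ADMINISTER)` to `checkPermission(RUN_SCRIPTS)` in this hunk. An installation whose authorization strategy grants `ADMINISTER` without `RUN_SCRIPTS` (the "charlie" case in testDoEval) now gets HTTP_FORBIDDEN from this endpoint, so add a changelog line, and update the method's Javadoc if it names the required permission.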
core/src/test/java/hudson/markup/MyspacePolicyTest.java
...
...
@@ -43,7 +43,7 @@ public class MyspacePolicyTest extends Assert {
assertReject
(
"script"
,
"<script src='relative.js'></script>"
);
assertIntact
(
"<style>H1 { display:none; }</style>"
);
assert
Intact
(
"<link rel='stylesheet' type='text/css' href='http://www.microsoft.com/'>"
);
assert
Reject
(
"link"
,
"<link rel='stylesheet' type='text/css' href='http://www.microsoft.com/'>"
);
assertIntact
(
"<div style='background-color:white'>inline CSS</div>"
);
assertIntact
(
"<br><hr>"
);
...
...
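Review bot: only one `<link>` form is covered by the new `assertReject("link", ...)`, and the line directly above it still asserts that a `<style>` element passes through intact. Add a short comment or a further case stating why inline `<style>` and `style=` content remain acceptable once `<link>` is rejected, so the intent of the policy is recorded in the test.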
debian/debian/changelog
jenkins (1.514) unstable; urgency=low
* See http://jenkins-ci.org/changelog for more details.
-- Kohsuke Kawaguchi <kk@kohsuke.org> Wed, 01 May 2013 20:15:32 -0700
jenkins (1.513) unstable; urgency=low
* See http://jenkins-ci.org/changelog for more details.
...
...
maven-plugin/src/main/java/hudson/maven/MavenProbeAction.java
...
...
@@ -97,21 +97,7 @@ public final class MavenProbeAction implements Action {
}
public
void
doScript
(
StaplerRequest
req
,
StaplerResponse
rsp
)
throws
IOException
,
ServletException
{
// ability to run arbitrary script is dangerous,
// so tie it to the admin access
owner
.
checkPermission
(
Jenkins
.
RUN_SCRIPTS
);
String
text
=
req
.
getParameter
(
"script"
);
if
(
text
!=
null
)
{
try
{
req
.
setAttribute
(
"output"
,
RemotingDiagnostics
.
executeGroovy
(
text
,
channel
));
}
catch
(
InterruptedException
e
)
{
throw
new
ServletException
(
e
);
}
}
req
.
getView
(
this
,
"_script.jelly"
).
forward
(
req
,
rsp
);
Jenkins
.
_doScript
(
req
,
rsp
,
req
.
getView
(
this
,
"_script.jelly"
),
channel
,
owner
.
getACL
());
}
/**
...
...
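Review bot: imports are left untouched in this file (its diffstat is +1 -15, all inside this hunk) even though `doScript` no longer references `RemotingDiagnostics` after delegating to `Jenkins._doScript(...)`; remove that import if nothing else in the class uses it. The dropped comment "so tie it to the admin access" was also the only explanation of the permission model here, so a one-line comment saying the check is performed against `owner.getACL()` inside the shared helper would help the next reader.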
maven-plugin/src/main/java/hudson/maven/reporters/MavenAbstractArtifactRecord.java
...
...
@@ -65,6 +65,7 @@ import org.kohsuke.stapler.StaplerRequest;
import
org.kohsuke.stapler.StaplerResponse
;
import
org.kohsuke.stapler.export.Exported
;
import
org.kohsuke.stapler.export.ExportedBean
;
import
org.kohsuke.stapler.interceptor.RequirePOST
;
/**
* UI to redeploy artifacts after the fact.
...
...
@@ -208,6 +209,7 @@ public abstract class MavenAbstractArtifactRecord<T extends AbstractBuild<?,?>>
/**
* Performs a redeployment.
*/
@RequirePOST
public
final
HttpResponse
doRedeploy
(
@QueryParameter
(
"_.id"
)
final
String
id
,
@QueryParameter
(
"_.url"
)
final
String
repositoryUrl
,
...
...
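Review bot: `@RequirePOST` on `doRedeploy` will reject any caller that still triggers a redeployment with a GET, and no view or test change accompanies it in this commit. Confirm that the redeploy form submits with POST, add a test for the rejected GET, and extend the Javadoc ("Performs a redeployment.") to say the method is POST-only.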
test/src/test/java/jenkins/model/JenkinsTest.java
...
...
@@ -23,6 +23,9 @@
*/
package
jenkins.model
;
import
com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException
;
import
com.gargoylesoftware.htmlunit.HttpMethod
;
import
com.gargoylesoftware.htmlunit.WebRequestSettings
;
import
com.gargoylesoftware.htmlunit.html.HtmlForm
;
import
hudson.maven.MavenModuleSet
;
import
hudson.maven.MavenModuleSetBuild
;
...
...
@@ -32,6 +35,9 @@ import hudson.security.FullControlOnceLoggedInAuthorizationStrategy;
import
hudson.util.HttpResponses
;
import
junit.framework.Assert
;
import
hudson.model.FreeStyleProject
;
import
hudson.security.GlobalMatrixAuthorizationStrategy
;
import
hudson.security.LegacySecurityRealm
;
import
hudson.security.Permission
;
import
hudson.util.FormValidation
;
import
org.junit.Test
;
...
...
@@ -41,6 +47,7 @@ import org.jvnet.hudson.test.HudsonTestCase;
import
org.jvnet.hudson.test.TestExtension
;
import
org.kohsuke.stapler.HttpResponse
;
import
java.net.HttpURLConnection
;
import
java.net.URL
;
/**
* @author kingfai
...
...
@@ -237,6 +244,75 @@ public class JenkinsTest extends HudsonTestCase {
assertEquals
(
3
,
jenkins
.
getExtensionList
(
RootAction
.
class
).
get
(
RootActionImpl
.
class
).
count
);
}
public
void
testDoScript
()
throws
Exception
{
jenkins
.
setSecurityRealm
(
new
LegacySecurityRealm
());
GlobalMatrixAuthorizationStrategy
gmas
=
new
GlobalMatrixAuthorizationStrategy
()
{
@Override
public
boolean
hasPermission
(
String
sid
,
Permission
p
)
{
return
p
==
Jenkins
.
RUN_SCRIPTS
?
hasExplicitPermission
(
sid
,
p
)
:
super
.
hasPermission
(
sid
,
p
);
}
};
gmas
.
add
(
Jenkins
.
ADMINISTER
,
"alice"
);
gmas
.
add
(
Jenkins
.
RUN_SCRIPTS
,
"alice"
);
gmas
.
add
(
Jenkins
.
READ
,
"bob"
);
gmas
.
add
(
Jenkins
.
ADMINISTER
,
"charlie"
);
jenkins
.
setAuthorizationStrategy
(
gmas
);
WebClient
wc
=
createWebClient
();
wc
.
login
(
"alice"
);
wc
.
goTo
(
"script"
);
wc
.
assertFails
(
"script?script=System.setProperty('hack','me')"
,
HttpURLConnection
.
HTTP_BAD_METHOD
);
assertNull
(
System
.
getProperty
(
"hack"
));
WebRequestSettings
req
=
new
WebRequestSettings
(
new
URL
(
wc
.
getContextPath
()
+
"script?script=System.setProperty('hack','me')"
),
HttpMethod
.
POST
);
wc
.
getPage
(
wc
.
addCrumb
(
req
));
assertEquals
(
"me"
,
System
.
getProperty
(
"hack"
));
wc
.
assertFails
(
"scriptText?script=System.setProperty('hack','me')"
,
HttpURLConnection
.
HTTP_BAD_METHOD
);
req
=
new
WebRequestSettings
(
new
URL
(
wc
.
getContextPath
()
+
"scriptText?script=System.setProperty('huck','you')"
),
HttpMethod
.
POST
);
wc
.
getPage
(
wc
.
addCrumb
(
req
));
assertEquals
(
"you"
,
System
.
getProperty
(
"huck"
));
wc
.
login
(
"bob"
);
wc
.
assertFails
(
"script"
,
HttpURLConnection
.
HTTP_FORBIDDEN
);
wc
.
login
(
"charlie"
);
wc
.
assertFails
(
"script"
,
HttpURLConnection
.
HTTP_FORBIDDEN
);
}
public
void
testDoEval
()
throws
Exception
{
jenkins
.
setSecurityRealm
(
new
LegacySecurityRealm
());
GlobalMatrixAuthorizationStrategy
gmas
=
new
GlobalMatrixAuthorizationStrategy
()
{
@Override
public
boolean
hasPermission
(
String
sid
,
Permission
p
)
{
return
p
==
Jenkins
.
RUN_SCRIPTS
?
hasExplicitPermission
(
sid
,
p
)
:
super
.
hasPermission
(
sid
,
p
);
}
};
gmas
.
add
(
Jenkins
.
ADMINISTER
,
"alice"
);
gmas
.
add
(
Jenkins
.
RUN_SCRIPTS
,
"alice"
);
gmas
.
add
(
Jenkins
.
READ
,
"bob"
);
gmas
.
add
(
Jenkins
.
ADMINISTER
,
"charlie"
);
jenkins
.
setAuthorizationStrategy
(
gmas
);
// Otherwise get "RuntimeException: Trying to set the request parameters, but the request body has already been specified;the two are mutually exclusive!" from WebRequestSettings.setRequestParameters when POSTing content:
jenkins
.
setCrumbIssuer
(
null
);
WebClient
wc
=
createWebClient
();
wc
.
login
(
"alice"
);
wc
.
assertFails
(
"eval"
,
HttpURLConnection
.
HTTP_INTERNAL_ERROR
);
assertEquals
(
"3"
,
eval
(
wc
));
wc
.
login
(
"bob"
);
try
{
eval
(
wc
);
fail
(
"bob has only READ"
);
}
catch
(
FailingHttpStatusCodeException
e
)
{
assertEquals
(
HttpURLConnection
.
HTTP_FORBIDDEN
,
e
.
getStatusCode
());
}
wc
.
login
(
"charlie"
);
try
{
eval
(
wc
);
fail
(
"charlie has ADMINISTER but not RUN_SCRIPTS"
);
}
catch
(
FailingHttpStatusCodeException
e
)
{
assertEquals
(
HttpURLConnection
.
HTTP_FORBIDDEN
,
e
.
getStatusCode
());
}
}
private
String
eval
(
WebClient
wc
)
throws
Exception
{
WebRequestSettings
req
=
new
WebRequestSettings
(
new
URL
(
wc
.
getContextPath
()
+
"eval"
),
HttpMethod
.
POST
);
req
.
setRequestBody
(
"<j:jelly xmlns:j='jelly:core'>${1+2}</j:jelly>"
);
return
wc
.
getPage
(
/*wc.addCrumb(*/
req
/*)*/
).
getWebResponse
().
getContentAsString
();
}
@TestExtension
(
"testUnprotectedRootAction"
)
public
static
class
RootActionImpl
implements
UnprotectedRootAction
{
private
int
count
;
...
...
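Review bot: `testDoScript` sets the JVM-wide system properties `hack` and `huck` and never clears them, so its `assertNull(System.getProperty("hack"))` check depends on no earlier run in the same JVM having set the property. Clear both properties at the start of the test or in a `finally` block. Separately, `testDoEval` calls `jenkins.setCrumbIssuer(null)` and leaves `wc.addCrumb(` commented out in `eval(...)`, so `eval` is never exercised with crumb checking enabled; the `GlobalMatrixAuthorizationStrategy` setup duplicated in both tests could also move to a shared helper.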