Commit 5564a62e
Authored on Feb 05, 2015 by James Nord
Merge pull request #7 from jenkinsci-cert/SECURITY-167_2
[SECURITY-167] Followup tweaks to address review comments.
Parents: 1338e661, fe5077e5
Changes: 3
Showing 3 changed files with 8 additions and 20 deletions (+8 -20)
core/src/main/java/jenkins/util/xml/RestrictiveEntityResolver.java (+3 -2)
core/src/main/java/jenkins/util/xml/XMLUtils.java (+3 -0)
test/src/test/java/hudson/model/AbstractItemSecurityTest.java (+2 -18)
core/src/main/java/jenkins/util/xml/RestrictiveEntityResolver.java (view file @ 5564a62e)
package
jenkins.util.xml
;
import
org.kohsuke.accmod.Restricted
;
import
org.kohsuke.accmod.restrictions.NoExternalUse
;
import
org.xml.sax.EntityResolver
;
import
org.xml.sax.InputSource
;
import
org.xml.sax.SAXException
;
...
...
@@ -9,9 +11,8 @@ import java.io.IOException;
/**
* An EntityResolver that will fail to resolve any entities.
* Useful in preventing External XML Entity injection attacks.
*
* @since TODO
*/
@Restricted
(
NoExternalUse
.
class
)
public
final
class
RestrictiveEntityResolver
implements
EntityResolver
{
public
final
static
RestrictiveEntityResolver
INSTANCE
=
new
RestrictiveEntityResolver
();
...
...
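Review bot: the Javadoc on `RestrictiveEntityResolver` still carries `@since TODO`; replace the placeholder with the release version before merging, otherwise the generated API docs ship with a TODO. Also worth a sentence in that Javadoc: the class is now `@Restricted(NoExternalUse.class)` while the comment advertises it as "useful in preventing External XML Entity injection attacks", so plugins that parse XML themselves cannot rely on it and should be told that explicitly rather than discovering it from the access-modifier check.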
core/src/main/java/jenkins/util/xml/XMLUtils.java (view file @ 5564a62e)
package
jenkins.util.xml
;
import
org.kohsuke.accmod.Restricted
;
import
org.kohsuke.accmod.restrictions.NoExternalUse
;
import
org.xml.sax.InputSource
;
import
org.xml.sax.SAXException
;
import
org.xml.sax.XMLReader
;
...
...
@@ -21,6 +23,7 @@ import javax.xml.transform.sax.SAXTransformerFactory;
/**
* Utilities useful when working with various XML types.
*/
@Restricted
(
NoExternalUse
.
class
)
public
final
class
XMLUtils
{
private
final
static
Logger
LOGGER
=
LogManager
.
getLogManager
().
getLogger
(
XMLUtils
.
class
.
getName
());
...
...
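Review bot: the unchanged context line `LOGGER = LogManager.getLogManager().getLogger(XMLUtils.class.getName())` is a latent NullPointerException: `LogManager.getLogger(String)` returns null when no logger with that name has been registered yet, unlike `Logger.getLogger(String)`, which creates it on demand. Since the class header is being edited here anyway, suggest `Logger.getLogger(XMLUtils.class.getName())` so the first log call from this utility does not blow up. The `@Restricted(NoExternalUse.class)` addition itself matches the import hunk above and looks correct.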
test/src/test/java/hudson/model/AbstractItemSecurityTest.java (view file @ 5564a62e)
...
...
@@ -56,22 +56,14 @@ public class AbstractItemSecurityTest {
@Test
()
// SECURITY-167
public
void
testUpdateByXml
I
DoesNotProcessForeignResources
()
throws
Exception
{
public
void
testUpdateByXmlDoesNotProcessForeignResources
()
throws
Exception
{
final
String
xml
=
"<?xml version='1.0' encoding='UTF-8'?>\n"
+
"<!DOCTYPE project[\n"
+
" <!ENTITY foo SYSTEM \"file:///\">\n"
+
"]>\n"
+
"<project>\n"
+
" <actions/>\n"
+
" <description>&foo;</description>\n"
+
" <keepDependencies>false</keepDependencies>\n"
+
" <properties/>\n"
+
" <scm class=\"hudson.scm.NullSCM\"/>\n"
+
" <canRoam>true</canRoam>\n"
+
" <triggers/>\n"
+
" <builders/>\n"
+
" <publishers/>\n"
+
" <buildWrappers/>\n"
+
"</project>"
;
FreeStyleProject
project
=
jenkinsRule
.
createFreeStyleProject
(
"security-167"
);
...
...
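Review bot: the rename to `testUpdateByXmlDoesNotProcessForeignResources` fixes the odd method name, and the fixture is the right one for SECURITY-167 (a `<!DOCTYPE project[ <!ENTITY foo SYSTEM "file:///"> ]>` declaration with `&foo;` referenced in `<description>`). What the rendered hunk does not show is the assertion that the stored description still contains the unexpanded reference rather than the resolved file content; the file summary reports 18 lines deleted here, so please confirm the deleted lines were the duplicated setup and not that assertion. Style nit that applies to both tests in this file: `@Test()` with empty parentheses can simply be `@Test`.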
@@ -90,19 +82,11 @@ public class AbstractItemSecurityTest {
@Test
()
// SECURITY-167
public
void
test
hamyXmlI
DoesNotFail
()
throws
Exception
{
public
void
test
UpdateByXml
DoesNotFail
()
throws
Exception
{
final
String
xml
=
"<?xml version='1.0' encoding='UTF-8'?>\n"
+
"<project>\n"
+
" <actions/>\n"
+
" <description>&</description>\n"
+
" <keepDependencies>false</keepDependencies>\n"
+
" <properties/>\n"
+
" <scm class=\"hudson.scm.NullSCM\"/>\n"
+
" <canRoam>true</canRoam>\n"
+
" <triggers/>\n"
+
" <builders/>\n"
+
" <publishers/>\n"
+
" <buildWrappers/>\n"
+
"</project>"
;
FreeStyleProject
project
=
jenkinsRule
.
createFreeStyleProject
(
"security-167"
);
...
...
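Review bot: as rendered, the fixture in `testUpdateByXmlDoesNotFail` contains `<description>&</description>`, and a bare `&` is not well-formed XML, so the parser would reject the document before entity handling is exercised and the test would fail for the wrong reason. If the intent is a literal ampersand in the description, write it as `&amp;` (and check whether the `&` shown here is a display artifact of the rendered diff); if the intent is to test lenient handling of malformed input, name the test to say so. The rename itself brings the method in line with its sibling `testUpdateByXmlDoesNotProcessForeignResources`.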