Merge branch 'security-stable-2.32' into security-stable-2.46

59ec1290 · Daniel Beck · 5df63bc6 · 7a764161 · 59ec1290 · 59ec1290
4 changed file
--- a/core/src/main/java/hudson/util/XStream2.java
+++ b/core/src/main/java/hudson/util/XStream2.java
@@ -145,6 +145,9 @@ public class XStream2 extends XStream {
        // list up types that should be marshalled out like a value, without referential integrity tracking.
        addImmutableType(Result.class);

+        // http://www.openwall.com/lists/oss-security/2017/04/03/4
+        denyTypes(new Class[] { void.class, Void.class });
+
        registerConverter(new RobustCollectionConverter(getMapper(),getReflectionProvider()),10);
        registerConverter(new RobustMapConverter(getMapper()), 10);
        registerConverter(new ImmutableMapConverter(getMapper(),getReflectionProvider()),10);

--- a/core/src/main/java/jenkins/install/SetupWizard.java
+++ b/core/src/main/java/jenkins/install/SetupWizard.java
@@ -458,7 +458,6 @@ public class SetupWizard extends PageDecorator {
    /**
     * Remove the setupWizard filter, ensure all updates are written to disk, etc
     */
-    @RequirePOST
    public HttpResponse doCompleteInstall() throws IOException, ServletException {
        completeSetup();
        return HttpResponses.okJSON();

--- a/core/src/test/java/hudson/util/XStream2Test.java
+++ b/core/src/test/java/hudson/util/XStream2Test.java
@@ -28,6 +28,7 @@ import static org.junit.Assert.*;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.thoughtworks.xstream.XStreamException;
+import com.thoughtworks.xstream.security.ForbiddenClassException;
 import hudson.XmlFile;
 import hudson.model.Result;
 import hudson.model.Run;
@@ -296,4 +297,15 @@ public class XStream2Test {
        assertEquals("3.2.1", XStream2.trimVersion("3.2.1"));
        assertEquals("3.2-SNAPSHOT", XStream2.trimVersion("3.2-SNAPSHOT (private-09/23/2012 12:26-jhacker)"));
    }
+
+    @Issue("SECURITY-503")
+    @Test
+    public void crashXstream() throws Exception {
+        try {
+            new XStream2().fromXML("<void/>");
+            fail("expected to throw ForbiddenClassException, but why are we still alive?");
+        } catch (ForbiddenClassException ex) {
+            // pass
+        }
+    }
 }
--- a/war/src/main/js/api/pluginManager.js
+++ b/war/src/main/js/api/pluginManager.js
@@ -177,7 +177,7 @@ exports.incompleteInstallStatus = function(handler, correlationId) {
 * Call this to complete the installation without installing anything
 */
 exports.completeInstall = function(handler) {
-	jenkins.post('/setupWizard/completeInstall', {}, function() {
+	jenkins.get('/setupWizard/completeInstall', function() {
 		handler.call({ isError: false });
 	}, {
 		timeout: pluginManagerErrorTimeoutMillis,