[FIXED HUDSON-7961] support CSRF protection when submitting results

of external job; patch from davidreiss with 1 minor addition. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@36678 71c3de6d-444a-0410-be80-ed276b4c234a

[FIXED HUDSON-7961] support CSRF protection when submitting results
of external job; patch from davidreiss with 1 minor addition. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@36678 71c3de6d-444a-0410-be80-ed276b4c234a
87eeedc4 · mindless · c1a95b8e · 87eeedc4
隐藏空白更改
内联并排

Showing with 23 addition and 0 deletion

core/src/main/java/hudson/Main.java core/src/main/java/hudson/Main.java +23 -0

未找到文件。
--- a/core/src/main/java/hudson/Main.java
+++ b/core/src/main/java/hudson/Main.java
@@ -27,10 +27,12 @@ import hudson.util.DualOutputStream;
 import hudson.util.EncodingStream;
 import com.thoughtworks.xstream.core.util.Base64Encoder;

+import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.IOException;
+import java.io.InputStreamReader;
 import java.io.OutputStreamWriter;
 import java.io.Writer;
 import java.net.HttpRetryException;
@@ -109,6 +111,24 @@ public class Main {
            }
        }

+        // get a crumb to pass the csrf check
+        String crumbField = null, crumbValue = null;
+        try {
+            HttpURLConnection con = open(new URL(home +
+                    "crumbIssuer/api/xml?xpath=concat(//crumbRequestField,\":\",//crumb)'"));
+            if (auth != null) con.setRequestProperty("Authorization", auth);
+            BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream()));
+            String line = in.readLine();
+            in.close();
+            String[] components = line.split(":");
+            if (components.length == 2) {
+                crumbField = components[0];
+                crumbValue = components[1];
+            }
+        } catch (IOException e) {
+            // presumably this Hudson doesn't use CSRF protection
+        }
+
        // write the output to a temporary file first.
        File tmpFile = File.createTempFile("hudson","log");
        try {
@@ -139,6 +159,9 @@ public class Main {
                    // start a remote connection
                    HttpURLConnection con = open(new URL(location));
                    if (auth != null) con.setRequestProperty("Authorization", auth);
+                    if (crumbField != null && crumbValue != null) {
+                        con.setRequestProperty(crumbField, crumbValue);
+                    }
                    con.setDoOutput(true);
                    // this tells HttpURLConnection not to buffer the whole thing
                    con.setFixedLengthStreamingMode((int)tmpFile.length());