From 87eeedc4d3bcd084e3d866f4d328e7b0900d4ef6 Mon Sep 17 00:00:00 2001 From: mindless Date: Fri, 5 Nov 2010 19:14:04 +0000 Subject: [PATCH] [FIXED HUDSON-7961] support CSRF protection when submitting results of external job; patch from davidreiss with 1 minor addition. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@36678 71c3de6d-444a-0410-be80-ed276b4c234a --- core/src/main/java/hudson/Main.java | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/core/src/main/java/hudson/Main.java b/core/src/main/java/hudson/Main.java index bdc00c48c1..cdf15e62f7 100644 --- a/core/src/main/java/hudson/Main.java +++ b/core/src/main/java/hudson/Main.java @@ -27,10 +27,12 @@ import hudson.util.DualOutputStream; import hudson.util.EncodingStream; import com.thoughtworks.xstream.core.util.Base64Encoder; +import java.io.BufferedReader; import java.io.File; import java.io.FileInputStream; import java.io.FileOutputStream; import java.io.IOException; +import java.io.InputStreamReader; import java.io.OutputStreamWriter; import java.io.Writer; import java.net.HttpRetryException; @@ -109,6 +111,24 @@ public class Main { } } + // get a crumb to pass the csrf check + String crumbField = null, crumbValue = null; + try { + HttpURLConnection con = open(new URL(home + + "crumbIssuer/api/xml?xpath=concat(//crumbRequestField,\":\",//crumb)'")); + if (auth != null) con.setRequestProperty("Authorization", auth); + BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream())); + String line = in.readLine(); + in.close(); + String[] components = line.split(":"); + if (components.length == 2) { + crumbField = components[0]; + crumbValue = components[1]; + } + } catch (IOException e) { + // presumably this Hudson doesn't use CSRF protection + } + // write the output to a temporary file first. File tmpFile = File.createTempFile("hudson","log"); try { 
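Review bot: In the crumb-fetch block the `catch (IOException e)` swallows every failure — an HTTP 401/403/5xx, a network error, a malformed request — and the upload then proceeds without a crumb, so a genuine problem surfaces later as an opaque "no valid crumb" 403 instead of at its cause; only a 404 (presumably what a Hudson with no crumb issuer returns for `crumbIssuer/…`) should be read as "CSRF protection off", and other status codes should be reported. `in.readLine()` can also return null on an empty body, and the NullPointerException that `line.split(":")` then throws is not an IOException, so it escapes the catch entirely. The XPath string ends in a stray `'` after `concat(...)`, which looks like a typo; unless the server's XPath evaluator tolerates it the request fails and the same catch hides that too. The reader is also left open if anything between `getInputStream()` and `close()` throws. The enclosing method starts and ends outside the hunk.
```java
        // get a crumb to pass the csrf check
        String crumbField = null, crumbValue = null;
        HttpURLConnection crumbCon = open(new URL(home +
                "crumbIssuer/api/xml?xpath=concat(//crumbRequestField,\":\",//crumb)"));
        if (auth != null) crumbCon.setRequestProperty("Authorization", auth);
        int rc = crumbCon.getResponseCode();
        if (rc == HttpURLConnection.HTTP_OK) {
            BufferedReader in = new BufferedReader(new InputStreamReader(crumbCon.getInputStream()));
            try {
                String line = in.readLine();
                // empty body -> no crumb; limit 2 keeps a ':' inside the value from splitting it further
                String[] components = line == null ? new String[0] : line.split(":", 2);
                if (components.length == 2) {
                    crumbField = components[0];
                    crumbValue = components[1];
                }
            } finally {
                in.close();
            }
        } else if (rc != HttpURLConnection.HTTP_NOT_FOUND) {
            // 404 presumably means no crumb issuer (CSRF protection off); anything else is a real error
            throw new IOException("Failed to obtain CSRF crumb from " + home + ": HTTP " + rc);
        }
        // … unchanged: temporary file handling …
```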
@@ -139,6 +159,9 @@ public class Main {
 // start a remote connection
 HttpURLConnection con = open(new URL(location));
 if (auth != null) con.setRequestProperty("Authorization", auth);
+ if (crumbField != null && crumbValue != null) {
+ con.setRequestProperty(crumbField, crumbValue);
+ }
 con.setDoOutput(true);
 // this tells HttpURLConnection not to buffer the whole thing
 con.setFixedLengthStreamingMode((int)tmpFile.length());
-- GitLab
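Review bot: The new guard tests `crumbField` and `crumbValue` separately, but the earlier hunk only ever assigns them together inside the `components.length == 2` branch, so a single check suffices and a comment explaining why the header is optional reads better than the double null test: `if (crumbField != null) con.setRequestProperty(crumbField, crumbValue); // CSRF crumb; absent when this Hudson has no crumb issuer`. The header name is taken straight from the crumb issuer's response, which is fine as long as `location` points at the same server as `home`; if it can differ, that is worth a comment, since the crumb is presumably a per-user token that should not be sent elsewhere. The enclosing method starts and ends outside the hunk.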