[SECURITY-1641]

cd28a6d9 · Wadeck Follonier · c0d3c041 · cd28a6d9 · cd28a6d9 · cd28a6d9
4 changed file
--- a/core/src/main/java/hudson/DNSMultiCast.java
+++ b/core/src/main/java/hudson/DNSMultiCast.java
@@ -88,5 +88,5 @@ public class DNSMultiCast implements Closeable {

    private static final Logger LOGGER = Logger.getLogger(DNSMultiCast.class.getName());

-    public static boolean disabled = SystemProperties.getBoolean(DNSMultiCast.class.getName()+".disabled");
+    public static boolean disabled = SystemProperties.getBoolean(DNSMultiCast.class.getName()+".disabled", true);
 }
--- a/core/src/main/java/hudson/UDPBroadcastThread.java
+++ b/core/src/main/java/hudson/UDPBroadcastThread.java
@@ -129,7 +129,8 @@ public class UDPBroadcastThread extends Thread {
        interrupt();
    }

-    public static final int PORT = SystemProperties.getInteger("hudson.udp",33848);
+    // The previous default port was 33848, before the "disabled by default" change
+    public static final int PORT = SystemProperties.getInteger("hudson.udp", -1);

    private static final Logger LOGGER = Logger.getLogger(UDPBroadcastThread.class.getName());


--- a/test/src/test/java/hudson/UDPBroadcastThreadSEC1641Test.java
+++ b/test/src/test/java/hudson/UDPBroadcastThreadSEC1641Test.java
+package hudson;
+
+import jenkins.model.Jenkins;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+
+import java.lang.reflect.Field;
+
+import static org.junit.Assert.assertNull;
+
+public class UDPBroadcastThreadSEC1641Test {
+
+    @Rule
+    public JenkinsRule j = new JenkinsRule();
+
+    @Test
+    public void ensureThereIsNoThreadRunningByDefault() throws Exception {
+        UDPBroadcastThread thread = getPrivateThread(j.jenkins);
+        assertNull(thread);
+    }
+
+    private static UDPBroadcastThread getPrivateThread(Jenkins jenkins) throws Exception {
+        Field threadField = Jenkins.class.getDeclaredField("udpBroadcastThread");
+        threadField.setAccessible(true);
+
+        return (UDPBroadcastThread) threadField.get(jenkins);
+    }
+}
--- a/test/src/test/java/hudson/UDPBroadcastThreadTest.java
+++ b/test/src/test/java/hudson/UDPBroadcastThreadTest.java
 package hudson;

+import jenkins.model.Jenkins;
+import org.hamcrest.Matchers;
+import org.junit.Assert;
+import org.junit.BeforeClass;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import org.xml.sax.helpers.DefaultHandler;

 import javax.xml.parsers.SAXParserFactory;
 import javax.xml.parsers.ParserConfigurationException;
+import java.lang.reflect.Field;
+import java.lang.reflect.Modifier;
 import java.net.DatagramSocket;
 import java.net.DatagramPacket;
 import java.net.InetAddress;
@@ -17,18 +23,40 @@ import org.junit.Rule;
 import org.junit.Test;
 import org.jvnet.hudson.test.JenkinsRule;

+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
 /**
 * @author Kohsuke Kawaguchi
 */
 public class UDPBroadcastThreadTest {

    @Rule public JenkinsRule j = new JenkinsRule();
+    
+    @BeforeClass
+    public static void forceActivateUDPMulticast() throws Exception {
+        // required to be done before JenkinsRule starts the Jenkins instance 
+        // as the usage of this port is in the constructor
+        updatePort(33848);
+    }
+
+    private static void updatePort(int newValue) throws Exception {
+        Field portField = UDPBroadcastThread.class.getField("PORT");
+
+        Field modifiersField = Field.class.getDeclaredField("modifiers");
+        modifiersField.setAccessible(true);
+        modifiersField.setInt(portField, portField.getModifiers() & ~Modifier.FINAL);

+        portField.setInt(null, newValue);
+    }
+    
    /**
     * Old unicast based clients should still be able to receive some reply,
     * as we haven't changed the port.
     */
    @Test public void legacy() throws Exception {
+        updatePort(33848);
        DatagramSocket s = new DatagramSocket();
        sendQueryTo(s, InetAddress.getLocalHost());
        s.setSoTimeout(15000); // to prevent test hang
@@ -60,18 +88,38 @@ public class UDPBroadcastThreadTest {

            // we should at least get two replies since we run two broadcasts
            try {
+                // from first (Jenkins one) (order does not matter)
+                receiveAndVerify(s);
+                // from second
                receiveAndVerify(s);
+                // from third
                receiveAndVerify(s);
            } catch (SocketTimeoutException x) {
                Assume.assumeFalse(UDPBroadcastThread.udpHandlingProblem);
                throw x;
            }
+
+            // to fail fast
+            s.setSoTimeout(2000);
+            try {
+                receiveAndVerify(s);
+                fail("There should be only 3 listeners");
+            } catch (SocketTimeoutException x) {
+                // expected to throw
+            }
        } finally {
            third.interrupt();
            second.interrupt();
        }
    }

+    @Test
+    public void ensureTheThreadIsRunningWithSysProp() throws Exception {
+        UDPBroadcastThread thread = getPrivateThread(j.jenkins);
+        assertNotNull(thread);
+        assertTrue(thread.isAlive());
+    }
+
    private void sendQueryTo(DatagramSocket s, InetAddress dest) throws IOException {
        DatagramPacket p = new DatagramPacket(new byte[1024],1024);
        p.setAddress(dest);
@@ -86,11 +134,20 @@ public class UDPBroadcastThreadTest {
        DatagramPacket p = new DatagramPacket(new byte[1024],1024);
        s.receive(p);
        String xml = new String(p.getData(), 0, p.getLength(), "UTF-8");
+        //example: <hudson><version>2.164.4-SNAPSHOT</version><url>http://localhost:23146/jenkins/</url><server-id>be6757793486931ff50c259b66c77704</server-id><slave-port>23149</slave-port></hudson>
        System.out.println(xml);
+        Assert.assertThat(xml, Matchers.containsString("<hudson>"));

        // make sure at least this XML parses
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.newSAXParser().parse(new InputSource(new StringReader(xml)),new DefaultHandler());
    }
+
+    private static UDPBroadcastThread getPrivateThread(Jenkins jenkins) throws Exception {
+        Field threadField = Jenkins.class.getDeclaredField("udpBroadcastThread");
+        threadField.setAccessible(true);
+
+        return (UDPBroadcastThread) threadField.get(jenkins);
+    }
 }