Merge branch 'security-stable-2.73' into security-stable-2.89

core/src/main/java/hudson/Plugin.java

@@ -44,6 +44,7 @@ import com.thoughtworks.xstream.XStream;
 import hudson.init.Initializer;
 import hudson.init.Terminator;
 import java.net.URL;
+import java.util.Locale;
 import java.util.logging.Logger;
 import jenkins.model.GlobalConfiguration;
 
@@ -226,7 +227,8 @@ public abstract class Plugin implements Saveable {
     public void doDynamic(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
         String path = req.getRestOfPath();
 
-        if (path.isEmpty() || path.contains("..") || path.contains("%") || path.contains("META-INF") || path.contains("WEB-INF")) {
+        String pathUC = path.toUpperCase(Locale.ENGLISH);
+        if (path.isEmpty() || path.contains("..") || path.contains("%") || pathUC.contains("META-INF") || pathUC.contains("WEB-INF")) {
             LOGGER.warning("rejecting possibly malicious " + req.getRequestURIWithQueryString());
             rsp.sendError(HttpServletResponse.SC_BAD_REQUEST);
             return;

test/src/test/java/hudson/PluginTest.java

@@ -53,6 +53,8 @@ public class PluginTest {
         // SECURITY-155:
         r.createWebClient().assertFails("plugin/credentials/WEB-INF/licenses.xml", HttpServletResponse.SC_BAD_REQUEST);
         r.createWebClient().assertFails("plugin/credentials/META-INF/MANIFEST.MF", HttpServletResponse.SC_BAD_REQUEST);
+        r.createWebClient().assertFails("plugin/credentials/web-inf/licenses.xml", HttpServletResponse.SC_BAD_REQUEST);
+        r.createWebClient().assertFails("plugin/credentials/meta-inf/manifest.mf", HttpServletResponse.SC_BAD_REQUEST);
     }
 
 }