From 416fdddb97f8a6f8778a66bfe38d5eb39a77149c Mon Sep 17 00:00:00 2001
From: Daniel Beck
Date: Fri, 14 Apr 2017 22:45:57 +0200
Subject: [PATCH] [SECURITY-420] RequirePOST to finish setup wizard
---
 core/src/main/java/jenkins/install/SetupWizard.java | 1 +
 war/src/main/js/api/pluginManager.js | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/core/src/main/java/jenkins/install/SetupWizard.java b/core/src/main/java/jenkins/install/SetupWizard.java
index 2d98160b9b..0f3567ff9f 100644
--- a/core/src/main/java/jenkins/install/SetupWizard.java
+++ b/core/src/main/java/jenkins/install/SetupWizard.java
@@ -443,6 +443,7 @@ public class SetupWizard extends PageDecorator {
 /**
 * Remove the setupWizard filter, ensure all updates are written to disk, etc
 */
+ @RequirePOST
 public HttpResponse doCompleteInstall() throws IOException, ServletException {
 completeSetup();
 return HttpResponses.okJSON();
diff --git a/war/src/main/js/api/pluginManager.js b/war/src/main/js/api/pluginManager.js
index 3f2cf7fedb..1af7995c1b 100644
--- a/war/src/main/js/api/pluginManager.js
+++ b/war/src/main/js/api/pluginManager.js
@@ -177,7 +177,7 @@ exports.incompleteInstallStatus = function(handler, correlationId) {
 * Call this to complete the installation without installing anything
 */
 exports.completeInstall = function(handler) {
- jenkins.get('/setupWizard/completeInstall', function() {
+ jenkins.post('/setupWizard/completeInstall', {}, function() {
 handler.call({ isError: false });
 }, {
 timeout: pluginManagerErrorTimeoutMillis,
-- 
GitLab
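Review bot: `@RequirePOST` on `doCompleteInstall()` constrains only the HTTP method; no permission check is visible in the lines shown, so authorization appears to rest on `completeSetup()`, which is outside the hunk and worth confirming. The Javadoc above the method should record the reason for the annotation, e.g. `* Requires POST so that a cross-site GET cannot finish the setup wizard.` The diffstat lists one inserted line for this file and no test file, so the `RequirePOST` import presumably already exists and nothing pins the new behaviour; a test asserting that a GET to `/setupWizard/completeInstall` is rejected would guard against regression. The method's closing brace lies outside the hunk.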
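Review bot: The switch to `jenkins.post` in `exports.completeInstall` depends on that helper attaching the CSRF crumb, which is not visible in this hunk; if it does not, the request would presumably be refused on instances with CSRF protection enabled and the wizard could not be finished from the UI. The comment above the function could say why POST is required, e.g. `* Sent as POST because the server endpoint rejects other methods (SECURITY-420).` The options object and any error callback continue past the end of the hunk, so how a rejected request is surfaced to `handler` cannot be checked from here.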