authorWinston Prakash2015-12-09 17:56:22 -0500
committerWinston Prakash2015-12-09 18:08:55 -0500
commit6cae5b7f9f88ac0afdc13ae8ea1c2f5070441b9e (patch)
tree5aab57b248751c0f96f84e3a766a01cc94f6b09a
parent58f8d633bfa694a097c23e66e67429103f684a07 (diff)
Bug Fix: Bug 483532 - Lock down the Hudson CLI by default
-rw-r--r--hudson-core/src/main/java/hudson/cli/CLICommand.java5
-rw-r--r--hudson-core/src/main/resources/hudson/model/Hudson/configure.jelly4
-rw-r--r--hudson-core/src/main/resources/hudson/model/Hudson/configure.properties3
-rw-r--r--hudson-war/src/main/webapp/help/system-config/allow-cli.html19
4 files changed, 31 insertions, 0 deletions
diff --git a/hudson-core/src/main/java/hudson/cli/CLICommand.java b/hudson-core/src/main/java/hudson/cli/CLICommand.java
index e8ea4ec8..a134a29a 100644
--- a/hudson-core/src/main/java/hudson/cli/CLICommand.java
+++ b/hudson-core/src/main/java/hudson/cli/CLICommand.java
@@ -156,6 +156,11 @@ public abstract class CLICommand implements ExtensionPoint, Cloneable {
this.channel = Channel.current();
registerOptionHandlers();
CmdLineParser p = new CmdLineParser(this);
+
+ if (!Hudson.getInstance().allowCli()){
+ stderr.println("\n\nCommand Line access is disabled. Ask your administrator to enable CLI in the System Configuration\n\n");
+ return -1;
+ }
// add options from the authenticator
SecurityContext sc = SecurityContextHolder.getContext();
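Review bot: The new `allowCli()` check runs after `this.channel = Channel.current();`, so by the time a command is refused the CLI connection has already been accepted and a channel is in use; the gate stops command dispatch, not the transport. If the lock-down is meant to reduce exposure of the CLI endpoint itself, the same flag presumably also needs to be enforced where CLI connections are accepted, which is outside this hunk. At minimum I would document the limit here with `// Blocks command execution only; the channel is already established at this point.` The refusal is written only to the client's `stderr`, so a server-side log entry for rejected attempts would help an administrator notice probing of a disabled CLI. The enclosing method starts and ends outside the hunk.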
diff --git a/hudson-core/src/main/resources/hudson/model/Hudson/configure.jelly b/hudson-core/src/main/resources/hudson/model/Hudson/configure.jelly
index 42fb5c90..d383bc75 100644
--- a/hudson-core/src/main/resources/hudson/model/Hudson/configure.jelly
+++ b/hudson-core/src/main/resources/hudson/model/Hudson/configure.jelly
@@ -126,6 +126,10 @@
<f:optionalBlock name="allowUnsecuredAction" checked="${it.allowUnsecuredAction()}"
title="${%allowUnsecuredActionBlurb}"
help="/help/system-config/allow-unsecured-action.html" />
+
+ <f:optionalBlock name="allowCli" checked="${it.allowCli()}"
+ title="${%allowCLIBlurb}"
+ help="/help/system-config/allow-cli.html" />
<f:descriptorList title="${%Global properties}"
name="globalNodeProperties"
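Review bot: The checkbox binds to `it.allowCli()` and submits a field named `allowCli`, but neither the getter nor the code that reads and persists the submitted value is in this commit, since the diffstat lists only four files. The "by default" claim in the title therefore cannot be checked from here. Please confirm that `allowCli()` returns false on a fresh or upgraded installation with no stored setting, and that the configuration submit path actually stores this field. Otherwise the toggle would render but leave the CLI in whatever state the getter falls back to.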
diff --git a/hudson-core/src/main/resources/hudson/model/Hudson/configure.properties b/hudson-core/src/main/resources/hudson/model/Hudson/configure.properties
index 175c5d43..f6b57f3c 100644
--- a/hudson-core/src/main/resources/hudson/model/Hudson/configure.properties
+++ b/hudson-core/src/main/resources/hudson/model/Hudson/configure.properties
@@ -24,6 +24,9 @@ useBlueBallBlurb=\
allowUnsecuredActionBlurb=\
Allow actions that are unsecured and performed outside of Hudson security envelop.
+allowCLIBlurb=\
+ Allow Command Line Interface (CLI)
+
statsBlurb=\
Help make Hudson better by sending anonymous usage statistics and crash reports to the Hudson team.
diff --git a/hudson-war/src/main/webapp/help/system-config/allow-cli.html b/hudson-war/src/main/webapp/help/system-config/allow-cli.html
new file mode 100644
index 00000000..c29ba4c0
--- /dev/null
+++ b/hudson-war/src/main/webapp/help/system-config/allow-cli.html
@@ -0,0 +1,19 @@
+<!-- **************************************************************************
+#
+# Copyright (C) 2004-2009 Oracle Corporation
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+# Contributors:
+# Winston Prakash
+#
+#************************************************************************** -->
+
+<div>
+ Allow users to access various features in Hudson through a command-line tool.
+ Allowing unrestricted access through Hudson CLI from outside of a controlled environment
+ is not recommended for security reasons.
+</div>
