authorWinston Prakash2014-05-24 01:15:57 +0000
committerWinston Prakash2014-05-24 01:15:57 +0000
commita862ad4da569f2dfe2f62579c0dc9046afd1ceb4 (patch)
tree64c80037fd9857571120a8c23dfdf67ea873be41 /hudson-core/src
parente35a85884a157aa5dd96f2edc519fd209927f8e1 (diff)
downloadorg.eclipse.hudson.core-a862ad4da569f2dfe2f62579c0dc9046afd1ceb4.tar.gz
org.eclipse.hudson.core-a862ad4da569f2dfe2f62579c0dc9046afd1ceb4.tar.xz
org.eclipse.hudson.core-a862ad4da569f2dfe2f62579c0dc9046afd1ceb4.zip
Security fix. Only the POST HTTP method should be allowed for diagnostic script execution
Diffstat (limited to 'hudson-core/src')
-rw-r--r--hudson-core/src/main/java/hudson/model/Computer.java3
1 files changed, 3 insertions, 0 deletions
diff --git a/hudson-core/src/main/java/hudson/model/Computer.java b/hudson-core/src/main/java/hudson/model/Computer.java
index b1645f9e..67fc6a0e 100644
--- a/hudson-core/src/main/java/hudson/model/Computer.java
+++ b/hudson-core/src/main/java/hudson/model/Computer.java
@@ -1046,6 +1046,9 @@ public /*transient*/ abstract class Computer extends Actionable implements Acces
}
protected void _doScript(StaplerRequest req, StaplerResponse rsp, String view) throws IOException, ServletException {
+ if (!"POST".equals(req.getMethod())) {
+ throw HttpResponses.error(HttpURLConnection.HTTP_BAD_METHOD, "requires POST");
+ }
// ability to run arbitrary script is dangerous,
// so tie it to the admin access
checkPermission(Hudson.ADMINISTER);
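Review bot: The method check added at the top of _doScript stops the script endpoint from being driven by a plain GET (a link, image tag or browser prefetch), but by itself it does not stop a cross-site form POST; unless a CSRF crumb is enforced for this path elsewhere (not visible in this hunk), a crumb check belongs next to it. A 405 response is expected to carry an Allow header, and whether HttpResponses.error sets one cannot be seen here, so that is worth confirming. The reason for the rejection is not recorded; a comment such as `// script execution changes server state: refuse GET so it cannot be triggered by a link or prefetch` above the check would make the intent clear to the next maintainer. The body of _doScript continues beyond the hunk.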
