[SECURITY-412] Require POST for restart URLs

jenkinsci · Apr 13, 2017 · 3c5e5ca · 3c5e5ca
1 parent 4fb7172
commit 3c5e5ca
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/core/src/main/java/hudson/model/UpdateCenter.java b/core/src/main/java/hudson/model/UpdateCenter.java
@@ -379,6 +379,7 @@ public HttpResponse doInvalidateData() {
     /**
      * Schedules a Jenkins restart.
      */
+    @RequirePOST
     public void doSafeRestart(StaplerRequest request, StaplerResponse response) throws IOException, ServletException {
         synchronized (jobs) {
             if (!isRestartScheduled()) {
@@ -467,6 +468,7 @@ public void doDowngrade(StaplerResponse rsp) throws IOException, ServletExceptio
     /**
      * Performs hudson downgrade.
      */
+    @RequirePOST
     public void doRestart(StaplerResponse rsp) throws IOException, ServletException {
         Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
         HudsonDowngradeJob job = new HudsonDowngradeJob(getCoreSource(), Jenkins.getAuthentication());

diff --git a/core/src/main/java/jenkins/model/Jenkins.java b/core/src/main/java/jenkins/model/Jenkins.java
@@ -3366,6 +3366,7 @@ public DirectoryBrowserSupport doUserContent() {
      * This first replaces "app" to {@link HudsonIsRestarting}
      */
     @CLIMethod(name="restart")
+    @RequirePOST
     public void doRestart(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException, RestartNotSupportedException {
         checkPermission(ADMINISTER);
         if (req != null && req.getMethod().equals("GET")) {
@@ -3387,6 +3388,7 @@ public void doRestart(StaplerRequest req, StaplerResponse rsp) throws IOExceptio
      * @since 1.332
      */
     @CLIMethod(name="safe-restart")
+    @RequirePOST
     public HttpResponse doSafeRestart(StaplerRequest req) throws IOException, ServletException, RestartNotSupportedException {
         checkPermission(ADMINISTER);
         if (req != null && req.getMethod().equals("GET"))