From 3c5e5ca63d9a1ac1c4087682dc0d426625eafed8 Mon Sep 17 00:00:00 2001
From: Daniel Beck
Date: Sat, 1 Apr 2017 02:30:51 +0200
Subject: [PATCH] [SECURITY-412] Require POST for restart URLs
---
 core/src/main/java/hudson/model/UpdateCenter.java | 2 ++
 core/src/main/java/jenkins/model/Jenkins.java | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/core/src/main/java/hudson/model/UpdateCenter.java b/core/src/main/java/hudson/model/UpdateCenter.java
index 91d052b68360..016efbe80a8f 100644
--- a/core/src/main/java/hudson/model/UpdateCenter.java
+++ b/core/src/main/java/hudson/model/UpdateCenter.java
@@ -379,6 +379,7 @@ public HttpResponse doInvalidateData() {
 /**
 * Schedules a Jenkins restart.
 */
+ @RequirePOST
 public void doSafeRestart(StaplerRequest request, StaplerResponse response) throws IOException, ServletException {
 synchronized (jobs) {
 if (!isRestartScheduled()) {
@@ -467,6 +468,7 @@ public void doDowngrade(StaplerResponse rsp) throws IOException, ServletExceptio
 /**
 * Performs hudson downgrade.
 */
+ @RequirePOST
 public void doRestart(StaplerResponse rsp) throws IOException, ServletException {
 Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
 HudsonDowngradeJob job = new HudsonDowngradeJob(getCoreSource(), Jenkins.getAuthentication());
diff --git a/core/src/main/java/jenkins/model/Jenkins.java b/core/src/main/java/jenkins/model/Jenkins.java
index 0006b2658b0d..f24ff8a08805 100644
--- a/core/src/main/java/jenkins/model/Jenkins.java
+++ b/core/src/main/java/jenkins/model/Jenkins.java
@@ -3366,6 +3366,7 @@ public DirectoryBrowserSupport doUserContent() {
 * This first replaces "app" to {@link HudsonIsRestarting}
 */
 @CLIMethod(name="restart")
+ @RequirePOST
 public void doRestart(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException, RestartNotSupportedException {
 checkPermission(ADMINISTER);
 if (req != null && req.getMethod().equals("GET")) {
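Review bot: No permission check is visible between the new `@RequirePOST` and the `synchronized (jobs)` block that schedules the restart in UpdateCenter.doSafeRestart; `@RequirePOST` only rejects non-POST requests, it does not authorize the caller. If `checkPermission` is not performed further down (the method body continues outside the hunk), add `Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);` as the first statement, matching the sibling doRestart in the next hunk of this file. The Javadoc `Schedules a Jenkins restart.` should also state that the endpoint accepts POST only and which permission it requires, so the contract change this commit makes is visible to readers of the source.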
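Review bot: The Javadoc `Performs hudson downgrade.` sits on a method named doRestart whose body constructs a `HudsonDowngradeJob`, so neither the name nor the comment tells a reader what the endpoint actually does, and this commit changes its HTTP contract without touching the comment. Reword it to say what the job does (presumably a core downgrade followed by a restart — confirm against HudsonDowngradeJob, which is outside the hunk) and add that the endpoint is POST-only and requires ADMINISTER, e.g. `Restarts Jenkins via a HudsonDowngradeJob; POST only, requires ADMINISTER.` The rest of doRestart's body is outside the hunk.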
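Review bot: With `@RequirePOST` on Jenkins.doRestart, the existing branch `if (req != null && req.getMethod().equals("GET")) {` two lines below can no longer be entered from an HTTP request, because Stapler rejects non-POST requests before the method runs; barring direct Java callers, that branch and whatever it forwards to (presumably a confirmation view — the body continues outside the hunk) become dead code. The same applies to the GET branch of doSafeRestart in the next hunk at new line 3388. Either remove the GET branch and its view now that the annotation enforces the method, or keep the existing GET-confirmation/POST-restart dispatch without the annotation, but not both; if the branch is kept, a comment such as `// unreachable over HTTP since @RequirePOST; kept only for non-Stapler callers` should say why. The CLI path passes a null request as far as the `req != null` guard suggests, so `@CLIMethod` invocation is presumably unaffected, but that is worth confirming with a test before merging.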
@@ -3387,6 +3388,7 @@ public void doRestart(StaplerRequest req, StaplerResponse rsp) throws IOExceptio
 * @since 1.332
 */
 @CLIMethod(name="safe-restart")
+ @RequirePOST
 public HttpResponse doSafeRestart(StaplerRequest req) throws IOException, ServletException, RestartNotSupportedException {
 checkPermission(ADMINISTER);
 if (req != null && req.getMethod().equals("GET"))