[FIXED SECURITY-89] When checking an API token, verify that the user actually exists.
jglick committed Feb 11, 2014
1 parent 788b7d7 commit 5548b52
Showing 1 changed file with 15 additions and 0 deletions.
15 changes: 15 additions & 0 deletions core/src/main/java/jenkins/security/ApiTokenFilter.java
Expand Up @@ -2,9 +2,13 @@

import hudson.model.User;
import hudson.security.ACL;
import hudson.security.UserMayOrMayNotExistException;
import hudson.util.Scrambler;
import jenkins.model.Jenkins;
import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.springframework.dao.DataAccessException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
Expand Down Expand Up @@ -41,6 +45,17 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
int idx = uidpassword.indexOf(':');
if (idx >= 0) {
String username = uidpassword.substring(0, idx);
try {
Jenkins.getInstance().getSecurityRealm().loadUserByUsername(username);
} catch (UserMayOrMayNotExistException x) {
// OK, give them the benefit of the doubt.
} catch (UsernameNotFoundException x) {
// Not/no longer a user; deny the API token. (But do not leak the information that this happened.)
chain.doFilter(request, response);
return;
} catch (DataAccessException x) {
throw new ServletException(x);
}
String password = uidpassword.substring(idx+1);

// attempt to authenticate as API token
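Review bot: The realm lookup `Jenkins.getInstance().getSecurityRealm().loadUserByUsername(username)` now runs for every request that carries a Basic-auth header, before the presented token is compared at all (the token comparison sits below the hunk), so an unauthenticated request with an arbitrary username costs a full `loadUserByUsername` round trip to the configured realm, which for a remote directory is a network call. Consider comparing the token against the local `User` record first and only then confirming the account still exists in the realm; the SECURITY-89 property (a token for a removed account is refused) is preserved, while the realm query is only paid for requests that already hold a valid token. The `UserMayOrMayNotExistException` branch deliberately accepts the user; a one-line comment noting why it must stay ahead of the broader `UsernameNotFoundException` catch would help future readers, e.g. `// subclass of UsernameNotFoundException: a realm that cannot answer must not deny the token`. doFilter starts and ends outside the hunk, so the reorder cannot be shown here as a complete method.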
