[FIXED SECURITY-77] XSS in iconSize cookie.
jglick committed Feb 11, 2014
1 parent 535c111 commit a0b0050
Showing 4 changed files with 15 additions and 7 deletions.
11 changes: 11 additions & 0 deletions core/src/main/java/hudson/Functions.java
Expand Up @@ -123,6 +123,8 @@
import java.util.logging.SimpleFormatter;
import java.util.regex.Pattern;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;

/**
* Utility functions used in views.
Expand Down Expand Up @@ -426,6 +428,15 @@ public static String getCookie(HttpServletRequest req,String name, String defaul
return c.getValue();
}

private static final Pattern ICON_SIZE = Pattern.compile("\\d+x\\d+");
@Restricted(NoExternalUse.class)
public static String validateIconSize(String iconSize) throws SecurityException {
if (!ICON_SIZE.matcher(iconSize).matches()) {
throw new SecurityException("invalid iconSize");
}
return iconSize;
}

/**
* Gets the suffix to use for YUI JavaScript.
*/
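Review bot: validateIconSize in the second hunk hands its argument straight to ICON_SIZE.matcher, so a null iconSize fails with NullPointerException rather than the SecurityException the signature advertises; the two call sites in this commit pass a getCookie result with a default, but the method is public, so the guard should read `if (iconSize == null || !ICON_SIZE.matcher(iconSize).matches()) {`. The method also carries no Javadoc, and since a regex is the whole security boundary here it deserves one, e.g. `/** Rejects anything but a {@code <digits>x<digits>} icon size; the whole-string match performed by matches() is what keeps the cookie value named in SECURITY-77 from carrying markup. @throws SecurityException if the value does not match */`. The enclosing class Functions starts and continues outside the hunk.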
2 changes: 1 addition & 1 deletion core/src/main/java/hudson/model/View.java
Expand Up @@ -766,7 +766,7 @@ public AsynchPeople(View parent) {

{
StaplerRequest req = Stapler.getCurrentRequest();
iconSize = req != null ? Functions.getCookie(req, "iconSize", "32x32") : "32x32";
iconSize = req != null ? Functions.validateIconSize(Functions.getCookie(req, "iconSize", "32x32")) : "32x32";
}

@Override protected void compute() throws Exception {
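Review bot: The validateIconSize call on the new initializer line turns a malformed iconSize cookie, a value any browser can send, into a SecurityException thrown from the instance initializer of AsynchPeople, so constructing the object fails outright instead of degrading to the "32x32" default used when no request is present; how that exception surfaces to the user is not visible here. If a fallback is intended, split the line into `String raw = req != null ? Functions.getCookie(req, "iconSize", "32x32") : "32x32";` followed by a try/catch on SecurityException that assigns "32x32"; if failing the request is the intended behaviour, a comment such as `// a tampered cookie fails here rather than being silently replaced` would make that choice explicit. The j:set line in setIconSize.jelly has the same shape and the same question. AsynchPeople begins before and continues after the hunk.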
7 changes: 2 additions & 5 deletions core/src/main/java/jenkins/model/Jenkins.java
Expand Up @@ -295,7 +295,6 @@
import static java.util.logging.Level.SEVERE;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
Expand Down Expand Up @@ -3417,9 +3416,9 @@ public void doSignup( StaplerRequest req, StaplerResponse rsp ) throws IOExcepti
*/
public void doIconSize( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
String qs = req.getQueryString();
if(qs==null || !ICON_SIZE.matcher(qs).matches())
if(qs==null)
throw new ServletException();
Cookie cookie = new Cookie("iconSize", qs);
Cookie cookie = new Cookie("iconSize", Functions.validateIconSize(qs));
cookie.setMaxAge(/* ~4 mo. */9999999); // #762
rsp.addCookie(cookie);
String ref = req.getHeader("Referer");
Expand Down Expand Up @@ -3964,8 +3963,6 @@ public static VersionNumber getVersion() {

private static final Logger LOGGER = Logger.getLogger(Jenkins.class.getName());

private static final Pattern ICON_SIZE = Pattern.compile("\\d+x\\d+");

public static final PermissionGroup PERMISSIONS = Permission.HUDSON_PERMISSIONS;
public static final Permission ADMINISTER = Permission.HUDSON_ADMINISTER;
public static final Permission READ = new Permission(PERMISSIONS,"Read",Messages._Hudson_ReadPermission_Description(),Permission.READ,PermissionScope.JENKINS);
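Review bot: In the doIconSize hunk a missing query string is still reported with ServletException, but an ill-formed one now leaves the method as the unchecked SecurityException from Functions.validateIconSize, so the two rejection paths of what used to be a single check now report differently. Unless the framework is known to map SecurityException deliberately (not visible here), keep the handler's contract by wrapping it: `String size; try { size = Functions.validateIconSize(qs); } catch (SecurityException e) { throw new ServletException(e); }` and then `Cookie cookie = new Cookie("iconSize", size);`. The Javadoc of doIconSize and the code after the Referer lookup lie outside the hunk.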
2 changes: 1 addition & 1 deletion core/src/main/resources/lib/hudson/setIconSize.jelly
Expand Up @@ -27,7 +27,7 @@ THE SOFTWARE.
-->
<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core" xmlns:x="jelly:xml" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
<j:set scope="parent" var="iconSize" value="${h.getCookie(request,'iconSize','32x32')}" />
<j:set scope="parent" var="iconSize" value="${h.validateIconSize(h.getCookie(request,'iconSize','32x32'))}" />
<!--
balls look smaller than their actual size,
so we try not to make the secondary icons look bigger than the icon.
