Skip to content
Permalink
Browse files
[FIXED JENKINS-27277]
  • Loading branch information
kohsuke committed Mar 7, 2015
1 parent 2ba1f8f commit b400d1507a25c895f99b983bee713952af5edadd
Showing with 45 additions and 6 deletions.
  1. +3 −1 changelog.html
  2. +42 −5 core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java
@@ -55,7 +55,9 @@
<!-- Record your changes in the trunk here. -->
<div id="trunk" style="display:none"><!--=TRUNK-BEGIN=-->
<ul class=image>
<li class=>
<li class=rfe>
As security hardening, mark "remember me" cookie as HTTP only
(<a href="https://issues.jenkins-ci.org/browse/JENKINS-27277">issue 27277</a>)
</ul>
</div><!--=TRUNK-END=-->

@@ -1,18 +1,18 @@
/*
* The MIT License
*
*
* Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi
*
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
@@ -35,9 +35,13 @@
import org.apache.commons.codec.binary.Base64;
import org.springframework.util.Assert;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Date;
import java.util.logging.Level;

/**
* {@link TokenBasedRememberMeServices} with modification so as not to rely
@@ -128,8 +132,41 @@ public Authentication autoLogin(HttpServletRequest request, HttpServletResponse
}
}

/**
@Override
protected Cookie makeValidCookie(String tokenValueBase64, HttpServletRequest request, long maxAge) {
Cookie cookie = super.makeValidCookie(tokenValueBase64, request, maxAge);
// if we can mark the cookie HTTP only, do so to protect this cookie even in case of XSS vulnerability.
if (SET_HTTP_ONLY!=null) {
try {
SET_HTTP_ONLY.invoke(cookie,true);
} catch (IllegalAccessException e) {
// ignore
} catch (InvocationTargetException e) {
// ignore
}
}

// if the user is running Jenkins over HTTPS, we also want to prevent the cookie from leaking in HTTP.
// whether the login is done over HTTPS or not would be a good enough approximation of whether Jenkins runs in
// HTTPS or not, so use that.
if (request.isSecure())
cookie.setSecure(true);
return cookie;
}

/**
* Used to compute the token signature securely.
*/
private static final HMACConfidentialKey MAC = new HMACConfidentialKey(TokenBasedRememberMeServices.class,"mac");

private static final Method SET_HTTP_ONLY;

static {
Method m = null;
try {
m = Cookie.class.getMethod("setHttpOnly", boolean.class);
} catch (NoSuchMethodException x) { // 3.0+
}
SET_HTTP_ONLY = m;
}
}

0 comments on commit b400d15

Please sign in to comment.