Backporting for LTS 2.303.1

.mvn/maven.config

@@ -1,2 +1,3 @@
 -Pconsume-incrementals
 -Pmight-produce-incrementals
+-Plts-release

core/src/main/java/hudson/FilePath.java

@@ -697,7 +697,7 @@ private void unzip(File dir, File zipFile) throws IOException {
             while (entries.hasMoreElements()) {
                 ZipEntry e = entries.nextElement();
                 File f = new File(dir, e.getName());
-                if (!f.getCanonicalPath().startsWith(dir.getCanonicalPath())) {
+                if (!f.getCanonicalFile().toPath().startsWith(dir.getCanonicalPath())) {
                     throw new IOException(
                         "Zip " + zipFile.getPath() + " contains illegal file name that breaks out of the target directory: " + e.getName());
                 }

core/src/main/java/jenkins/monitor/JavaVersionRecommendationAdminMonitor.java

@@ -28,6 +28,7 @@
 import hudson.model.AdministrativeMonitor;
 import hudson.security.Permission;
 import jenkins.model.Jenkins;
+import jenkins.util.SystemProperties;
 import jenkins.util.java.JavaUtils;
 import org.jenkinsci.Symbol;
 import org.kohsuke.accmod.Restricted;
@@ -46,9 +47,11 @@
 @Symbol("javaVersionRecommendation")
 public class JavaVersionRecommendationAdminMonitor extends AdministrativeMonitor {
 
+    private static Boolean disabled = SystemProperties.getBoolean(JavaVersionRecommendationAdminMonitor.class.getName() + ".disabled", false);
+
     @Override
     public boolean isActivated() {
-        return JavaUtils.isRunningWithJava8OrBelow();
+        return !disabled && JavaUtils.isRunningWithJava8OrBelow();
     }
 
     @Override

core/src/main/resources/lib/layout/icon.jelly

@@ -70,9 +70,9 @@ THE SOFTWARE.
 
       <span class="build-status-icon__wrapper ${attrs.class}" style="${imgStyle}">
           <span class="build-status-icon__outer">
-            <l:svgIcon href="${rootURL}/images/build-status/build-status-sprite.svg#${outerLayer}" id="${attrs.id}" />
+            <l:svgIcon href="${rootURL}/images/build-status/build-status-sprite.svg#${outerLayer}" id="${attrs.id}" tooltip="${attrs.tooltip}"/>
           </span>
-          <l:svgIcon class="${attrs.class}" href="${iconSrc}" id="${attrs.id}"/>
+          <l:svgIcon class="${attrs.class}" href="${iconSrc}" id="${attrs.id}" tooltip="${attrs.tooltip}"/>
       </span>
     </j:when>
 

packaging-ref.txt

@@ -1 +1 @@
-master
+stable-2.302

pom.xml

@@ -69,7 +69,7 @@ THE SOFTWARE.
   </issueManagement>
 
   <properties>
-    <revision>2.303</revision>
+    <revision>2.302.1</revision>
     <changelist>-SNAPSHOT</changelist>
 
     <!-- *.html files are in UTF-8, and *.properties are in iso-8859-1, so this configuration is actually incorrect,

test/src/test/java/hudson/FilePathTest.java

@@ -222,4 +222,63 @@ public void zipTarget_relative() throws Exception {
         assertThat(simple1.exists(), is(true));
         assertThat(simple2.exists(), is(true));
     }
+
+    @Test
+    @Issue("JENKINS-66094")
+    @LocalData("ZipSlipSamePathPrefix")
+    public void zipSlipSamePathPrefix() throws Exception {
+        assumeFalse(Functions.isWindows());
+
+        // > unzip -l evil.zip
+        // good.txt
+        //  ../foo_evil.txt
+        FilePath zipFile = r.jenkins.getRootPath().child("evil.zip");
+
+        // foo_evil.txt will be extracted to unzip-target/foo_evil.txt
+        // which has the same path prefix as unzip-target/foo
+        FilePath targetLocationParent = r.jenkins.getRootPath().child("unzip-target");
+        FilePath targetLocationFoo = targetLocationParent.child("foo");
+        FilePath evilEntry = targetLocationParent.child("foo_evil.txt");
+
+        assertThat(evilEntry.exists(), is(false));
+
+        try {
+            zipFile.unzip(targetLocationFoo);
+            fail("The ../foo_evil.txt should have triggered an exception");
+        } catch(IOException e){
+            e.printStackTrace();
+            assertThat(e.getMessage(), containsString("contains illegal file name that breaks out of the target directory"));
+        }
+
+        assertThat(evilEntry.exists(), is(false));
+    }
+
+    @Test
+    @Issue("JENKINS-66094")
+    @LocalData("ZipSlipSamePathPrefix")
+    public void zipSlipSamePathPrefixWin() throws Exception {
+        assumeTrue(Functions.isWindows());
+
+        // > unzip -l evil-win.zip
+        // good.txt
+        //  ..\foo_evil.txt
+        FilePath zipFile = r.jenkins.getRootPath().child("evil-win.zip");
+
+        // foo_evil.txt will be extracted to unzip-target\foo_evil.txt
+        // which has the same path prefix as unzip-target\foo
+        FilePath targetLocationParent = r.jenkins.getRootPath().child("unzip-target");
+        FilePath targetLocationFoo = targetLocationParent.child("foo");
+        FilePath evilEntry = targetLocationParent.child("foo_evil.txt");
+
+        assertThat(evilEntry.exists(), is(false));
+
+        try {
+            zipFile.unzip(targetLocationFoo);
+            fail("The ../foo_evil.txt should have triggered an exception");
+        } catch(IOException e){
+            assertThat(e.getMessage(), containsString("contains illegal file name that breaks out of the target directory"));
+        }
+
+        assertThat(evilEntry.exists(), is(false));
+    }
 }