[FIXED JENKINS-14113]
The proposed fix buckett@eec16f1 has a problem in that it'd allow anything that has the given URL name as a prefix.
kohsuke committed Jun 15, 2012
1 parent 9272e67 commit 4e7a43c
Showing 3 changed files with 79 additions and 1 deletion.
2 changes: 1 addition & 1 deletion core/src/main/java/jenkins/model/Jenkins.java
Expand Up @@ -3520,7 +3520,7 @@ public Object getTarget() {

for (Action a : getActions()) {
if (a instanceof UnprotectedRootAction) {
if (rest.startsWith("/"+a.getUrlName()+"/"))
if (rest.startsWith("/"+a.getUrlName()+"/") || rest.equals("/"+a.getUrlName()))
return this;
}
}
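Review bot: The new condition on the replaced line still depends on `a.getUrlName()` being non-null; in Java `"/"+null` evaluates to the string `"/null"`, so an UnprotectedRootAction that returns null from getUrlName() (the usual convention for an action with no URL) would let requests to `/null` and `/null/...` skip the permission check this loop short-circuits. Since this loop is the gate deciding which paths bypass authentication, I would hoist the name and guard it: `String urlName = a.getUrlName();` / `if (urlName != null && (rest.startsWith("/"+urlName+"/") || rest.equals("/"+urlName)))` / `return this;`. getTarget() begins before this hunk, so how `rest` is derived (URL decoding, collapsing of repeated slashes) is not visible here and is worth confirming before relying on an exact-match compare.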
@@ -1,3 +1,4 @@
package hudson.model.EnvironmentContributor.EnvVarsHtml;
import hudson.model.EnvironmentContributor
import hudson.scm.SCM

77 changes: 77 additions & 0 deletions test/src/test/java/jenkins/model/JenkinsTest.java
Expand Up @@ -23,12 +23,24 @@
*/
package jenkins.model;

import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
import hudson.model.InvisibleAction;
import hudson.model.RootAction;
import hudson.model.UnprotectedRootAction;
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy;
import hudson.util.HttpResponses;
import junit.framework.Assert;
import hudson.model.FreeStyleProject;
import hudson.util.FormValidation;

import org.junit.Test;
import org.jvnet.hudson.test.Bug;
import org.jvnet.hudson.test.HudsonTestCase;
import org.jvnet.hudson.test.TestExtension;
import org.kohsuke.stapler.HttpResponse;
import org.xml.sax.SAXException;

import java.io.IOException;

/**
* @author kingfai
Expand Down Expand Up @@ -161,4 +173,69 @@ public void testDoCheckDisplayNameSameAsJobName() throws Exception {
FormValidation v = jenkins.doCheckDisplayName(jobName, curJobName);
Assert.assertEquals(FormValidation.Kind.WARNING, v.kind);
}

/**
* Makes sure access to "/foobar" for UnprotectedRootAction gets through.
*/
@Bug(14113)
public void testUnprotectedRootAction() throws Exception {
jenkins.setSecurityRealm(createDummySecurityRealm());
jenkins.setAuthorizationStrategy(new FullControlOnceLoggedInAuthorizationStrategy());
WebClient wc = createWebClient();
wc.goTo("/foobar");
wc.goTo("/foobar/");
wc.goTo("/foobar/zot");

// and make sure this fails
try {
wc.goTo("/foobar-zot/");
fail();
} catch (FailingHttpStatusCodeException e) {
assertEquals(500,e.getStatusCode());
}

assertEquals(3,jenkins.getExtensionList(RootAction.class).get(RootActionImpl.class).count);
}

@TestExtension("testUnprotectedRootAction")
public static class RootActionImpl implements UnprotectedRootAction {
private int count;

public String getIconFileName() {
return null;
}

public String getDisplayName() {
return null;
}

public String getUrlName() {
return "foobar";
}

public HttpResponse doDynamic() {
assertTrue(Jenkins.getInstance().getAuthentication().getName().equals("anonymous"));
count++;
return HttpResponses.html("OK");
}
}

@TestExtension("testUnprotectedRootAction")
public static class ProtectedRootActionImpl implements RootAction {
public String getIconFileName() {
return null;
}

public String getDisplayName() {
return null;
}

public String getUrlName() {
return "foobar-zot";
}

public HttpResponse doDynamic() {
throw new AssertionError();
}
}
}
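Review bot: The negative case at the end of testUnprotectedRootAction cannot distinguish a denied request from a leaked one: ProtectedRootActionImpl.doDynamic() throws AssertionError, which would itself surface as an HTTP 500, so `assertEquals(500,e.getStatusCode())` passes both when anonymous access is refused and when the prefix check wrongly routes `/foobar-zot/` to the protected action, which is the exact regression the test is meant to catch. I would record the call and assert it never happened: add `private int count;` to ProtectedRootActionImpl, make doDynamic() do `count++;` before the throw, and after the try/catch assert `assertEquals(0, jenkins.getExtensionList(RootAction.class).get(ProtectedRootActionImpl.class).count);`. Whether an access-denied response here is really a 500 rather than a 403 or a login redirect is not visible in this hunk; if it is a 403, asserting that instead would tighten the test further.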
