[FIXED JENKINS-11397] Require POST for doConfigSubmit on views

[FIXED JENKINS-7847] Require POST for doConfigSubmit on jobs Merge remote branch 'ohtake/get-configsubmit'
jenkinsci · Oct 20, 2011 · 5247178 · 5247178
2 parents c236f9d + e31dbf7
commit 5247178
Show file tree

Hide file tree

Showing 9 changed files with 11 additions and 3 deletions.
diff --git a/changelog.html b/changelog.html
@@ -58,6 +58,9 @@
   <li class=bug>
     "Changes" in Build Summary broken in IE standard mode since 1.434
     (<a href="https://issues.jenkins-ci.org/browse/JENKINS-11383">issue 11383</a>)
+  <li class=bug>
+    GET request to configSubmit wipes some configuration
+    (<a href="https://issues.jenkins-ci.org/browse/JENKINS-11397">issue 11397</a>, <a href="https://issues.jenkins-ci.org/browse/JENKINS-7847">issue 7847</a>)
 </ul>
 </div><!--=TRUNK-END=-->
 

diff --git a/core/src/main/java/hudson/logging/LogRecorder.java b/core/src/main/java/hudson/logging/LogRecorder.java
@@ -157,6 +157,7 @@ public LogRecorderManager getParent() {
      * Accepts submission from the configuration page.
      */
     public synchronized void doConfigSubmit( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
+        requirePOST();
         JSONObject src = req.getSubmittedForm();
 
         String newName = src.getString("name"), redirect = ".";

diff --git a/core/src/main/java/hudson/model/Computer.java b/core/src/main/java/hudson/model/Computer.java
@@ -1059,6 +1059,7 @@ protected void _doScript( StaplerRequest req, StaplerResponse rsp, String view)
      */
     public void doConfigSubmit( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException, FormException {
         checkPermission(CONFIGURE);
+        requirePOST();
 
         String name = Util.fixEmptyAndTrim(req.getSubmittedForm().getString("name"));
         Jenkins.checkGoodName(name);

diff --git a/core/src/main/java/hudson/model/ComputerSet.java b/core/src/main/java/hudson/model/ComputerSet.java
@@ -306,6 +306,7 @@ public synchronized void doConfigSubmit( StaplerRequest req, StaplerResponse rsp
         BulkChange bc = new BulkChange(MONITORS_OWNER);
         try {
             Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
+            requirePOST();
             monitors.rebuild(req,req.getSubmittedForm(),getNodeMonitorDescriptors());
 
             // add in the rest of instances are ignored instances

diff --git a/core/src/main/java/hudson/model/Job.java b/core/src/main/java/hudson/model/Job.java
@@ -941,6 +941,7 @@ private HealthReport getBuildStabilityHealthReport() {
     public synchronized void doConfigSubmit(StaplerRequest req,
             StaplerResponse rsp) throws IOException, ServletException, FormException {
         checkPermission(CONFIGURE);
+        requirePOST();
 
         description = req.getParameter("description");
 

diff --git a/core/src/main/java/hudson/model/Run.java b/core/src/main/java/hudson/model/Run.java
@@ -1899,6 +1899,7 @@ public long getEstimatedDuration() {
 
     public HttpResponse doConfigSubmit( StaplerRequest req ) throws IOException, ServletException, FormException {
         checkPermission(UPDATE);
+        requirePOST();
         BulkChange bc = new BulkChange(this);
         try {
             JSONObject json = req.getSubmittedForm();

diff --git a/core/src/main/java/hudson/model/User.java b/core/src/main/java/hudson/model/User.java
@@ -454,6 +454,7 @@ public Api getApi() {
      */
     public void doConfigSubmit( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException, FormException {
         checkPermission(Jenkins.ADMINISTER);
+        requirePOST();
 
         fullName = req.getParameter("fullName");
         description = req.getParameter("description");

diff --git a/core/src/main/java/hudson/model/View.java b/core/src/main/java/hudson/model/View.java
@@ -48,7 +48,6 @@
 import hudson.views.ListViewColumn;
 import hudson.widgets.Widget;
 import jenkins.model.Jenkins;
-import net.sf.json.JSONObject;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.export.Exported;
@@ -698,6 +697,7 @@ public synchronized void doSubmitDescription( StaplerRequest req, StaplerRespons
      */
     public final synchronized void doConfigSubmit( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException, FormException {
         checkPermission(CONFIGURE);
+        requirePOST();
 
         submit(req);
 
@@ -707,8 +707,6 @@ public final synchronized void doConfigSubmit( StaplerRequest req, StaplerRespon
 
         rename(req.getParameter("name"));
 
-        JSONObject json = req.getSubmittedForm();
-
         getProperties().rebuild(req, req.getSubmittedForm(), getApplicablePropertyDescriptors());
 
         save();

diff --git a/core/src/main/java/hudson/model/labels/LabelAtom.java b/core/src/main/java/hudson/model/labels/LabelAtom.java
@@ -203,6 +203,7 @@ public void doConfigSubmit( StaplerRequest req, StaplerResponse rsp ) throws IOE
         final Jenkins app = Jenkins.getInstance();
 
         app.checkPermission(Jenkins.ADMINISTER);
+        requirePOST();
 
         properties.rebuild(req, req.getSubmittedForm(), getApplicablePropertyDescriptors());
         updateTransientActions();