[Fix JENKINS-30116] NegSecFilter should not secure notifyCommit URLs
git, mercurial, and subversion all support push notifications to trigger
polling and builds. These are not supposed to be secured, so make the
filter bypass authentication when "/notifyCommit" is in the requested URL.
https://issues.jenkins-ci.org/browse/JENKINS-30116
FarmGeek4Life committed Aug 30, 2015
1 parent cff63d0 commit fc41c77
Showing 1 changed file with 19 additions and 4 deletions.
Expand Up @@ -41,6 +41,7 @@
import java.util.logging.Logger;
import java.io.IOException;
import java.net.URL;
import java.util.StringTokenizer;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
Expand All @@ -64,6 +65,8 @@ public final class NegSecFilter extends NegotiateSecurityFilter {
private boolean redirectEnabled = false;
private String redirect = "yourdomain.com";
private boolean allowLocalhost = true;
private String pathsNotAuthenticated = "/userContent";
private String pathWildCardsNotAuthenticated = "/notifyCommit"; // "/git/notifyCommit;/subversion/*/notifyCommit"

/**
* Add call to advertise Jenkins headers, as appropriate.
Expand All @@ -83,11 +86,23 @@ public void doFilter(final ServletRequest request, final ServletResponse respons
}

HttpServletRequest httpRequest = (HttpServletRequest)request;
String userContentPath = httpRequest.getContextPath() + "/userContent";
String contextPath = httpRequest.getContextPath();
String requestURI = httpRequest.getRequestURI();

if (httpRequest.getRequestURI().startsWith(userContentPath)) {
chain.doFilter(request, response);
return;
StringTokenizer notAuthPathsTokenizer = new StringTokenizer(pathsNotAuthenticated, ";");
while (notAuthPathsTokenizer.hasMoreTokens()) {
if (requestURI.startsWith(contextPath + notAuthPathsTokenizer.nextToken())) {
chain.doFilter(request, response);
return;
}
}

StringTokenizer notAuthPathWildCardsTokenizer = new StringTokenizer(pathWildCardsNotAuthenticated, ";");
while (notAuthPathWildCardsTokenizer.hasMoreTokens()) {
if (requestURI.contains(notAuthPathWildCardsTokenizer.nextToken())) {
chain.doFilter(request, response);
return;
}
}

if (this.allowLocalhost && httpRequest.getLocalAddr().equals(httpRequest.getRemoteAddr())) {
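Review bot: The wildcard loop's `requestURI.contains(notAuthPathWildCardsTokenizer.nextToken())` exempts from authentication every request whose path carries the token anywhere in it, which is broader than the per-SCM hook endpoints the description names, and it runs against the raw `getRequestURI()` without any normalization, so the exemption is not confined to the hook's final path segment. Since the git and subversion hook paths both end in `/notifyCommit`, anchoring the match is tighter and still satisfies the stated goal: `if (requestURI.endsWith(notAuthPathWildCardsTokenizer.nextToken()))` (strip one trailing `/` from `requestURI` beforehand if the hooks may be called with one). The trailing comment on the `pathWildCardsNotAuthenticated` field in the earlier hunk shows a `/subversion/*/notifyCommit` form, but `contains` does no `*` expansion, so a value written that way would never match; either reword the comment to say entries are plain substrings or implement the glob. Tokens from both `StringTokenizer` loops are not trimmed, so a `; `-separated value would carry a leading space into the `contextPath + token` prefix check and silently fail to match. doFilter continues past the end of the hunk.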
