@Extension
public class CSRFExclusionImpl
extends hudson.security.csrf.CrumbExclusion
We do some basic checks to significantly limit the scope of the exclusion, but because of the dynamic nature of the URL structure, this does not guarantee that there is no leak.
So to further protect Jenkins, we pass through a fake HttpServletRequest that masks the values of the submission.
If the fake request is routed to HttpGitRepository, which is the only legitimate destination of the request, we unwrap this fake request and pass the real request to JGit.
In this way, even if an attacker manages to route the request elsewhere in Jenkins, that request will not be interpreted as a POST request.
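The wrap-and-unwrap pattern described above, written out as an added illustration (this is not the plugin's own source): the exclusion only fires for requests that pass its scoping checks, hands every downstream handler a wrapper that reports a non-POST method and no parameters, and stashes the real request under a request attribute so that only the intended endpoint can recover it. The path suffixes, the attribute name and the class name `MaskingCrumbExclusion` are assumptions made for the example.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

// Illustrative CrumbExclusion; not the git plugin's real CSRFExclusionImpl.
public class MaskingCrumbExclusion extends hudson.security.csrf.CrumbExclusion {
    // Request attribute under which the real request is stashed (assumed name).
    private static final String ORIGINAL = MaskingCrumbExclusion.class.getName() + ".original";

    @Override
    public boolean process(HttpServletRequest request, HttpServletResponse response,
                           FilterChain chain) throws IOException, ServletException {
        // Basic scoping checks: only POSTs whose path looks like a git
        // smart-HTTP service call are considered (assumed path suffixes).
        String path = request.getPathInfo();
        boolean gitService = path != null
                && (path.endsWith("/git-receive-pack") || path.endsWith("/git-upload-pack"));
        if (!"POST".equals(request.getMethod()) || !gitService) {
            return false; // not ours: normal crumb enforcement applies
        }
        // Masked view: any handler other than the git endpoint sees a request
        // that is neither a POST nor carries any submitted parameters.
        HttpServletRequestWrapper masked = new HttpServletRequestWrapper(request) {
            @Override public String getMethod() { return "BOGUS"; }
            @Override public String getQueryString() { return null; }
            @Override public String getParameter(String name) { return null; }
            @Override public String[] getParameterValues(String name) { return null; }
            @Override public Map<String, String[]> getParameterMap() { return Collections.emptyMap(); }
        };
        // setAttribute delegates to the real request, so the unwrap below
        // works whether it is handed the wrapper or the original.
        masked.setAttribute(ORIGINAL, request);
        chain.doFilter(masked, response);
        return true; // exclusion applied; the crumb check is skipped for this request
    }

    // Only the legitimate git endpoint calls this to recover the real request
    // before handing it to JGit; any other caller gets the masked view back.
    public static HttpServletRequest unwrapRequest(HttpServletRequest req) {
        Object o = req.getAttribute(ORIGINAL);
        return o instanceof HttpServletRequest ? (HttpServletRequest) o : req;
    }
}
```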
| Constructor and Description |
|---|
| CSRFExclusionImpl() |
| Modifier and Type | Method and Description |
|---|---|
| boolean | process(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain) |
| static javax.servlet.http.HttpServletRequest | unwrapRequest(javax.servlet.http.HttpServletRequest req) |
public boolean process(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
javax.servlet.FilterChain chain)
throws IOException,
javax.servlet.ServletException

Overrides: process in class hudson.security.csrf.CrumbExclusion

Throws: IOException, javax.servlet.ServletException

public static javax.servlet.http.HttpServletRequest unwrapRequest(javax.servlet.http.HttpServletRequest req)
Copyright © 2016. All rights reserved.