Fix SECURITY-809

jenkinsci · Jun 1, 2018 · 25d9521 · 25d9521
1 parent 8c79249
commit 25d9521
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/src/main/java/org/jenkinsci/plugins/cas/CasSecurityRealm.java b/src/main/java/org/jenkinsci/plugins/cas/CasSecurityRealm.java
@@ -27,6 +27,7 @@
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 import org.springframework.security.cas.ServiceProperties;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.AuthenticationEntryPoint;
@@ -287,7 +288,10 @@ public String getDisplayName() {
  return "CAS (Central Authentication Service)";
  }
 
+ @RequirePOST
  public FormValidation doCheckCasServerUrl(@QueryParameter String value) throws IOException, ServletException {
+ Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
+
  value = Util.fixEmptyAndTrim(value);
  if (value == null)
  return FormValidation.error(Messages.CasSecurityRealm_casServerUrl_missingUrl());

diff --git a/src/main/resources/org/jenkinsci/plugins/cas/CasSecurityRealm/config.jelly b/src/main/resources/org/jenkinsci/plugins/cas/CasSecurityRealm/config.jelly
@@ -1,7 +1,7 @@
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
  <f:entry title="${%casServerUrl}" field="casServerUrl">
- <f:textbox />
+ <f:textbox checkMethod="post" />
  </f:entry>
  <f:dropdownDescriptorSelector title="${%casProtocol}" field="casProtocol" />
  <f:entry title="${%forceRenewal}" field="forceRenewal">