[SECURITY-2141]

Yaroslav Afenkin 2021-12-16 11:03:13 +02:00
parent d2f06c9876
commit 35a17beaf5
1 changed files with 4 additions and 1 deletions


@ -6,6 +6,8 @@ import hudson.model.UnprotectedRootAction;
import hudson.security.ACL;
import hudson.security.ACLContext;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.logging.Logger;
import javax.annotation.CheckForNull;
import javax.servlet.http.HttpServletRequest;
@ -49,7 +51,8 @@ public class TokenReloadAction implements UnprotectedRootAction {
} else {
String requestToken = getRequestToken(request);
if (token.equals(requestToken)) {
if (requestToken != null && MessageDigest.isEqual(token.getBytes(StandardCharsets.UTF_8), requestToken.getBytes(
StandardCharsets.UTF_8))) {
LOGGER.info("Configuration reload triggered via token");
try (ACLContext ignored = ACL.as(ACL.SYSTEM)) {