Commit 0de3e9b1 authored by Jesse Glick, committed by Kohsuke Kawaguchi

[SECURITY-47]

- My second patch, with whitelisted XPath values and forbidden JSONP.
- Disabling JSONP altogether for REST API (unless explicitly allowed).
- Forbid primitive XPath result sets by default.
- Refuse to serve _crumb=123456 as this could (very hypothetically) be exploited.
(cherry picked from commit f4af9b1a)

Conflicts:

	core/src/main/java/hudson/model/Api.java
parent 4c52ddfe