[jenkins] 01/04: add en upstream patch to ensure HttpOnly cookie flag is properly set and avoid warning messages about Security cookie flag

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Fri Dec 5 11:38:04 UTC 2014



ebourg-guest pushed a commit to branch master
in repository jenkins.

commit f63a94ed21bd1584ab3043c33a4b22ee05a31b7e
Author: Yann Rouillard <yrouillard at octo.com>
Date:   Mon Nov 17 21:10:13 2014 +0000

    add an upstream patch to ensure the HttpOnly cookie flag is properly set and avoid warning messages about the Security cookie flag
---
 debian/changelog                                   |   2 +
 ...028-properly-set-httponly-flag-for-tomcat.patch | 109 +++++++++++++++++++++
 debian/patches/series                              |   1 +
 3 files changed, 112 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 8a5652e..9e2a02a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,8 @@ jenkins (1.565.3-3) unstable; urgency=medium
     Tomcat 8 and are not required for Jenkins (Closes: #769594)
   * Removed useless properties Debug and AllowLinking in Context definition
     to suppress warnings in Tomcat logs.
+  * Backported upstream patch to ensure HttpOnly cookie flag is properly set
+    and avoid warning messages about Security cookie flag (Closes: #769682)
 
  -- Yann Rouillard <yann at pleiades.fr.eu.org>  Sat, 15 Nov 2014 12:14:33 +0000
 
diff --git a/debian/patches/0028-properly-set-httponly-flag-for-tomcat.patch b/debian/patches/0028-properly-set-httponly-flag-for-tomcat.patch
new file mode 100644
index 0000000..6d0160b
--- /dev/null
+++ b/debian/patches/0028-properly-set-httponly-flag-for-tomcat.patch
@@ -0,0 +1,109 @@
+Description: This patch fixes 2 issues. It set the HttpOnly flag
+ at an ealier stage so that the setting is properly taken into
+ account by Tomcat.
+ It suppress the warning about the secure flag that only happens
+ in Tomcat as it should be configured in Tomcat configuration and
+ not set by Jenkins in that case.
+Origin: backport,https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
+From 582128b9ac179a788d43c1478be8a5224dc19710 Mon Sep 17 00:00:00 2001
+From: Kohsuke Kawaguchi <kk at kohsuke.org>
+Date: Thu, 16 Oct 2014 19:15:56 -0700
+Subject: [PATCH] [FIXED JENKINS-25019]
+
+A truly conforming servlet 3.0 container does not allow us to set "secure cookie" flag beyond ServletContextListener.onInitialized().
+If we see that, don't scare the users.
+---
+ core/src/main/java/hudson/WebAppMain.java          | 29 +++++++++++++++++++++++
+ .../model/JenkinsLocationConfiguration.java        | 16 ++++++++-----
+ 2 files changed, 39 insertions(+), 6 deletions(-)
+
+diff --git a/core/src/main/java/hudson/WebAppMain.java b/core/src/main/java/hudson/WebAppMain.java
+index 1f332e9..11d438d 100644
+--- a/core/src/main/java/hudson/WebAppMain.java
++++ b/core/src/main/java/hudson/WebAppMain.java
+@@ -56,6 +56,7 @@
+ import java.io.File;
+ import java.io.FileOutputStream;
+ import java.io.IOException;
++import java.lang.reflect.Method;
+ import java.net.URL;
+ import java.net.URLClassLoader;
+ import java.util.Date;
+@@ -116,6 +117,9 @@ public Locale get() {
+ 
+             installLogger();
+
++            System.out.println("I am here");
++            markCookieAsHttpOnly(context);
++
+             final FileAndDescription describedHomeDir = getHomeDir(event);
+             home = describedHomeDir.file.getAbsoluteFile();
+             home.mkdirs();
+@@ -251,6 +254,31 @@ public void run() {
+         }
+     }
+ 
++    /**
++     * Set the session cookie as HTTP only.
++     *
++     * @see <a href="https://www.owasp.org/index.php/HttpOnly">discussion of this topic in OWASP</a>
++     */
++    private void markCookieAsHttpOnly(ServletContext context) {
++        try {
++            Method m;
++            try {
++                m = context.getClass().getMethod("getSessionCookieConfig");
++            } catch (NoSuchMethodException x) { // 3.0+
++                LOGGER.log(Level.FINE, "Failed to set secure cookie flag", x);
++                return;
++            }
++            Object sessionCookieConfig = m.invoke(context);
++
++            // not exposing session cookie to JavaScript to mitigate damage caused by XSS
++            Class scc = Class.forName("javax.servlet.SessionCookieConfig");
++            Method setHttpOnly = scc.getMethod("setHttpOnly",boolean.class);
++            setHttpOnly.invoke(sessionCookieConfig,true);
++        } catch (Exception e) {
++            LOGGER.log(Level.WARNING, "Failed to set HTTP-only cookie flag", e);
++        }
++    }
++
+     public void joinInit() throws InterruptedException {
+         initThread.join();
+     }
+diff --git a/core/src/main/java/jenkins/model/JenkinsLocationConfiguration.java b/core/src/main/java/jenkins/model/JenkinsLocationConfiguration.java
+index 6836467..c10e51d 100644
+--- a/core/src/main/java/jenkins/model/JenkinsLocationConfiguration.java
++++ b/core/src/main/java/jenkins/model/JenkinsLocationConfiguration.java
+@@ -14,6 +14,7 @@
+ import javax.servlet.ServletContext;
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.reflect.InvocationTargetException;
+ import java.lang.reflect.Method;
+ import java.util.logging.Level;
+ import java.util.logging.Logger;
+@@ -117,14 +118,17 @@ private void updateSecureSessionFlag() {
+             }
+             Object sessionCookieConfig = m.invoke(context);
+ 
+-            // not exposing session cookie to JavaScript to mitigate damage caused by XSS
+             Class scc = Class.forName("javax.servlet.SessionCookieConfig");
+-            Method setHttpOnly = scc.getMethod("setHttpOnly",boolean.class);
+-            setHttpOnly.invoke(sessionCookieConfig,true);
+-
+-            Method setSecure = scc.getMethod("setSecure",boolean.class);
++            Method setSecure = scc.getMethod("setSecure", boolean.class);
+             boolean v = fixNull(jenkinsUrl).startsWith("https");
+-            setSecure.invoke(sessionCookieConfig,v);
++            setSecure.invoke(sessionCookieConfig, v);
++        } catch (InvocationTargetException e) {
++            if (e.getTargetException() instanceof IllegalStateException) {
++                // servlet 3.0 spec seems to prohibit this from getting set at runtime,
++                // though Winstone is happy to accept i. see JENKINS-25019
++                return;
++            }
++            LOGGER.log(Level.WARNING, "Failed to set secure cookie flag ici", e);
+         } catch (Exception e) {
+             LOGGER.log(Level.WARNING, "Failed to set secure cookie flag", e);
+         }
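Review bot: The new WebAppMain.contextInitialized code ships a leftover debug statement, `System.out.println("I am here");`, immediately before the `markCookieAsHttpOnly(context);` call, and the new InvocationTargetException handler in JenkinsLocationConfiguration.updateSecureSessionFlag logs `"Failed to set secure cookie flag ici"`, where the trailing `ici` reads as another debug marker; both should go before this backport lands, i.e. drop the println and use `LOGGER.log(Level.WARNING, "Failed to set secure cookie flag", e);`. In markCookieAsHttpOnly the NoSuchMethodException branch logs "Failed to set secure cookie flag" although this method only sets HttpOnly, and its `// 3.0+` comment is misleading since getSessionCookieConfig being absent means the container predates Servlet 3.0; suggested `LOGGER.log(Level.FINE, "Failed to set HTTP-only cookie flag; getSessionCookieConfig is not available before Servlet 3.0", x);`. The bare `return` on IllegalStateException deliberately silences the warning, but a `Level.FINE` entry there would make it easier to confirm that a Tomcat deployment still has to set the secure flag in its own configuration, as the patch header states. Whether these issues come from upstream commit 582128b9 or were introduced during the backport is not visible here; contextInitialized and updateSecureSessionFlag both begin outside the hunk.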
diff --git a/debian/patches/series b/debian/patches/series
index ef92203..8192d0b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,4 @@ build/0019-io-compat.pach.patch
 0025-specify-plugins-versions.patch
 0026-add-jsr305-dependency.patch
 0027-add-cglib-dependency.patch
+0028-properly-set-httponly-flag-for-tomcat.patch



