[SECURITY-1094]

Wadeck · daniel-beck · commit 8954b3a1e498 · 2020-04-30T10:15:13.000+02:00
diff --git a/src/main/java/hudson/scm/browsers/FishEyeCVS.java b/src/main/java/hudson/scm/browsers/FishEyeCVS.java
@@ -35,6 +35,7 @@
 import jenkins.model.Jenkins;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 import javax.servlet.ServletException;
 import java.io.IOException;
@@ -84,6 +85,7 @@ public String getDisplayName() {
             return "FishEye";
         }
 
+        @RequirePOST
         public FormValidation doCheckUrl(@QueryParameter String value) throws IOException, ServletException {
             value = Util.fixEmpty(value);
             if (value == null) return FormValidation.ok();
diff --git a/src/main/java/hudson/scm/cvstagging/CvsTagAction.java b/src/main/java/hudson/scm/cvstagging/CvsTagAction.java
@@ -38,6 +38,7 @@
 import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.export.Exported;
 import org.kohsuke.stapler.export.ExportedBean;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 import javax.servlet.ServletException;
 import java.io.IOException;
@@ -106,6 +107,7 @@ public AbstractCvs getParent() {
         return parentScm;
     }
 
+	@RequirePOST
     public synchronized void doSubmit(final StaplerRequest request, final StaplerResponse response) throws IOException,
                     ServletException {
         // check the user is allowed to tag
diff --git a/src/main/java/hudson/scm/cvstagging/LegacyTagAction.java b/src/main/java/hudson/scm/cvstagging/LegacyTagAction.java
@@ -36,6 +36,7 @@
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.export.Exported;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 import org.netbeans.lib.cvsclient.Client;
 import org.netbeans.lib.cvsclient.command.GlobalOptions;
 import org.netbeans.lib.cvsclient.command.tag.TagCommand;
@@ -137,6 +138,7 @@ public boolean isTagged() {
     /**
      * Invoked to actually tag the workspace.
      */
+	@RequirePOST
     @SuppressWarnings("unchecked")
     public synchronized void doSubmit(final StaplerRequest req,
                     final StaplerResponse rsp) throws IOException,
diff --git a/src/main/resources/hudson/scm/browsers/FishEyeCVS/config.jelly b/src/main/resources/hudson/scm/browsers/FishEyeCVS/config.jelly
@@ -25,6 +25,6 @@ THE SOFTWARE.
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
   <f:entry title="URL" field="url">
-    <f:textbox />
+    <f:textbox checkMethod="post"/>
   </f:entry>
 </j:jelly>
diff --git a/src/main/resources/hudson/scm/cvstagging/CvsTagAction/tagForm.jelly b/src/main/resources/hudson/scm/cvstagging/CvsTagAction/tagForm.jelly
@@ -32,7 +32,7 @@ THE SOFTWARE.
 
   <d:taglib uri="local">
     <d:tag name="tagForm">
-      <form action="submit" method="get">
+      <form action="submit" method="post">
         <j:set var="descriptor" value="${it.descriptor}" />
 
         <table>
diff --git a/src/main/resources/hudson/scm/cvstagging/LegacyTagAction/tagForm.jelly b/src/main/resources/hudson/scm/cvstagging/LegacyTagAction/tagForm.jelly
@@ -32,7 +32,7 @@ THE SOFTWARE.
 
   <d:taglib uri="local">
     <d:tag name="tagForm">
-      <form action="submit" method="get">
+      <form action="submit" method="post">
         <j:set var="descriptor" value="${it.descriptor}" />
 
         <table>
