Only allow POST verb on VM control submit

This addresses SECURITY-1764 additionally to d6a07fe
("Add missing permission checks to list box model functions").

Signed-off-by: Bastian Germann <[email protected]>
Reviewed-by: Benedikt Spranger <[email protected]>

Author: Bastian Germann

CHANGELOG.md

@@ -7,6 +7,9 @@ Unreleased
 -   Fix [JENKINS-64698](https://issues.jenkins.io/browse/JENKINS-64698A):
     Cannot create a libvirt agent
     (Thanks to Benoit Guerin for the contribution)
+-   Fix SECURITY-1764:
+    Missing CSRF protection allows to shutdown cloud nodes
+    (Thanks to Wadeck Follonier for the report)
 
 ### 1.9.0
 

src/main/java/hudson/plugins/libvirt/VirtualMachineManagementServer.java

@@ -12,6 +12,7 @@
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
+import org.kohsuke.stapler.verb.POST;
 
 import javax.servlet.ServletException;
 
@@ -60,6 +61,7 @@ public String getJsUrl(String jsName) {
         return Consts.PLUGIN_JS_URL + jsName;
     }
 
+    @POST
     public void doControlSubmit(@QueryParameter("stopId") String stopId, StaplerRequest req, StaplerResponse rsp) throws ServletException,
             IOException,
             InterruptedException, VirtException {