Verifies the integrety of the projects, as builds are executed immediately after a code change was detected. This plan provides no artifiacts (use a nightly build instead).

Build: #1874 was successful Changes by daryl herzmann <akrherz@iastate.edu>

Code commits

Openfire (master)

  • daryl herzmann <akrherz@iastate.edu>

    daryl herzmann <akrherz@iastate.edu> e6a9db94f684056ced0d5e5a4291c89488fbeecc

    Merge pull request #1497 from guusdk/OF-1885_SSRF-guard-favicon
    OF-1885: SSRF guard favicon

  • Guus der Kinderen

    Guus der Kinderen 2dabb16e9ab4a378e33e32b2d4e4bc052d03d3c5 m

    Increate favicon retrieval timeouts
    I've noticed that many favicons are not shown. Increasing retrieval timeouts in the hope that this yields better results.

    • xmppserver/src/main/java/org/jivesoftware/util/FaviconServlet.java (version 2dabb16e9ab4a378e33e32b2d4e4bc052d03d3c5)
  • Guus der Kinderen

    Guus der Kinderen c2ccb38250910587498597955d0bbee8b58e46df m

    OF-1885: Guard against SSRF by inpecting favicon results
    The Openfire servlet that is supposed to be used to retrieve favicons from remote servers could be used to obtain anything. To prevent unauthorized use, this commit adds a check that verifies if the returned data is an image. If that's not the case, the returned data is ignored.

    • xmppserver/src/main/java/org/jivesoftware/util/FaviconServlet.java (version c2ccb38250910587498597955d0bbee8b58e46df)
    • xmppserver/src/main/java/org/jivesoftware/util/GraphicsUtils.java (version c2ccb38250910587498597955d0bbee8b58e46df)
    • xmppserver/src/test/java/org/jivesoftware/util/GraphicsUtilsTest.java (version c2ccb38250910587498597955d0bbee8b58e46df)