Verifies the integrity of the projects, as builds are executed immediately after a code change is detected. This plan provides no artifacts (use a nightly build instead).

Build: #1835 was successful

Job: Build was successful

Stages & jobs

  1. Default Stage

Code commits

Openfire (master)

  • daryl herzmann <akrherz@iastate.edu>

    daryl herzmann <akrherz@iastate.edu> 8b4e42c45c386d9578fe6a8624746c514210706b

    Merge pull request #1440 from guusdk/OF-1021_plugin-upload-file_extensions
    OF-1021: Additional checks on (uploaded) plugin files

  • Guus der Kinderen

    Guus der Kinderen 28972842d1d4147e018959d790dd1e9d22a540c7

    OF-1021: Verify magic bytes of uploaded plugins
    Commit 9c62dbf599f266bde214c5a68a004708edc7da48 adds code that removes uploaded files that cannot be parsed as JAR files.

    To further guard against malicious files being uploaded, this commit verifies the magic bytes (the first few bytes) of the uploaded file.

    The new functionality is controlled by two new properties:
    - plugins.upload.magic-number-check.enabled A boolean value that enables or disables the check (defaults to true).
    - plugins.upload.magic-number.values.expected-value A list of hex representations of valid magic byte sequences (defaults to "504B0304", "504B0506", "504B0708").

    • i18n/src/main/resources/openfire_i18n.properties (version 28972842d1d4147e018959d790dd1e9d22a540c7)
    • xmppserver/src/main/java/org/jivesoftware/openfire/container/PluginManager.java (version 28972842d1d4147e018959d790dd1e9d22a540c7)
    • xmppserver/src/test/java/org/jivesoftware/openfire/container/PluginManagerTest.java (version 28972842d1d4147e018959d790dd1e9d22a540c7)
    • xmppserver/src/test/resources/hello.jar (version 28972842d1d4147e018959d790dd1e9d22a540c7)
  • Guus der Kinderen

    Guus der Kinderen 368db057c0a33b65598c77dc7f8eea8bef1d5c11

    OF-1021: Verify JAR content
    Commit 9c62dbf599f266bde214c5a68a004708edc7da48 adds code that removes uploaded files that cannot be parsed as JAR files.

    To further guard against malicious files being uploaded, this commit verifies that the uploaded JAR file contains a 'plugin.xml' entry.

    The new functionality is controlled by two new properties:
    - plugins.upload.pluginxml-check.enabled A boolean value that enables or disables the check (defaults to true).

    • i18n/src/main/resources/openfire_i18n.properties (version 368db057c0a33b65598c77dc7f8eea8bef1d5c11)
    • xmppserver/src/main/java/org/jivesoftware/openfire/container/PluginManager.java (version 368db057c0a33b65598c77dc7f8eea8bef1d5c11)
  • Guus der Kinderen

    Guus der Kinderen 72cf4bf6dd5ea7df2ad4f60b8587b4cfcc579d63

    OF-1021: Verify content type of uploaded plugins
    Commit 9c62dbf599f266bde214c5a68a004708edc7da48 adds code that removes uploaded files that cannot be parsed as JAR files.

    To further guard against malicious files being uploaded, this commit adds functionality to allow verifying the content type, as specified by the browser, of the uploaded file.

    As a potential attacker is likely to be able to modify the reported content type, the added security value of this change is therefore not very significant. By default, this functionality is therefore disabled, to prevent valid use cases from being stopped by this.

    The new functionality is controlled by two new properties:
    - plugins.upload.content-type-check.enabled A boolean value that enables or disables the check (defaults to false).
    - plugins.upload.content-type-check.expected-value Text value that is the expected content type (defaults to application/x-java-archive).

    • xmppserver/src/main/webapp/plugin-admin.jsp (version 72cf4bf6dd5ea7df2ad4f60b8587b4cfcc579d63)
  • Guus der Kinderen

    Guus der Kinderen f1a8ec1f641117c0570e0d6471f63828bc419394

    Fixed logged messages.

    • xmppserver/src/main/java/org/jivesoftware/openfire/container/PluginManager.java (version f1a8ec1f641117c0570e0d6471f63828bc419394)
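
The two file-level checks described in the OF-1021 commit messages above (magic bytes first, then a 'plugin.xml' entry), as an added example for Java 11 or later. It is not the code from these commits or from Openfire's PluginManager: the class and method names are hypothetical, and the sample files are constructed at run time.

```java
import java.io.*;
import java.nio.file.*;
import java.util.List;
import java.util.jar.*;

// Hypothetical class and method names; this is not Openfire's PluginManager code.
public class PluginUploadCheck {
    // Default magic byte sequences quoted in the commit message (hex).
    static final List<String> EXPECTED_MAGIC = List.of("504B0304", "504B0506", "504B0708");

    // True if the file's first bytes match one of the expected sequences.
    static boolean hasExpectedMagic(Path file) throws IOException {
        byte[] head;
        try (InputStream in = Files.newInputStream(file)) {
            head = in.readNBytes(4); // may be shorter than 4 for tiny files
        }
        StringBuilder sb = new StringBuilder();
        for (byte b : head) sb.append(String.format("%02X", b));
        String hex = sb.toString();
        return EXPECTED_MAGIC.stream().anyMatch(hex::startsWith);
    }

    // True if the file parses as a JAR and has a top-level 'plugin.xml' entry.
    static boolean hasPluginXml(Path file) {
        try (JarFile jar = new JarFile(file.toFile())) {
            return jar.getJarEntry("plugin.xml") != null;
        } catch (IOException e) {
            return false; // not a readable archive
        }
    }

    static boolean accept(Path file) throws IOException {
        return hasExpectedMagic(file) && hasPluginXml(file); // cheap check first
    }

    // Builds a constructed sample JAR holding one small entry.
    static Path sampleJar(String entryName) throws IOException {
        Path p = Files.createTempFile("sample", ".jar");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(p))) {
            out.putNextEntry(new JarEntry(entryName));
            out.write(1);
        }
        return p;
    }

    public static void main(String[] args) throws IOException {
        Path renamedHtml = Files.write(Files.createTempFile("sample", ".jar"), "<html>".getBytes());
        System.out.println("jar with plugin.xml:    " + accept(sampleJar("plugin.xml")));
        System.out.println("jar without plugin.xml: " + accept(sampleJar("readme.txt")));
        System.out.println("HTML renamed to .jar:   " + accept(renamedHtml));
    }
}
```

Both checks look only at the file's own bytes, unlike the browser-reported content type that the third commit message describes as modifiable by the uploader.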