From 8954b3a1e498f11c09296d4f54dc2de6a371c448 Mon Sep 17 00:00:00 2001
From: Wadeck Follonier
Date: Thu, 30 Apr 2020 10:15:13 +0200
Subject: [PATCH] [SECURITY-1094]
---
 src/main/java/hudson/scm/browsers/FishEyeCVS.java | 2 ++
 src/main/java/hudson/scm/cvstagging/CvsTagAction.java | 2 ++
 src/main/java/hudson/scm/cvstagging/LegacyTagAction.java | 2 ++
 src/main/resources/hudson/scm/browsers/FishEyeCVS/config.jelly | 2 +-
 .../resources/hudson/scm/cvstagging/CvsTagAction/tagForm.jelly | 2 +-
 .../hudson/scm/cvstagging/LegacyTagAction/tagForm.jelly | 2 +-
 6 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/main/java/hudson/scm/browsers/FishEyeCVS.java b/src/main/java/hudson/scm/browsers/FishEyeCVS.java
index 7a40cd9..a115b11 100644
--- a/src/main/java/hudson/scm/browsers/FishEyeCVS.java
+++ b/src/main/java/hudson/scm/browsers/FishEyeCVS.java
@@ -35,6 +35,7 @@
 import jenkins.model.Jenkins;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 import javax.servlet.ServletException;
 import java.io.IOException;
@@ -84,6 +85,7 @@ public String getDisplayName() {
 return "FishEye";
 }
+ @RequirePOST
 public FormValidation doCheckUrl(@QueryParameter String value) throws IOException, ServletException {
 value = Util.fixEmpty(value);
 if (value == null) return FormValidation.ok();
diff --git a/src/main/java/hudson/scm/cvstagging/CvsTagAction.java b/src/main/java/hudson/scm/cvstagging/CvsTagAction.java
index 53f1762..6fdbf14 100644
--- a/src/main/java/hudson/scm/cvstagging/CvsTagAction.java
+++ b/src/main/java/hudson/scm/cvstagging/CvsTagAction.java
@@ -38,6 +38,7 @@
 import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.export.Exported;
 import org.kohsuke.stapler.export.ExportedBean;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 import javax.servlet.ServletException;
 import java.io.IOException;
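Review bot: `doCheckUrl` is now POST-only, but `@RequirePOST` constrains the HTTP verb, not the caller, and the visible lines of the method show no permission check before `value` is used. The body continues outside this hunk, so this may already be handled; if the remainder contacts the supplied URL, it should sit behind a check such as `Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);` (or the item-level permission the project prefers), placed right after the `value == null` return. The same question applies to the two `doSubmit` hunks: `CvsTagAction.doSubmit` is followed by a `// check the user is allowed to tag` comment, while the body of `LegacyTagAction.doSubmit` is not visible here. A short comment on each annotated method, e.g. `// SECURITY-1094: POST-only so the CSRF crumb check applies; this is not an authorization check`, would record why the annotation is there.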
@@ -106,6 +107,7 @@ public AbstractCvs getParent() {
 return parentScm;
 }
+ @RequirePOST
 public synchronized void doSubmit(final StaplerRequest request, final StaplerResponse response) throws IOException, ServletException {
 // check the user is allowed to tag
diff --git a/src/main/java/hudson/scm/cvstagging/LegacyTagAction.java b/src/main/java/hudson/scm/cvstagging/LegacyTagAction.java
index 858070b..3afdbf6 100644
--- a/src/main/java/hudson/scm/cvstagging/LegacyTagAction.java
+++ b/src/main/java/hudson/scm/cvstagging/LegacyTagAction.java
@@ -36,6 +36,7 @@
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.export.Exported;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 import org.netbeans.lib.cvsclient.Client;
 import org.netbeans.lib.cvsclient.command.GlobalOptions;
 import org.netbeans.lib.cvsclient.command.tag.TagCommand;
@@ -137,6 +138,7 @@ public boolean isTagged() {
 /**
 * Invoked to actually tag the workspace.
 */
+ @RequirePOST
 @SuppressWarnings("unchecked")
 public synchronized void doSubmit(final StaplerRequest req, final StaplerResponse rsp) throws IOException,
diff --git a/src/main/resources/hudson/scm/browsers/FishEyeCVS/config.jelly b/src/main/resources/hudson/scm/browsers/FishEyeCVS/config.jelly
index db06580..db49ca7 100644
--- a/src/main/resources/hudson/scm/browsers/FishEyeCVS/config.jelly
+++ b/src/main/resources/hudson/scm/browsers/FishEyeCVS/config.jelly
@@ -25,6 +25,6 @@ THE SOFTWARE. - +
diff --git a/src/main/resources/hudson/scm/cvstagging/CvsTagAction/tagForm.jelly b/src/main/resources/hudson/scm/cvstagging/CvsTagAction/tagForm.jelly
index b071813..41be59f 100644
--- a/src/main/resources/hudson/scm/cvstagging/CvsTagAction/tagForm.jelly
+++ b/src/main/resources/hudson/scm/cvstagging/CvsTagAction/tagForm.jelly
@@ -32,7 +32,7 @@ THE SOFTWARE. -
+
diff --git a/src/main/resources/hudson/scm/cvstagging/LegacyTagAction/tagForm.jelly b/src/main/resources/hudson/scm/cvstagging/LegacyTagAction/tagForm.jelly
index a9d1952..7827af9 100644
--- a/src/main/resources/hudson/scm/cvstagging/LegacyTagAction/tagForm.jelly
+++ b/src/main/resources/hudson/scm/cvstagging/LegacyTagAction/tagForm.jelly
@@ -32,7 +32,7 @@ THE SOFTWARE. - +