From 536a97b8d649b3114f5db24ea32a7c63188a35c6 Mon Sep 17 00:00:00 2001
From: Alexander Brandes
Date: Tue, 12 Jul 2022 21:01:26 +0200
Subject: [PATCH] [SECURITY-2766] (#216)
---
 .../jobConfigHistory/ComputerConfigHistoryAction.java | 3 +++
 .../jobConfigHistory/JobConfigHistoryProjectAction.java | 3 +++
 .../plugins/jobConfigHistory/JobConfigHistoryRootAction.java | 3 +++
 src/main/webapp/deleteRevisionAndTableEntry.js | 5 +++--
 4 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/main/java/hudson/plugins/jobConfigHistory/ComputerConfigHistoryAction.java b/src/main/java/hudson/plugins/jobConfigHistory/ComputerConfigHistoryAction.java
index 88e19e62..b590d9b7 100644
--- a/src/main/java/hudson/plugins/jobConfigHistory/ComputerConfigHistoryAction.java
+++ b/src/main/java/hudson/plugins/jobConfigHistory/ComputerConfigHistoryAction.java
@@ -35,6 +35,7 @@
 import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.export.Exported;
 import org.kohsuke.stapler.export.ExportedBean;
+import org.kohsuke.stapler.verb.POST;
 import java.io.IOException;
 import java.text.ParseException;
@@ -382,6 +383,7 @@ private XmlFile getOldConfigXml(String timestamp) {
 * @param rsp Outgoing StaplerResponse
 * @throws IOException If something goes wrong
 */
+ @POST
 public final void doRestore(StaplerRequest req, StaplerResponse rsp) throws IOException {
 checkConfigurePermission();
 final String timestamp = req.getParameter("timestamp");
@@ -413,6 +415,7 @@ public final void doForwardToRestoreQuestion(StaplerRequest req, StaplerResponse
 rsp.sendRedirect("restoreQuestion?timestamp=" + timestamp);
 }
+ @POST
 public final void doDeleteRevision(StaplerRequest req) {
 checkDeleteEntryPermission();
 final String timestamp = req.getParameter("timestamp");
diff --git a/src/main/java/hudson/plugins/jobConfigHistory/JobConfigHistoryProjectAction.java b/src/main/java/hudson/plugins/jobConfigHistory/JobConfigHistoryProjectAction.java
index 9af0bccf..680ffdd6 100644
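Review bot: The Javadoc directly above `doRestore` (the `@param rsp` / `@throws IOException` context lines of this hunk) does not mention that the method is now POST-only, so nothing warns a later maintainer against wiring a plain GET link to `restore?timestamp=…` again. I would add one line to that comment, e.g. `* Only reachable via POST (SECURITY-2766); a form or XHR calling it must also carry the Jenkins CSRF crumb when the crumb issuer is enabled.` The body of `doRestore` continues past the end of the hunk.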
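Review bot: `doDeleteRevision` receives the `@POST` annotation but, unlike `doRestore` a few lines earlier in the same file, still has no Javadoc at all, so the POST-only contract and the `checkDeleteEntryPermission()` requirement are only discoverable by reading the body. A three-line Javadoc stating that it presumably removes the history revision selected by the `timestamp` request parameter, that it requires the delete-entry permission, and that it is reachable only via POST would make the hunk self-explanatory. The remainder of the method lies outside the hunk.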
--- a/src/main/java/hudson/plugins/jobConfigHistory/JobConfigHistoryProjectAction.java
+++ b/src/main/java/hudson/plugins/jobConfigHistory/JobConfigHistoryProjectAction.java
@@ -36,6 +36,7 @@
 import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.export.Exported;
 import org.kohsuke.stapler.export.ExportedBean;
+import org.kohsuke.stapler.verb.POST;
 import javax.xml.transform.Source;
 import javax.xml.transform.stream.StreamSource;
@@ -463,6 +464,7 @@ private XmlFile getOldConfigXml(String timestamp) {
 * @param rsp Outgoing StaplerResponse
 * @throws IOException If something goes wrong
 */
+ @POST
 public final void doRestore(StaplerRequest req, StaplerResponse rsp) throws IOException {
 checkConfigurePermission();
@@ -492,6 +494,7 @@ public final void doForwardToRestoreQuestion(StaplerRequest req,
 rsp.sendRedirect("restoreQuestion?timestamp=" + timestamp);
 }
+ @POST
 public final void doDeleteRevision(StaplerRequest req, StaplerResponse rsp) {
 checkDeleteEntryPermission();
 final String timestamp = req.getParameter("timestamp");
diff --git a/src/main/java/hudson/plugins/jobConfigHistory/JobConfigHistoryRootAction.java b/src/main/java/hudson/plugins/jobConfigHistory/JobConfigHistoryRootAction.java
index b391d3d8..52413358 100644
--- a/src/main/java/hudson/plugins/jobConfigHistory/JobConfigHistoryRootAction.java
+++ b/src/main/java/hudson/plugins/jobConfigHistory/JobConfigHistoryRootAction.java
@@ -39,6 +39,7 @@
 import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.export.Exported;
 import org.kohsuke.stapler.export.ExportedBean;
+import org.kohsuke.stapler.verb.POST;
 import javax.servlet.ServletException;
 import java.io.ByteArrayInputStream;
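Review bot: With `@POST` on `doRestore`, any view or link that reached `restore` through a GET now fails, yet this patch adapts only `deleteRevisionAndTableEntry.js` (for `doDeleteRevision`) and touches no Jelly view at all. Before merging, confirm that the `restoreQuestion` view — the target of the redirect visible as context in the next hunk — already submits to `restore` with a POST form that carries the crumb; if it does, a short Javadoc remark such as `* Reachable via POST only; the restoreQuestion view submits the confirming form.` records why no view change was needed here. The body of `doRestore` continues beyond this hunk.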
@@ -662,6 +663,7 @@ public boolean checkParameters(String name, String timestamp) {
 * @param rsp Outgoing StaplerResponse
 * @throws IOException If something goes wrong
 */
+ @POST
 public final void doRestore(StaplerRequest req, StaplerResponse rsp) throws IOException {
 getAccessControlledObject().checkPermission(Item.CONFIGURE);
@@ -743,6 +745,7 @@ public final void doForwardToRestoreQuestion(StaplerRequest req,
 rsp.sendRedirect("restoreQuestion?name=" + name);
 }
+ @POST
 public final void doDeleteRevision(StaplerRequest req, StaplerResponse rsp) {
 checkDeleteEntryPermission();
 final String timestamp = req.getParameter("timestamp");
diff --git a/src/main/webapp/deleteRevisionAndTableEntry.js b/src/main/webapp/deleteRevisionAndTableEntry.js
index 62f6fb5d..d7f5aeb4 100644
--- a/src/main/webapp/deleteRevisionAndTableEntry.js
+++ b/src/main/webapp/deleteRevisionAndTableEntry.js
@@ -11,9 +11,10 @@ function removeEntryFromTable(id, timestamp, name, message) {
 if (name != null) {
 url += "&name=" + name;
 }
- xmlHttp.open("GET", url, true);
+ xmlHttp.open("POST", url, true);
+ xmlHttp.setRequestHeader(document.head.getAttribute('data-crumb-header'), document.head.getAttribute('data-crumb-value'));
 xmlHttp.send(null);
 } else {
 return false;
 }
-}
\ No newline at end of file
+}
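Review bot: `doDeleteRevision` in the root action is annotated `@POST` here but carries no Javadoc, whereas `doRestore` earlier in this file documents its parameters and exception; the POST-only contract and the `checkDeleteEntryPermission()` requirement are therefore invisible to anyone reading the API surface. A short Javadoc — purpose (it presumably deletes the revision selected by the `timestamp` request parameter), the permission it enforces, and `Reachable via POST only (SECURITY-2766).` — would bring it in line with `doRestore`. The rest of the method, including whatever it does with the `timestamp` value, lies outside the hunk.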
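Review bot: `xmlHttp.setRequestHeader(document.head.getAttribute('data-crumb-header'), …)` runs unconditionally, so on an instance without a crumb issuer — where, as far as I can tell, Jenkins does not emit the `data-crumb-*` attributes on `<head>` — both `getAttribute` calls return null and the browser either sends a meaningless `null: null` header or rejects the call, depending on how it coerces the name. Guard it: `var crumbHeader = document.head.getAttribute('data-crumb-header');` / `if (crumbHeader) { xmlHttp.setRequestHeader(crumbHeader, document.head.getAttribute('data-crumb-value')); }`. The context line `url += "&name=" + name;` also still concatenates the name unencoded, so a value containing `&`, `#` or a space corrupts the query string; `encodeURIComponent(name)` avoids that. `removeEntryFromTable` starts before the hunk, where `url` and `xmlHttp` are set up.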