[SECURITY-2777]

core/src/main/java/hudson/Functions.java

@@ -2360,7 +2360,6 @@ public static String tryGetIconPath(String iconGuess, JellyContext context) {
         }
 
         StaplerRequest currentRequest = Stapler.getCurrentRequest();
-        currentRequest.getWebApp().getDispatchValidator().allowDispatch(currentRequest, Stapler.getCurrentResponse());
         String rootURL = currentRequest.getContextPath();
         Icon iconMetadata = tryGetIcon(iconGuess);
         String iconSource = null;

test/src/test/java/jenkins/security/Security2777Test.java

@@ -0,0 +1,50 @@
+package jenkins.security;
+
+import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
+import hudson.model.UnprotectedRootAction;
+import java.io.IOException;
+import org.junit.Assert;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.TestExtension;
+
+public class Security2777Test {
+    public static final String ACTION_URL = "security2777";
+
+    @Rule
+    public JenkinsRule j = new JenkinsRule();
+
+    @Test
+    public void testView() throws IOException {
+        final JenkinsRule.WebClient wc = j.createWebClient();
+
+        // no exception on action index page
+        wc.getPage(wc.getContextPath() + ACTION_URL);
+
+        final FailingHttpStatusCodeException ex2 = Assert.assertThrows("no icon, no response", FailingHttpStatusCodeException.class, () -> wc.getPage(wc.getContextPath() + ACTION_URL + "/fragmentWithoutIcon"));
+        Assert.assertEquals("it's 404", 404, ex2.getStatusCode());
+
+        final FailingHttpStatusCodeException ex3 = Assert.assertThrows("icon, still no response", FailingHttpStatusCodeException.class, () -> wc.getPage(wc.getContextPath() + ACTION_URL + "/fragmentWithIcon"));
+        Assert.assertEquals("it's 404", 404, ex3.getStatusCode());
+    }
+
+    @TestExtension
+    public static class ViewHolder implements UnprotectedRootAction {
+
+        @Override
+        public String getIconFileName() {
+            return null;
+        }
+
+        @Override
+        public String getDisplayName() {
+            return null;
+        }
+
+        @Override
+        public String getUrlName() {
+            return ACTION_URL;
+        }
+    }
+}

test/src/test/resources/jenkins/security/Security2777Test/ViewHolder/fragmentWithIcon.jelly

@@ -0,0 +1,6 @@
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:l="/lib/layout">
+  <j:new var="h" className="hudson.Functions" />
+  <l:icon src="lol" />
+  <h2>Help!</h2>
+</j:jelly>

test/src/test/resources/jenkins/security/Security2777Test/ViewHolder/fragmentWithoutIcon.jelly

@@ -0,0 +1,5 @@
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core">
+  <h2>Help!</h2>
+  <p>I'm just HTML!</p>
+</j:jelly>

test/src/test/resources/jenkins/security/Security2777Test/ViewHolder/index.jelly

@@ -0,0 +1,8 @@
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:l="/lib/layout">
+  <l:layout>
+    <l:main-panel>
+      <h1>Hello</h1>
+    </l:main-panel>
+  </l:layout>
+</j:jelly>