      Description

      Note: I filed this under 'core' because the component in Jira for 'github' doesn't seem to exist, despite the wiki page querying it.

      What happens:

      I set up "Trigger a build when a change is pushed to GitHub". It creates the URL, etc. correctly on github.

      However, if I click "test" I get this error message in my tomcat log:

      ==> catalina.out <==
      Jul 8, 2011 12:17:04 PM hudson.security.csrf.CrumbFilter doFilter
      WARNING: No valid crumb was included in request for /jenkins/github-webhook/. Returning 403.

      Even though I have pushed changes, no builds have been triggered.

      Ciao!

            Activity

            jglick Jesse Glick added a comment -

            If you can confirm that the issue existed but was since fixed, then go ahead and close as Fixed (or Duplicate, if you can find an original tracking issue).

            fbelzunc Félix Belzunce Arcos added a comment -

            This is an old issue from 08/Jul/11.

            More recent versions of the GitHub plugin have GitHubWebHookCrumbExclusion.java to avoid this issue. The feature was added on Oct 24, 2013.

            • Shouldn't we close this issue?
            jglick Jesse Glick added a comment -

            I wonder if it makes sense for there to be an implicit CrumbExclusion for any UnprotectedRootAction. Or if the crumb filter could safely be relaxed to ignore requests carrying either no authentication (in which case presumably the request cannot be doing anything harmful), or BASIC authentication using the API token (which presumably would not be loaded into browser credentials and available for malicious scripts). Probably someone more expert in web security needs to weigh in on this.

            danielbeck Daniel Beck added a comment -

            Not a core issue.

            aheritier Arnaud Héritier added a comment -

            I updated the component to add github (I didn't check who is maintaining it). I confirm that disabling the crumb filter solves the issue but it is dangerous...
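
The comments above mention a CrumbExclusion for the webhook as the alternative to disabling the crumb filter globally. The sketch below is an added example of that extension point, not the GitHub plugin's own GitHubWebHookCrumbExclusion.java and not written by any commenter. It assumes jenkins-core and the javax.servlet API on the classpath; the package and class names are hypothetical, and the path is taken from the log line in the report.

```java
// Added example: a path-scoped CSRF crumb exclusion for one webhook endpoint.
// Assumption: built against jenkins-core with the javax.servlet namespace.
package example.webhook; // hypothetical package name

import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@Extension
public class WebhookCrumbExclusion extends CrumbExclusion { // hypothetical class name

    // Path from the reported log line, relative to the /jenkins context root.
    private static final String EXCLUDED_PATH = "/github-webhook/";

    @Override
    public boolean process(HttpServletRequest request, HttpServletResponse response,
                           FilterChain chain) throws IOException, ServletException {
        String path = request.getPathInfo();

        // Exact match only. A prefix or substring test would also exempt
        // unrelated URLs that merely contain the webhook name, which widens
        // the set of state-changing requests that skip crumb validation.
        if (!EXCLUDED_PATH.equals(path)) {
            // Not this endpoint: return false so CrumbFilter keeps enforcing
            // the crumb requirement (and answers 403 when it is missing).
            return false;
        }

        // Skip the crumb check for this single endpoint and continue the chain.
        // Every other URL on the instance stays protected by the crumb filter.
        chain.doFilter(request, response);

        // true tells CrumbFilter the request was handled here.
        return true;
    }
}
```

With an exclusion like this in place, a POST to the webhook path no longer triggers the "No valid crumb was included in request" warning, while the crumb filter stays enabled for the rest of the instance.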


              People

              • Assignee:
                Unassigned
                Reporter:
                docwhat Christian Höltje
              • Votes:
                5
                Watchers:
                8