JENKINS-14372: Can't publish to public server with CSRF security option

Description

      When the public server has the "Prevent Cross Site Request Forgery exploits" security option turned on, it is not possible to publish builds to this server.

      The server log on the public server shows:
      Jul 10, 2012 8:16:16 AM hudson.security.csrf.CrumbFilter doFilter
      WARNING: No valid crumb was included in request for /. Returning 403.
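To make the logged failure concrete, the following is an added Python sketch (not part of this issue, of Jenkins, or of the build-publisher plugin) that models both sides of the crumb exchange: a server-side check in the role of CrumbFilter, an issuer answering in the shape of /crumbIssuer/api/json, and a publishing client once without and once with the crumb. The HMAC derivation, the secret, the session identifiers and the response strings are constructed stand-ins, not Jenkins' real implementation.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed stand-in for the server's crumb secret; Jenkins' real derivation differs.
SERVER_SECRET = b"constructed-crumb-secret"


def issue_crumb(session_id: str) -> str:
    """Server side: crumb bound to the caller's session (simplified HMAC stand-in)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def crumb_issuer_api(session_id: str) -> str:
    """Server side: JSON a client gets from GET /crumbIssuer/api/json (constructed body).
    The issuer names the request field itself, so clients should read it, not hard-code it."""
    return json.dumps({"crumb": issue_crumb(session_id), "crumbRequestField": "Jenkins-Crumb"})


def crumb_filter(method: str, path: str, headers: Dict[str, str], session_id: str) -> Tuple[int, str]:
    """Server side: the check CrumbFilter performs (simplified).
    Read-only GET/HEAD pass; any other request must carry the crumb issued to this session."""
    if method in ("GET", "HEAD"):
        return 200, "OK"
    expected = issue_crumb(session_id)
    supplied = headers.get("Jenkins-Crumb", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, f"WARNING: No valid crumb was included in request for {path}. Returning 403."
    return 200, "build published"


def publish_without_crumb(session_id: str) -> Tuple[int, str]:
    """Client side: a publisher that POSTs as if CSRF protection were off (the reported failure)."""
    return crumb_filter("POST", "/", {"Content-Type": "application/xml"}, session_id)


def publish_with_crumb(session_id: str) -> Tuple[int, str]:
    """Client side: fetch a crumb first, then send it in the field the issuer named."""
    issuer = json.loads(crumb_issuer_api(session_id))
    headers = {"Content-Type": "application/xml", issuer["crumbRequestField"]: issuer["crumb"]}
    return crumb_filter("POST", "/", headers, session_id)


if __name__ == "__main__":
    print(publish_without_crumb("session-A"))  # 403 with the warning seen in the server log
    print(publish_with_crumb("session-A"))     # 200, the publish goes through
    # A crumb issued to one session is rejected in another; that binding is what makes it a CSRF defence.
    reused = {"Jenkins-Crumb": issue_crumb("session-A")}
    print(crumb_filter("POST", "/", reused, "session-B"))  # 403
```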

Activity

          davehunt Dave Hunt added a comment -

          I just discovered this today. Are there any plans to fix this?

          stronk7 Eloy Lafuente added a comment -

          For reference, we recently enabled CSRF/Crumbs on a server and it stopped accepting published jobs from other, internal servers. Searching existing forks, I just saw the following one, which, applied to current master, seems to be doing the work, and our private servers can continue publishing like a charm:

          https://github.com/stronk7/build-publisher-plugin/commit/2bb9b7bfcece8100e849f1ed5b4a0908aa1771bf

          I have only needed to install the custom build-publisher.hpi on the sender; no change is required on the receiver.

          Disclaimer: I'm a complete naab and haven't looked much at whether the patch is 100% correct or not... it just looked "legit enough" for me to give it a try. Credit goes to AJ Banck; I just picked the patch from there and rebuilt the plugin.

          It really would be great to get the solution incorporated upstream if it's considered correct. Without it... the plugin loses much... because of the security compromise.

          TIA!

          ickersep ickersep added a comment -

          I created PR#9 with the patch from the stronk7 repo.


People

• Assignee: vjuranek
• Reporter: ickersep
• Votes: 2
• Watchers: 3