JENKINS-16936: Extension point for secure users of Api


Description

As a security fix, hudson.model.Api no longer permits the jsonp parameter, or xpath with a primitive result set. This is the safest policy but in certain cases it is useful to whitelist particular requesters known to be harmless. The INSECURE system property should be deprecated or deleted and an extension point introduced so various policies can be added by plugins: whitelists based on host name, requests with no Referer, etc.
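As an added example (not code from Jenkins core, from this issue, or from the Secure Requester Whitelist plugin), here is how a plugin could implement the host-name allowlist policy the description proposes on top of the `jenkins.security.SecureRequester` extension point named in the commit further down this page. The hazard it addresses is a page on a foreign origin embedding `/api/json?jsonp=...` (or an xpath query with a primitive result) in a script tag and reading the response with the victim's Jenkins session. It assumes the extension point's method is `boolean permit(StaplerRequest req, Object bean)`; the package name, class name, the `isPermittedReferer` helper and the allowlisted host names are hypothetical.

```java
// Added example, not Jenkins core or plugin code. Assumes the SecureRequester
// extension point exposes boolean permit(StaplerRequest req, Object bean).
// Package, class, helper and allowlisted hosts below are hypothetical.
package org.example.securerequester;

import hudson.Extension;
import jenkins.security.SecureRequester;
import org.kohsuke.stapler.StaplerRequest;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Permits the "unsafe" Api response forms (jsonp, xpath with a primitive
 * result) only when the request does not appear to originate from a web page
 * on a foreign origin. The Referer header is the signal a browser provides
 * when a page embeds a cross-site {@code <script>}; a direct API client
 * (curl, a build script) normally sends no Referer at all.
 */
@Extension
public class HostAllowlistSecureRequester implements SecureRequester {

    /** Hosts whose pages are trusted to embed Api responses (hypothetical values). */
    private static final Set<String> ALLOWED_REFERER_HOSTS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("ci-dashboard.example.com", "wiki.example.com")));

    @Override
    public boolean permit(StaplerRequest req, Object bean) {
        // StaplerRequest extends HttpServletRequest, so getHeader is available.
        return isPermittedReferer(req.getHeader("Referer"));
    }

    /**
     * Decision logic kept free of Stapler types so it can be unit-tested.
     *
     * A missing Referer is treated as a direct API client and permitted, which is
     * the "requests with no Referer" policy from the issue description. A Referer
     * that fails to parse, carries no host, or uses a scheme other than http(s)
     * is rejected rather than guessed at.
     */
    static boolean isPermittedReferer(String referer) {
        if (referer == null || referer.isEmpty()) {
            return true;
        }
        URI uri;
        try {
            uri = new URI(referer);
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return false;
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false;
        }
        // Compare the parsed host exactly. A substring or prefix match on the raw
        // header would accept unrelated hosts that merely contain an allowed name.
        return ALLOWED_REFERER_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }
}
```

Two points for anyone adapting this: Jenkins consults every registered `SecureRequester` and permits the request if any one of them says yes, so an allowlist plugin only ever widens what the core default allows. And the no-Referer branch is a convenience rather than a guarantee, because a page can suppress the header through its referrer policy; an installation whose non-browser clients can authenticate some other way may prefer to return false there and rely on the host allowlist alone.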

Activity

lancew Lance Wicks added a comment -

Will this be implemented via the gui interface?

jglick Jesse Glick added a comment -

It would be up to the plugin implementing the extension point whether to offer a UI interface for customizing its behavior, and if so, what the customizations would consist of.

jglick Jesse Glick added a comment -

Note: I have marked this lts-candidate even though it is an RFE, since forcing installations to use the legacy system property when only certain clients should really be authorized encourages a security vulnerability.

scm_issue_link SCM/JIRA link daemon added a comment -

Code changed in jenkins
User: Jesse Glick
Path:
changelog.html
core/src/main/java/hudson/model/Api.java
core/src/main/java/jenkins/security/SecureRequester.java
test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerTest.java
http://jenkins-ci.org/commit/jenkins/acff33106e56f9ee1d3da79a06f794151f17798d
Log:
[FIXED JENKINS-16936] Added SecureRequester extension point.

dogfood dogfood added a comment -

Integrated in jenkins_main_trunk #2956
[FIXED JENKINS-16936] Added SecureRequester extension point. (Revision acff33106e56f9ee1d3da79a06f794151f17798d)

Result = SUCCESS
Jesse Glick : acff33106e56f9ee1d3da79a06f794151f17798d
Files :

• test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerTest.java
• core/src/main/java/jenkins/security/SecureRequester.java
• changelog.html
• core/src/main/java/hudson/model/Api.java
jglick Jesse Glick added a comment -

https://wiki.jenkins-ci.org/display/JENKINS/Secure+Requester+Whitelist+Plugin

People

• Assignee: jglick Jesse Glick
• Reporter: jglick Jesse Glick
• Votes: 0
• Watchers: 10