
Setup wizard login trivial to circumvent

      Description

      The /securityRealm/firstUser is accessible and allows creating an account while the setup wizard is active, but nobody has logged in so far.

      Also, really weird UI brokenness since / is still the setup wizard.

            Activity

            danielbeck Daniel Beck added a comment -

            Yep – First approach had a different Stapler root object (no Jenkins), but that quickly became a mess as Jenkins was needed e.g. for integrating the security configuration into the initial setup.

            The comment thread on this starts around https://github.com/jenkinsci/jenkins/pull/2042#issuecomment-191396954 in the initial PR.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: kzantow
            Path:
            core/src/main/java/jenkins/install/SetupWizard.java
            http://jenkins-ci.org/commit/jenkins/2968285d9a2158747bfc5fc2c93b8217bfff7702
            Log:
            JENKINS-33770 - not all paths restricted during SetupWizard

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: kzantow
            Path:
            core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
            core/src/main/java/jenkins/install/SetupWizard.java
            core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/setupWizardFirstUser.jelly
            core/src/main/resources/jenkins/install/SetupWizard/setupWizardFirstUser.jelly
            war/src/main/js/api/securityConfig.js
            war/src/main/js/templates/firstUserPanel.hbs
            http://jenkins-ci.org/commit/jenkins/3cf8de04a9fae00dabcec4c3888903afda4336df
            Log:
            JENKINS-33770 - fix issue directly submitting firstUser page

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: kzantow
            Path:
            .mvn/jvm.config
            changelog.html
            core/pom.xml
            core/src/main/java/hudson/ExtensionFinder.java
            core/src/main/java/hudson/init/impl/InstallUncaughtExceptionHandler.java
            core/src/main/java/hudson/model/Fingerprint.java
            core/src/main/java/hudson/model/ItemGroupMixIn.java
            core/src/main/java/hudson/model/View.java
            core/src/main/java/hudson/model/ViewDescriptor.java
            core/src/main/java/jenkins/install/InstallUtil.java
            core/src/main/java/jenkins/install/SetupWizard.java
            core/src/main/java/jenkins/model/Jenkins.java
            core/src/main/resources/hudson/model/AllView/noJob.jelly
            core/src/main/resources/hudson/tools/label.jelly
            core/src/main/resources/jenkins/install/SetupWizard/authenticate-security-token.jelly
            core/src/main/resources/jenkins/install/UpgradeWizard/footer.jelly
            core/src/main/resources/jenkins/install/UpgradeWizard/footer.properties
            core/src/main/resources/jenkins/install/pluginSetupWizard.properties
            core/src/main/resources/lib/form/repeatableDeleteButton.jelly
            core/src/main/resources/lib/hudson/ballColorTd.jelly
            core/src/main/resources/lib/layout/html.jelly
            test/src/test/java/hudson/jobs/CreateItemTest.java
            test/src/test/java/hudson/model/ViewDescriptorTest.java
            test/src/test/java/hudson/model/ViewTest.java
            war/src/main/js/api/pluginManager.js
            war/src/main/js/pluginSetupWizardGui.js
            war/src/main/js/templates/errorPanel.hbs
            war/src/main/less/pluginSetupWizard.less
            war/src/main/webapp/css/style.css
            http://jenkins-ci.org/commit/jenkins/f06ee0fef4632c7f0994f8d5ebee086240348e80
            Log:
            Merge remote-tracking branch 'primary/2.0' into JENKINS-33770-security-token-not-always-required

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
            core/src/main/java/jenkins/install/SetupWizard.java
            core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/setupWizardFirstUser.jelly
            core/src/main/resources/jenkins/install/SetupWizard/setupWizardFirstUser.jelly
            war/src/main/js/api/securityConfig.js
            war/src/main/js/templates/firstUserPanel.hbs
            http://jenkins-ci.org/commit/jenkins/360cfcdcc87f8f10c9041e3fedfbee522fc035ed
            Log:
            Merge pull request #2170 from kzantow/JENKINS-33770-security-token-not-always-required

            [FIX JENKINS-33770] Prevent unauthenticated user registration

            Compare: https://github.com/jenkinsci/jenkins/compare/a9f12093debe...360cfcdcc87f
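As an added illustration (not Jenkins code and not the project's fix), the two gates the commit logs above describe, "not all paths restricted during SetupWizard" and the setup-token requirement behind "Prevent unauthenticated user registration", modelled in Python; the path allowlist, the `Instance` class and the constructed setup token are assumptions:

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Instance:
    """Toy stand-in for an install mid-setup (assumed, not a Jenkins class)."""
    setup_wizard_active: bool = True
    # Per-install secret the wizard prompts for; constructed here, while in
    # Jenkins it is the initial admin password written to disk and the log.
    setup_token: str = field(default_factory=lambda: secrets.token_hex(16))
    users: list = field(default_factory=list)


def allowed_during_setup(path: str) -> bool:
    """Assumed allowlist: only wizard pages are served until setup completes."""
    return path == "/" or path.startswith("/setupWizard/") \
        or path == "/securityRealm/firstUser"


def create_first_user(inst: Instance, form: dict) -> tuple:
    """Gate 2: registration only while the wizard runs, only once, and only
    with proof of the setup token (compared in constant time)."""
    if not inst.setup_wizard_active or inst.users:
        return 403, "registration closed"
    token = form.get("setupToken", "")
    if not hmac.compare_digest(token.encode(), inst.setup_token.encode()):
        return 401, "setup security token required"
    username = form.get("username", "").strip()
    if not username:
        return 400, "username required"
    inst.users.append(username)
    return 200, f"created {username}"


def route(inst: Instance, path: str, form: Optional[dict] = None) -> tuple:
    """Gate 1: while the wizard is active every non-wizard path is refused,
    so no management page is reachable before an admin account exists."""
    form = form or {}
    if inst.setup_wizard_active and not allowed_during_setup(path):
        return 403, "setup in progress"
    if path == "/securityRealm/firstUser":
        return create_first_user(inst, form)
    return 200, "ok"
```

Submitting the first-user form without the token, as the report describes, now yields 401 instead of an account.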


              People

              • Assignee: Keith Zantow (kzantow)
              • Reporter: Daniel Beck (danielbeck)