Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-34350

CSRF protection breaks POST to notifyCommit URL (GET is OK)

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: git-plugin
    • Labels:
      None
    • Environment:
      Jenkins LTS 1.651.1
    • Similar Issues:

      Description

      CSRF breaks general commit hook actions, not just for Plugins. Since Kohsuke added the http://jenkins/git/notifyCommit?url= action to trigger a polling event, this kind of action is used generically outside of Github Plugin, e.g. projects using something other than Github. In my case, Gitlab, which has push hooks to generically trigger remote URLs.

      CSRF should have an exclusion for /git/notifyCommit

      See http://kohsuke.org/2011/12/01/polling-must-die-triggering-jenkins-builds-from-a-git-hook/
      See JENKINS-20140
      See JENKINS-10263

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              jieryn jieryn
            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: