Jenkins / JENKINS-35967

Hardening: Jenkins should not allow creating users like " system " or "anonymous "

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: core
    • Labels:
      None

      Description

      Ran into this case while fixing JENKINS-33600. I do not see any exploits in the code, but it seems SECURITY-166 by Ryan Campbell was not aggressive enough in string checking.

      This code allows non-trimmed restricted usernames, so I was able to create the " anonymous " account with the full name "Anonymous ". The same can be done for SYSTEM as well. UIs do not show such trailing spaces, so the UI looks "fine".

      I have no obvious exploits in the code, but this logic gap may be a security issue if a plugin does not work with user IDs with spaces.

      Is it a security issue or should we handle it as a common bug?
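
The gap described above, as an added illustration that is not Jenkins core code (Jenkins is Java; this is a stand-alone Python sketch): a reserved-name check that compares the raw ID lets " anonymous " and "Anonymous " through, while a check that canonicalises the ID first (NFKC, trim, collapse whitespace, case-fold) rejects them. The function names, the display-rendering helper and the reserved set are assumptions for the example; the reserved IDs are the two named in the issue.

```python
import unicodedata

# Pseudo-user IDs named in the issue that must never become real accounts.
# (Assumption for this example: Jenkins core keeps its own list.)
RESERVED_USER_IDS = {"anonymous", "system"}


def is_reserved_naive(user_id: str) -> bool:
    """The weak check: case-insensitive but otherwise exact comparison.
    " anonymous " is a different string, so it is not flagged."""
    return user_id.lower() in RESERVED_USER_IDS


def canonical_user_id(user_id: str) -> str:
    """Canonical form used for comparison only (the stored ID is unchanged):
    NFKC folds full-width/compatibility characters and NBSP, split() drops
    every Unicode whitespace run at the edges and collapses internal ones,
    casefold() handles case more aggressively than lower()."""
    folded = unicodedata.normalize("NFKC", user_id)
    collapsed = " ".join(folded.split())
    return collapsed.casefold()


def is_reserved_hardened(user_id: str) -> bool:
    """Reject any ID whose canonical form collides with a reserved ID."""
    return canonical_user_id(user_id) in RESERVED_USER_IDS


def validate_new_user_id(user_id: str):
    """Creation-time check a realm could run. Returns (ok, reason).
    Leading/trailing whitespace is refused outright, not silently trimmed,
    so the caller cannot end up storing an ID that differs from what it
    validated."""
    if not user_id.strip():
        return False, "user ID is empty"
    if user_id != user_id.strip():
        return False, "user ID has leading or trailing whitespace"
    if is_reserved_hardened(user_id):
        return False, "collides with reserved ID %r" % canonical_user_id(user_id)
    return True, "ok"


def as_displayed(user_id: str) -> str:
    """Mimics how an HTML renderer shows the ID: whitespace collapsed, edge
    whitespace gone. This is why the bogus account looks genuine in the UI."""
    return " ".join(user_id.split())


if __name__ == "__main__":
    # Constructed probe IDs: the two from the issue plus a Unicode variant.
    for probe in [" anonymous ", "Anonymous ", "SYSTEM", "\u00a0system\u00a0", "alice"]:
        print("%-18r naive=%-5s hardened=%-5s shown as %r -> %s" % (
            probe, is_reserved_naive(probe), is_reserved_hardened(probe),
            as_displayed(probe), validate_new_user_id(probe)))
```

The point of refusing edge whitespace instead of trimming it is that the stored ID and the validated ID stay identical; trimming at validation time but storing the raw string would reintroduce exactly the mismatch the issue reports.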

              People

              • Assignee:
                Oleg Nenashev (oleg_nenashev)
              • Reporter:
                Oleg Nenashev (oleg_nenashev)
              • Votes: 0
              • Watchers: 4
