Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-39402

Jenkins creates massive HTTP headers that blows up proxies

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      When Jenkins serves an access denied for a page it includes in the HTTP headers ever group that the current user is a member of.

      In a large corporate environment this can be hundreds of groups which causes many KBs of headers.
      nginx, HAProxy, Apache HTTPd and other proxies limit the maximum size and number of HTTP headers - so in this case instead of the access denied the user would see a 502 error from the proxy which hides the underlying issue. (FWIW HAProxy limits the number of headers to 101 - and classes an application that uses more than this amount of headers as buggy)

      There is no reason to send all the list of groups by default - it perhaps could be enabled by a property but default to disabled, but in reality exposing what permission you need to the end user and what permissions they have is rarely (if ever) used.

      This is the code in question that needs fixing.

        Attachments

          Issue Links

            Activity

            Hide
            olivergondza Oliver Gondža added a comment -

            U presume the image 2.32.3 will pick it up without any additional action.

            Show
            olivergondza Oliver Gondža added a comment - U presume the image 2.32.3 will pick it up without any additional action.
            Hide
            alokjoshi89 Alok Joshi added a comment -

            Thanks Oliver Gondža, just curious what will be the ETA for 2.32.3 and will it be a LTS version? Since we run Jenkins at pretty big scale in our organization, we want to go out with a LTS version.

            Show
            alokjoshi89 Alok Joshi added a comment - Thanks Oliver Gondža , just curious what will be the ETA for 2.32.3 and will it be a LTS version? Since we run Jenkins at pretty big scale in our organization, we want to go out with a LTS version.
            Hide
            olivergondza Oliver Gondža added a comment -

            All double dot releases provided by upstream are LTS ones. See the wiki[1] and calendar[2] for more details. The release is today, btw.

            [1] https://wiki.jenkins-ci.org/display/JENKINS/LTS+Release+Line
            [2] https://jenkins.io/content/event-calendar/

            Show
            olivergondza Oliver Gondža added a comment - All double dot releases provided by upstream are LTS ones. See the wiki [1] and calendar [2] for more details. The release is today, btw. [1] https://wiki.jenkins-ci.org/display/JENKINS/LTS+Release+Line [2] https://jenkins.io/content/event-calendar/
            Hide
            alokjoshi89 Alok Joshi added a comment -

            This is wonderful! Thanks a lot.

            Show
            alokjoshi89 Alok Joshi added a comment - This is wonderful! Thanks a lot.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/hudson/security/AccessDeniedException2.java
            test/src/test/java/hudson/security/AccessDeniedException2Test.java
            http://jenkins-ci.org/commit/jenkins/cf78e48b446f34379e2a988d086693e5ca53e251
            Log:
            [FIXED JENKINS-39402] Cap the number of group headers printed by AccessDeniedException2.
            (cherry picked from commit d6f7e4101f055e14009bc4407b508fe5457e69c0)

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: core/src/main/java/hudson/security/AccessDeniedException2.java test/src/test/java/hudson/security/AccessDeniedException2Test.java http://jenkins-ci.org/commit/jenkins/cf78e48b446f34379e2a988d086693e5ca53e251 Log: [FIXED JENKINS-39402] Cap the number of group headers printed by AccessDeniedException2. (cherry picked from commit d6f7e4101f055e14009bc4407b508fe5457e69c0)

              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                teilo James Nord
              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: