JENKINS-6072: missing crumb header on project open

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Component/s: security
    • Labels:
      None
    • Environment:
      Mac OS X 10.6.2 Client,
      Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8l DAV/2 mod_jk/1.2.30,
      Hudson build 1.352,
      Hudson options: /usr/bin/java -Xms1G -Xmx1G -jar /PATH/TO/HUDSON/hudson.war --httpPort=-1 --ajp13Port=8090

      Description

      After choosing a project, one AJAX POST request fails with 403 error. The request does not include the .crumb header.

      Request: https://hudson/job/PROJECTNAME/buildHistory/ajax

      Response:
      <html><head><title>Error 403</title></head><body bgcolor="#ffffff"><h1>Status Code: 403</h1>Exception: No valid crumb was included in the request<br>Stacktrace: <pre>(none)
      </pre><br><hr size="1" width="90%"><i>Generated by Winstone Servlet Engine v0.9.10 at Thu Mar 25 20:39:36 CET 2010</i></body></html>

      Hudson installation is in a local network.

            Activity

            jomey jomey created issue -
            mindless Alan Harder added a comment -

            changing component, doesn't look related to changelog-history plugin.

            mindless Alan Harder made changes -
            Field Original Value New Value
            Assignee mindless [ mindless ]
            Component/s security [ 15508 ]
            Component/s changelog-history [ 15600 ]
            dty Dean Yu added a comment - - edited

            Added patch to this bug per mindless's request in

            http://n4.nabble.com/Ajax-update-of-build-history-broken-when-XSRF-crumbs-are-enabled-td1692971.html#a1692971

            As an addendum to my comments on the e-mail thread, the patch seems to fix the problem. I'm just not sure it's the best way to fix it.

            dty Dean Yu made changes -
            Attachment JENKINS-6072.diff [ 19279 ]
            mindless Alan Harder made changes -
            Assignee mindless [ mindless ]
            mindless Alan Harder made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            mindless Alan Harder added a comment -

            thx for the patch.. it did get me on the right track more quickly.
            prototype's Ajax.Request is supposed to support both arrays and objects for the requestHeaders, but it was Hudson's crumb handling that only supports objects (hence your workaround to change the input from array to object). I'll add support for arrays in crumb.wrap.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in hudson
            User: : mindless
            Path:
            trunk/hudson/main/war/resources/scripts/hudson-behavior.js
            trunk/www/changelog.html
            http://jenkins-ci.org/commit/29597
            Log:
            [FIXED JENKINS-6072] Ajax.Request accepts both object(hash) or Array for requestHeaders,
            but crumb.wrap only worked with hash.. now support Array as well.
            This fixes ajax update of Build History when CSRF protection is turned on.

            scm_issue_link SCM/JIRA link daemon made changes -
            Status In Progress [ 3 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
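
The array-versus-object mismatch described in the comments above, as an added JavaScript example (not Hudson's own code). The function names, the crumb value and the `X-Sample` header are constructed for illustration; `headersOnWire` is a simplified model of how Prototype's Ajax.Request reads the two `requestHeaders` forms (an object, or an array of alternating names and values).

```javascript
// Added illustration; all names here are hypothetical, not Hudson's source.
const CRUMB_FIELD = ".crumb";                 // header name from the issue report
const CRUMB_VALUE = "constructed-crumb-value"; // constructed sample value

// "Before": assumes requestHeaders is always an object (hash).
// On an array this sets a named property, not an element, so length is unchanged.
function wrapObjectOnly(headers) {
  headers[CRUMB_FIELD] = CRUMB_VALUE;
  return headers;
}

// "After": handles both forms that Ajax.Request accepts.
function wrapBoth(headers) {
  if (Array.isArray(headers)) {
    headers.push(CRUMB_FIELD, CRUMB_VALUE);   // append as a name/value pair
  } else {
    headers[CRUMB_FIELD] = CRUMB_VALUE;
  }
  return headers;
}

// Simplified model of turning requestHeaders into the headers actually sent.
function headersOnWire(requestHeaders) {
  const sent = {};
  if (Array.isArray(requestHeaders)) {
    // Array form: even indexes are names, odd indexes are values.
    for (let i = 0; i + 1 < requestHeaders.length; i += 2) {
      sent[requestHeaders[i]] = requestHeaders[i + 1];
    }
  } else {
    for (const name of Object.keys(requestHeaders)) {
      sent[name] = requestHeaders[name];
    }
  }
  return sent;
}

// Model of the server-side check: 403 when no valid crumb is present.
function crumbStatus(sent) {
  return sent[CRUMB_FIELD] === CRUMB_VALUE ? 200 : 403;
}

// Runs one wrap function against both input forms (constructed sample headers).
function demo(wrap) {
  return {
    arrayForm: crumbStatus(headersOnWire(wrap(["X-Sample", "1"]))),
    objectForm: crumbStatus(headersOnWire(wrap({ "X-Sample": "1" }))),
  };
}
```

A caller that passes headers as an array gets a 403 with the object-only wrapper because the crumb never becomes an array element, which matches the symptom in the report: the request goes out without the crumb header.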
            rutsky rutsky added a comment -

            Does this fix JENKINS-5241?

            mindless Alan Harder made changes -
            Link This issue is duplicated by JENKINS-5241 [ JENKINS-5241 ]
            abayer Andrew Bayer made changes -
            Status Resolved [ 5 ] Closed [ 6 ]
            dbaktiar Daniel Baktiar added a comment - - edited

            This problem of "Missing Crumb Header on Project Open" also occurs when I am configuring a project and click on the "Preview" below the project "Description" field.
            I am running Jenkins 1.441 on Apache Tomcat 7.0.23, Windows 64-bit, Java 1.6.0_29.

            dbaktiar Daniel Baktiar made changes -
            Resolution Fixed [ 1 ]
            Status Closed [ 6 ] Reopened [ 4 ]
            danielbeck Daniel Beck added a comment -

            Given the age of this issue, I'm resolving this.

            If something like this happens on recent Jenkins releases (notably 2.0), it should be filed as a new issue.

            danielbeck Daniel Beck made changes -
            Status Reopened [ 4 ] Resolved [ 5 ]
            Resolution Cannot Reproduce [ 5 ]

              People

              • Assignee:
                mindless Alan Harder
                Reporter:
                jomey jomey