Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-6072

missing crumb header on project open

    Details

    • Type: Bug
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: security
    • Labels:
      None
    • Environment:
      Mac OS X 10.6.2 Client,
      Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8l DAV/2 mod_jk/1.2.30,
      Hudson build 1.352,
      Hudson options: /usr/bin/java -Xms1G -Xmx1G -jar /PATH/TO/HUDSON/hudson.war --httpPort=-1 --ajp13Port=8090

      Description

      After choosing a project, one AJAX POST request fails with 403 error. The request does not include the .crumb header.

      Request: https://hudson/job/PROJECTNAME/buildHistory/ajax

      Response:
      <html><head><title>Error 403</title></head><body bgcolor="#ffffff"><h1>Status Code: 403</h1>Exception: No valid crumb was included in the request<br>Stacktrace: <pre>(none)
      </pre><br><hr size="1" width="90%"><i>Generated by Winstone Servlet Engine v0.9.10 at Thu Mar 25 20:39:36 CET 2010</i></body></html>

      Hudson installation is in a local network.

        Issue Links

          Activity

          jomey jomey created issue -
          Hide
          mindless Alan Harder added a comment -

          changing component, doesn't look related to changelog-history plugin.

          Show
          mindless Alan Harder added a comment - changing component, doesn't look related to changelog-history plugin.
          mindless Alan Harder made changes -
          Field Original Value New Value
          Assignee mindless [ mindless ]
          Component/s security [ 15508 ]
          Component/s changelog-history [ 15600 ]
          Hide
          dty Dean Yu added a comment - - edited

          Added patch to this bug per mindless's request in

          http://n4.nabble.com/Ajax-update-of-build-history-broken-when-XSRF-crumbs-are-enabled-td1692971.html#a1692971

          As an addendum to my comments on the e-mail thread, the patch seems to fix the problem. I'm just not sure it's the best way to fix it.

          Show
          dty Dean Yu added a comment - - edited Added patch to this bug per mindless's request in http://n4.nabble.com/Ajax-update-of-build-history-broken-when-XSRF-crumbs-are-enabled-td1692971.html#a1692971 As an addendum to my comments on the e-mail thread, the patch seems to fix the problem. I'm just not sure it's the best way to fix it.
          dty Dean Yu made changes -
          Attachment JENKINS-6072.diff [ 19279 ]
          mindless Alan Harder made changes -
          Assignee mindless [ mindless ]
          mindless Alan Harder made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          Hide
          mindless Alan Harder added a comment -

          thx for the patch.. it did get me on the right track more quickly.
          prototype's Ajax.Request is supposed to support both arrays and objects for the requestHeaders, but it was Hudson's crumb handling that only supports objects (hence your workaround to change the input from array to object). I'll add support for arrays in crumb.wrap.

          Show
          mindless Alan Harder added a comment - thx for the patch.. it did get me on the right track more quickly. prototype's Ajax.Request is supposed to support both arrays and objects for the requestHeaders, but it was Hudson's crumb handling that only supports objects (hence your workaround to change the input from array to object). I'll add support for arrays in crumb.wrap.
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: : mindless
          Path:
          trunk/hudson/main/war/resources/scripts/hudson-behavior.js
          trunk/www/changelog.html
          http://jenkins-ci.org/commit/29597
          Log:
          [FIXED JENKINS-6072] Ajax.Request accepts both object(hash) or Array for requestHeaders,
          but crumb.wrap only worked with hash.. now support Array as well.
          This fixes ajax update of Build History when CSRF protection is turned on.

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in hudson User: : mindless Path: trunk/hudson/main/war/resources/scripts/hudson-behavior.js trunk/www/changelog.html http://jenkins-ci.org/commit/29597 Log: [FIXED JENKINS-6072] Ajax.Request accepts both object(hash) or Array for requestHeaders, but crumb.wrap only worked with hash.. now support Array as well. This fixes ajax update of Build History when CSRF protection is turned on.
          scm_issue_link SCM/JIRA link daemon made changes -
          Status In Progress [ 3 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Hide
          rutsky rutsky added a comment -

          Is this fixes JENKINS-5241?

          Show
          rutsky rutsky added a comment - Is this fixes JENKINS-5241 ?
          mindless Alan Harder made changes -
          Link This issue is duplicated by JENKINS-5241 [ JENKINS-5241 ]
          abayer abayer made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          Hide
          dbaktiar Daniel Baktiar added a comment - - edited

          This problem of "Missing Crumb Header on Project Open" also occurs when I am configuring project, and click on the "Preview" below the project "Description" field.
          I am running Jenkins 1.441 on Apache Tomcat 7.0.23, Windows 64-bit, Java 1.6.0_29.

          Show
          dbaktiar Daniel Baktiar added a comment - - edited This problem of "Missing Crumb Header on Project Open" also occurs when I am configuring project, and click on the "Preview" below the project "Description" field. I am running Jenkins 1.441 on Apache Tomcat 7.0.23, Windows 64-bit, Java 1.6.0_29.
          dbaktiar Daniel Baktiar made changes -
          Resolution Fixed [ 1 ]
          Status Closed [ 6 ] Reopened [ 4 ]

            People

            • Assignee:
              mindless Alan Harder
              Reporter:
              jomey jomey
            • Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated: