  1. Jenkins
  2. JENKINS-61885

Setting the system property hudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO to true does not disable CSRF

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Not A Defect
    • Component/s: _unsorted
    • Labels:
      None
    • Environment:
      centos 7.x
      jenkins 2.230

      Description

      HTTP requests show

      ```
      Error 403 No valid crumb was included in the request
      ```
      and I followed https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1774
      to disable this security fix by setting the system property hudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO to true,
      but they still show Error 403 No valid crumb was included in the request.


          Activity

          danielbeck Daniel Beck added a comment -

          The security fix is unrelated to the now forced enablement of CSRF protection.

          For the latter, see https://jenkins.io/doc/upgrade-guide/2.222/#always-enabled-csrf-protection

          As the documentation indicates, this option will go away in the future. If you rely on it, make sure all components that rely on CSRF protection being disabled adapt to work with it enabled.

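An added example, not part of the original issue or of Jenkins itself: one way a script client can adapt to CSRF protection being enabled is to request a crumb from `/crumbIssuer/api/json` and send it back in the header the response names, over the same session. `StubJenkins` is a constructed stand-in that ties each crumb to a session cookie, and the job path and crumb values are made up for the demonstration.

```python
import json, threading, urllib.error, urllib.request as ur
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

class StubJenkins(BaseHTTPRequestHandler):  # constructed stand-in, not Jenkins code
    crumbs = {}  # session id -> crumb issued to that session
    def reply(self, code, body=b"", cookie=None):
        self.send_response(code)
        if cookie:
            self.send_header("Set-Cookie", cookie)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self):  # the stub serves only /crumbIssuer/api/json
        sid = "s%d" % len(self.crumbs)
        self.crumbs[sid] = "crumb-for-" + sid
        doc = {"crumbRequestField": "Jenkins-Crumb", "crumb": self.crumbs[sid]}
        self.reply(200, json.dumps(doc).encode(), "JSESSIONID=%s; Path=/" % sid)
    def do_POST(self):  # 403 unless the crumb matches the one issued to this session
        sid = (self.headers.get("Cookie") or "").partition("JSESSIONID=")[2]
        ok = sid in self.crumbs and self.headers.get("Jenkins-Crumb") == self.crumbs[sid]
        self.reply(200 if ok else 403)

def new_session():  # cookie jar keeps JSESSIONID; ProxyHandler({}) ignores env proxies
    return ur.build_opener(ur.ProxyHandler({}), ur.HTTPCookieProcessor(CookieJar()))

def fetch_crumb(session, base):
    with session.open(base + "/crumbIssuer/api/json", timeout=5) as resp:
        info = json.load(resp)
    return {info["crumbRequestField"]: info["crumb"]}  # header name comes from the server

def post(session, url, headers=None):
    req = ur.Request(url, data=b"", headers=headers or {}, method="POST")
    try:
        with session.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def demo():  # statuses for: no crumb, crumb with its own session, crumb without that session
    with HTTPServer(("127.0.0.1", 0), StubJenkins) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        base = "http://127.0.0.1:%d" % srv.server_port
        a, b, url = new_session(), new_session(), base + "/job/demo/build"
        crumb = fetch_crumb(a, base)
        result = (post(a, url), post(a, url, crumb), post(b, url, crumb))
        srv.shutdown()
    return result

if __name__ == "__main__":
    print(demo())
```

The third status is the case that usually catches scripts: the crumb was fetched correctly but the session cookie from that response was not sent with the POST.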

            People

            • Assignee:
              Unassigned
              Reporter:
              zhaoying818 zhao ying
            • Votes:
              0
              Watchers:
              2
