JENKINS-7518: CLONE - Crumb breaks ajax request behind proxies. -- Still broken behind nginx proxies

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Component/s: core
    • Labels:
      None
    • Environment:
      Platform: All, OS: All

      Description

Hudson: 1.310-SNAPSHOT (svn trunk)

I checked "Prevent Cross Site Request Forgery exploits", then ajax requests like
ajaxBuildQueue returned "HTTP/1.1 430 Forbidden".

I use a Hudson installation behind some proxies.

In hudson.security.csrf.DefaultCrumbIssuer L58, "Request#getRemoteAddr()" is
used to update the MessageDigest, but it will return a different IP behind proxies on each
request.

Activity

mdp added a comment -

          nginx by default disallows some characters in header names that the HTTP specification allows: http://nginx.org/en/docs/http/ngx_http_core_module.html#ignore_invalid_headers
          '.' is one of them, so the .crumb header gets filtered out.

          This can be turned off as per the linked page - worth noting in documentation (in crumb issuer configuration help?).
          But maybe switching to a more compatible header (x-jenkins-crumb?) would be a safer choice?

Derek E (snekse) added a comment - edited
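To make the comment above concrete, here is an added example (not nginx or Jenkins code) that emulates nginx's default request-header filtering as documented under ignore_invalid_headers: by default only letters, digits and "-" are accepted in a header name, and a header whose name contains any other character, such as the "." in ".crumb", is dropped before the request is proxied upstream. Setting ignore_invalid_headers off passes such headers through, and a name like x-jenkins-crumb is never affected. The host name and crumb value in the sample request are constructed placeholders.

```python
"""Emulate nginx's default header-name filtering (ignore_invalid_headers /
underscores_in_headers) to show why a '.crumb' header never reaches Jenkins
behind a default nginx reverse proxy. Added example; it models the documented
behaviour rather than calling nginx itself."""
import string

# Characters nginx accepts in a header name with default settings.
ALLOWED_DEFAULT = set(string.ascii_letters + string.digits + "-")


def header_name_is_valid(name: str, underscores_in_headers: bool = False) -> bool:
    """True if nginx would consider this header name valid."""
    allowed = ALLOWED_DEFAULT | ({"_"} if underscores_in_headers else set())
    return bool(name) and all(ch in allowed for ch in name)


def proxy_headers(headers: dict, ignore_invalid_headers: bool = True,
                  underscores_in_headers: bool = False) -> dict:
    """Return the subset of headers nginx would forward upstream.

    With ignore_invalid_headers on (the default) an invalid name is dropped
    silently; with it off the header is passed through unchanged."""
    forwarded = {}
    for name, value in headers.items():
        if header_name_is_valid(name, underscores_in_headers) or not ignore_invalid_headers:
            forwarded[name] = value
    return forwarded


# Constructed sample request: a browser XHR sending the crumb under two names.
SAMPLE_REQUEST_HEADERS = {
    "Host": "jenkins.example.test",        # placeholder host
    ".crumb": "0123456789abcdef",          # placeholder crumb value
    "X-Jenkins-Crumb": "0123456789abcdef", # same placeholder, proxy-safe name
    "X-Requested-With": "XMLHttpRequest",
}


def crumb_reaches_upstream(header_name: str, **nginx_settings) -> bool:
    """Does the named crumb header survive the proxy under these settings?"""
    return header_name in proxy_headers(SAMPLE_REQUEST_HEADERS, **nginx_settings)


if __name__ == "__main__":
    for settings in ({}, {"ignore_invalid_headers": False}):
        fwd = proxy_headers(SAMPLE_REQUEST_HEADERS, **settings)
        print(settings or "nginx defaults", "->", sorted(fwd))
```

When nginx drops a header this way it records "client sent invalid header line" at info level in the error log, so a Jenkins CSRF failure that only occurs through the proxy can be confirmed from that log line before touching the crumb configuration.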

          I agree with the comment about switching to a more compatible header like "x-jenkins-crumb".

          Show
          snekse Derek E added a comment - - edited I agree with the comment about switching to a more compatible header like "x-jenkins-crumb".
          Hide
          drkibitz Dr. Kibitz added a comment - - edited

+1, this affects everyone who uses reverse proxy services such as CloudFlare, as they're using nginx with default settings.

Jesse Glick (jglick) added a comment -

          Careful and see DefaultCrumbIssuerTest.testApiXml; there are subtle security issues surrounding crumb names that could potentially be interpreted as JavaScript identifiers (or otherwise the start of a legal JavaScript statement).

Daniel Beck (danielbeck) added a comment -

          This duplicates JENKINS-12875, which also discusses nginx reverse proxies.

          As the number of watchers there is greater, marking this one as resolved.

People

• Assignee: Dean Yu (dty)
• Reporter: cap10morgan
• Votes: 2
• Watchers: 6