
CLONE -Crumb breaks ajax request behind proxies. -- Still broken behind nginx proxies

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Component/s: core
    • Labels:
      None
    • Environment:
      Platform: All, OS: All

      Description

      Hudson: 1.310-SNAPSHOT (svn trunk)

      I checked "Prevent Cross Site Request Forgery exploits", then ajax requests like
      ajaxBuildQueue returned "HTTP/1.1 430 Forbidden".

      I use a Hudson installation behind some proxies.

      In hudson.security.csrf.DefaultCrumbIssuer L58, "Request#getRemoteAddr()" is
      used to update the MessageDigest, but it will return a different IP behind
      proxies on each request.

            Activity

            cap10morgan cap10morgan created issue -
            dty Dean Yu added a comment - edited

            It looks like you've cloned this issue from JENKINS-3854, but you've failed to include what version of Hudson you're seeing this with. As mentioned in the other issue, Hudson 1.313 included a fix for the original report.
            cap10morgan cap10morgan added a comment -

            I didn't immediately see any way to edit / comment on the cloned issue. Sorry.

            This was on version 1.377, the latest version of Hudson as of 9/20/2010.

            All ajax requests get a 403 response. When I turn off the cross-site request forgery feature, they work again.
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in hudson
            User: dty
            Path:
            trunk/hudson/main/core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
            trunk/hudson/main/core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/config.jelly
            trunk/hudson/main/core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/help-excludeClientIPFromCrumb.html
            trunk/hudson/main/test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerTest.java
            http://jenkins-ci.org/commit/35570
            Log:
            JENKINS-7518 Add an option to allow exclusion of HTTP client information from
            the crumb calculation. This can be enabled for users who sit behind a proxy
            that strips this information off, resulting in crumbs varying across requests.
            dogfood dogfood added a comment -

            Integrated in hudson_main_trunk #314
            dty Dean Yu added a comment -

            I added an option to the configuration UI to allow certain aspects of the crumb algorithm to be turned off. This was released in 1.380. Go to Manage Hudson | Configure System and, when you enable CSRF protection, you'll see a new checkbox underneath the Default Crumb Issuer, labeled "Proxy compatibility". Check this and try it again from your proxy.
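The failure the reporter describes and the "exclude client IP" option that the commit above adds can be reproduced with a small model of the crumb check. This is an added example, not Jenkins/Hudson code: the digest construction (session id, optional client address, server secret, joined and hashed) is an assumed simplification of DefaultCrumbIssuer, and the session id, proxy addresses and secret are constructed for the demo.

```python
import hashlib
import hmac

# Constructed secret for the demo; a real issuer generates its own at startup.
SECRET = "demo-secret-not-jenkins"


def issue_crumb(session_id: str, remote_addr: str, exclude_client_ip: bool = False) -> str:
    """Model of a crumb issuer (assumed simplification, not the project's code).

    The crumb is a hex digest over the session id, the client address (unless
    excluded, which models the "Proxy compatibility" checkbox) and a secret.
    """
    parts = [session_id]
    if not exclude_client_ip:
        parts.append(remote_addr)   # this is the Request#getRemoteAddr() input
    parts.append(SECRET)
    return hashlib.sha256(":".join(parts).encode()).hexdigest()


def validate_crumb(submitted: str, session_id: str, remote_addr: str,
                   exclude_client_ip: bool = False) -> bool:
    """Recompute the crumb for the current request and compare in constant time."""
    expected = issue_crumb(session_id, remote_addr, exclude_client_ip)
    return hmac.compare_digest(submitted, expected)


def simulate_ajax_postback(exclude_client_ip: bool) -> int:
    """One browser session whose page load and AJAX POST arrive via different proxy nodes.

    Because the two requests reach the server from different upstream addresses,
    getRemoteAddr() differs between them. Returns the status the server would
    give the POST in this constructed scenario.
    """
    session_id = "node0abc123"      # constructed session id
    page_load_addr = "10.0.0.11"    # proxy node that served the page (constructed)
    ajax_post_addr = "10.0.0.12"    # proxy node that forwarded the XHR (constructed)
    crumb = issue_crumb(session_id, page_load_addr, exclude_client_ip)
    ok = validate_crumb(crumb, session_id, ajax_post_addr, exclude_client_ip)
    return 200 if ok else 403


if __name__ == "__main__":
    print("client IP in crumb:        ", simulate_ajax_postback(False))
    print("client IP excluded (1.380):", simulate_ajax_postback(True))
```

With the address in the digest the POST is rejected (403) as soon as a second proxy node fronts it; with the address excluded the crumb still depends on the session and the server secret, so it remains session-bound, and only the per-request address binding is given up. Enable the option only for installations that actually sit behind such a proxy pool.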
            dty Dean Yu made changes -
            Field            Original Value    New Value
            Status           Open [ 1 ]        Resolved [ 5 ]
            Fix Version/s                      current [ 10162 ]
            Resolution                         Fixed [ 1 ]
            nrh nicholas harteau added a comment -

            I'm still seeing the behavior described here, even in 1.420, that is:

            • with CSRF enabled, I get 403s for ajax postbacks.
            • with CSRF enabled and "proxy compatibility" enabled, I get 403s for postbacks.
            • only with CSRF disabled do I see 200s for postbacks.

            I'm behind nginx-1.0.4

            are you sure this was fixed?
            nrh nicholas harteau made changes -
            Field            Original Value    New Value
            Resolution       Fixed [ 1 ]
            Status           Resolved [ 5 ]    Reopened [ 4 ]
            ohtake_tomohiro OHTAKE Tomohiro made changes -
            Link This issue is related to JENKINS-3854 [ JENKINS-3854 ]
            mdp mdp added a comment -

            nginx by default disallows some characters in header names that the HTTP specification allows: http://nginx.org/en/docs/http/ngx_http_core_module.html#ignore_invalid_headers
            '.' is one of them, so the .crumb header gets filtered out.

            This can be turned off as per the linked page - worth noting in documentation (in crumb issuer configuration help?).
            But maybe switching to a more compatible header (x-jenkins-crumb?) would be a safer choice?
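The header-name rule behind the comment above can be checked without a running proxy. The following is an added example, not code from nginx or Jenkins: it models nginx's default behaviour as documented for ignore_invalid_headers (valid names are English letters, digits and hyphens; underscores only when underscores_in_headers is on) and applies it to a constructed set of XHR request headers carrying the legacy ".crumb" name and the "x-jenkins-crumb" alternative suggested in the comment.

```python
import re

# nginx's default header-name rule (ignore_invalid_headers on): letters, digits
# and hyphens; underscores are accepted only with underscores_in_headers on.
# Any other character, including '.', makes the header name invalid.
_VALID_NAME = re.compile(r"^[A-Za-z0-9-]+$")
_VALID_NAME_WITH_UNDERSCORE = re.compile(r"^[A-Za-z0-9_-]+$")


def nginx_header_name_ok(name: str, underscores_in_headers: bool = False) -> bool:
    """True if nginx would treat this header name as valid under the given setting."""
    pattern = _VALID_NAME_WITH_UNDERSCORE if underscores_in_headers else _VALID_NAME
    return pattern.match(name) is not None


def filter_headers(headers: dict, ignore_invalid_headers: bool = True,
                   underscores_in_headers: bool = False):
    """Model of the proxy hop: returns (headers forwarded to the backend, names dropped).

    With ignore_invalid_headers off, nginx forwards every header unchanged.
    """
    forwarded, dropped = {}, []
    for name, value in headers.items():
        if ignore_invalid_headers and not nginx_header_name_ok(name, underscores_in_headers):
            dropped.append(name)
        else:
            forwarded[name] = value
    return forwarded, dropped


def crumb_reaches_backend(headers: dict, crumb_header: str, **proxy_settings) -> bool:
    """Does the backend (Jenkins) see the crumb header after the proxy filtered the request?"""
    forwarded, _ = filter_headers(headers, **proxy_settings)
    return crumb_header in forwarded


# Constructed XHR headers as a browser would send them with the legacy ".crumb" name.
LEGACY_AJAX_HEADERS = {
    "Host": "ci.example.invalid",
    "X-Requested-With": "XMLHttpRequest",
    ".crumb": "deadbeef",              # constructed crumb value
    "Cookie": "JSESSIONID=node0abc123",  # constructed session cookie
}

# Same request with the more compatible header name proposed in the comment.
COMPATIBLE_AJAX_HEADERS = dict(LEGACY_AJAX_HEADERS)
COMPATIBLE_AJAX_HEADERS["x-jenkins-crumb"] = COMPATIBLE_AJAX_HEADERS.pop(".crumb")


if __name__ == "__main__":
    print("defaults, .crumb:         ", crumb_reaches_backend(LEGACY_AJAX_HEADERS, ".crumb"))
    print("ignore_invalid_headers off:",
          crumb_reaches_backend(LEGACY_AJAX_HEADERS, ".crumb", ignore_invalid_headers=False))
    print("defaults, x-jenkins-crumb:",
          crumb_reaches_backend(COMPATIBLE_AJAX_HEADERS, "x-jenkins-crumb"))
```

Under the defaults the ".crumb" header is dropped before Jenkins sees it, which is why the crumb check fails with 403 even with "Proxy compatibility" on; the nginx-side workaround is the ignore_invalid_headers off directive from the linked documentation, while a hyphen-only header name passes the default filter on every hop.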
            snekse Derek E added a comment - edited

            I agree with the comment about switching to a more compatible header like "x-jenkins-crumb".
            drkibitz Dr. Kibitz added a comment - edited

            +1, this affects everyone who uses reverse proxy services such as CloudFlare, as they're using nginx, with default settings.
            jglick Jesse Glick made changes -
            Link This issue is related to SECURITY-47 [ SECURITY-47 ]
            jglick Jesse Glick added a comment -

            Careful and see DefaultCrumbIssuerTest.testApiXml; there are subtle security issues surrounding crumb names that could potentially be interpreted as JavaScript identifiers (or otherwise the start of a legal JavaScript statement).
            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-12875 [ JENKINS-12875 ]
            danielbeck Daniel Beck added a comment -

            This duplicates JENKINS-12875, which also discusses nginx reverse proxies.

            As the number of watchers there is greater, marking this one as resolved.
            danielbeck Daniel Beck made changes -
            Field            Original Value    New Value
            Status           Reopened [ 4 ]    Resolved [ 5 ]
            Resolution                         Duplicate [ 3 ]

              People

              • Assignee:
                dty Dean Yu
              • Reporter:
                cap10morgan cap10morgan
              • Votes: 2
              • Watchers: 6