Jenkins / JENKINS-14372

Can't publish to public server with CSRF security option

When the public server has the "Prevent Cross Site Request Forgery exploits" security option turned on, it is not possible to publish builds to this server.

The server log on the public server shows:

    Jul 10, 2012 8:16:16 AM hudson.security.csrf.CrumbFilter doFilter
    WARNING: No valid crumb was included in request for /. Returning 403.
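What the crumb filter in that log line is checking, and what a sender has to do to get past it, shown end to end as an added example. This is not Jenkins or build-publisher-plugin code: the in-process HTTP server is a constructed stand-in for hudson.security.csrf.CrumbFilter, and the `X-Session` header and HMAC-based crumb are illustrative assumptions. The crumb-issuer URL `/crumbIssuer/api/json` and the `crumb` / `crumbRequestField` JSON fields are the real Jenkins ones; `Jenkins-Crumb` is the header name current Jenkins reports there.

```python
"""Model of Jenkins crumb (CSRF) protection plus a sender that satisfies it.

Added example, not Jenkins or build-publisher-plugin code. The server is a
constructed stand-in for CrumbFilter: a POST without a valid crumb gets 403,
exactly the outcome in the log line from the bug report; the sender fetches a
crumb from the issuer endpoint first and echoes it back in the named header.
"""
import hashlib
import hmac
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CRUMB_FIELD = "Jenkins-Crumb"            # header name Jenkins reports in crumbRequestField
SERVER_SECRET = secrets.token_bytes(32)  # constructed per-process key for the stand-in server


def issue_crumb(session_id):
    """Crumb bound to the caller's session; HMAC lets the server verify it statelessly."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def crumb_is_valid(session_id, crumb):
    """True only if the crumb was issued for this session (constant-time compare)."""
    if not crumb:
        return False
    return hmac.compare_digest(issue_crumb(session_id), crumb)


class CrumbFilterHandler(BaseHTTPRequestHandler):
    """Stand-in for the crumb filter: the issuer is open to GET, every POST needs a crumb."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _session(self):
        # Constructed stand-in for a session cookie; real Jenkins ties crumbs to the session.
        return self.headers.get("X-Session", "anonymous")

    def do_GET(self):
        if self.path == "/crumbIssuer/api/json":
            body = json.dumps({"crumb": issue_crumb(self._session()),
                               "crumbRequestField": CRUMB_FIELD}).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(body)
            return
        self.send_response(404)
        self.end_headers()

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain the upload
        if not crumb_is_valid(self._session(), self.headers.get(CRUMB_FIELD)):
            self.send_response(403)  # "No valid crumb was included in request ... Returning 403."
            self.end_headers()
            self.wfile.write(b"No valid crumb was included in the request")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"published")


def start_server():
    """Start the stand-in server on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), CrumbFilterHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_port


def publish(base_url, session_id, payload, with_crumb=True):
    """Sender side. Returns the HTTP status code; 403 means the crumb filter rejected us."""
    headers = {"X-Session": session_id, "Content-Type": "application/octet-stream"}
    if with_crumb:
        # Step 1: ask the issuer for a crumb. Step 2: send it back under the field it names.
        issuer = urllib.request.Request(base_url + "/crumbIssuer/api/json",
                                        headers={"X-Session": session_id})
        with urllib.request.urlopen(issuer) as resp:
            issued = json.load(resp)
        headers[issued["crumbRequestField"]] = issued["crumb"]
    req = urllib.request.Request(base_url + "/job/demo/build", data=payload,
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Publish once without a crumb (rejected) and once with one (accepted)."""
    srv, url = start_server()
    try:
        rejected = publish(url, "sender-1", b"build-artifact", with_crumb=False)
        accepted = publish(url, "sender-1", b"build-artifact", with_crumb=True)
    finally:
        srv.shutdown()
    return rejected, accepted


if __name__ == "__main__":
    print(demo())  # (403, 200)
```

The point for operators: the receiving server needs no change. A sender that performs the extra GET against the crumb issuer and copies the returned value into the named request header passes the filter, while a sender that posts blindly is rejected with 403 regardless of whether it is an authorised internal server.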


Dave Hunt added a comment -

I just discovered this today. Are there any plans to fix this?

Eloy Lafuente added a comment -

For reference, we recently enabled CSRF/Crumbs in a server and it stopped accepting published jobs from other, internal servers. Searching existing forks, I just saw the following one which, applied to current master, seems to be doing the work, and our private servers can continue publishing like a charm:

https://github.com/stronk7/build-publisher-plugin/commit/2bb9b7bfcece8100e849f1ed5b4a0908aa1771bf

I have only needed to install the custom build-publisher.hpi in the sender; no change is required in the receiver.

Disclaimer: I'm a complete naab and haven't looked much at whether the patch is 100% correct or not... it just looked "legit enough" for me to give it a try. Credit goes to AJ Banck; I just picked the patch from there and rebuilt the plugin.

It really would be great to get the solution incorporated upstream if it's considered correct. Without it... the plugin loses much... because of the security compromise.

TIA!

ickersep added a comment -

I created PR#9 with the patch from the stronk7 repo.

vjuranek
ickersep
Votes: 2
Watchers: 3