Saving global settings causes cross site request forgery option to be disabled

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • Component: core
    • Environment: CentOS 6.3 x86-64
      Jenkins 1.498
      Tomcat 6
      Java 6

      If the "Prevent cross site forgery request exploit" option is selected in the "Configure global" security page, and a change is made and saved on the global settings page, the cross site forgery prevention option is deactivated.

      This is causing issues with post-commit hooks that pass the API token as well as the crumb in the HTTP header when making RESTful calls to Jenkins.
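The description above implies a simple regression check a Jenkins administrator can run after saving global configuration: ask the crumb issuer for a crumb and confirm CSRF protection is still on. The following is an added example, not code from the issue or from Jenkins itself. It assumes a Jenkins instance at the placeholder URL JENKINS_URL and an API token; the crumb issuer endpoint /crumbIssuer/api/json and its 404 response when CSRF protection is disabled are standard Jenkins behaviour, while the sample responses embedded below are constructed so the script runs offline.

```python
"""Regression check: is Jenkins CSRF (crumb) protection still enabled?

Added example, not part of the Jira issue. The crumb issuer answers 404 on
/crumbIssuer/api/json when CSRF protection is switched off, which is the
state this issue reports after a save of the global configuration.
"""
import base64
import json
import urllib.error
import urllib.request

JENKINS_URL = "https://jenkins.example.invalid"  # placeholder, not from the issue
CRUMB_PATH = "/crumbIssuer/api/json"


def basic_auth_header(user, api_token):
    """HTTP Basic header carrying the API token, as a post-commit hook would send."""
    token = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def fetch_crumb(http_get):
    """Return (enabled, crumb_headers).

    http_get(path) -> (status, body_bytes). A 404 means the crumb issuer is
    not active, i.e. CSRF protection is disabled; 200 carries the crumb and
    the header field name it must be sent in (".crumb" on old releases,
    "Jenkins-Crumb" on current ones, so it is read from the response).
    """
    status, body = http_get(CRUMB_PATH)
    if status == 404:
        return False, {}
    if status != 200:
        raise RuntimeError(f"unexpected status {status} from crumb issuer")
    data = json.loads(body)
    return True, {data["crumbRequestField"]: data["crumb"]}


def check_csrf_protection(http_get):
    """True when the crumb issuer is reachable, False when protection is off."""
    enabled, _ = fetch_crumb(http_get)
    return enabled


def build_hook_headers(http_get, user, api_token):
    """Headers for a REST call that sends both the API token and the crumb."""
    enabled, crumb_headers = fetch_crumb(http_get)
    if not enabled:
        raise RuntimeError("CSRF protection is disabled; re-check global security settings")
    return {**basic_auth_header(user, api_token), **crumb_headers}


def urllib_get(base_url, auth_headers):
    """Real HTTP GET against a live server (used when not running offline)."""
    def _get(path):
        req = urllib.request.Request(base_url + path, headers=auth_headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as e:
            return e.code, e.read()
    return _get


# Constructed sample responses standing in for a live server (offline demo).
SAMPLE_ENABLED = (200, json.dumps({
    "_class": "hudson.security.csrf.DefaultCrumbIssuer",
    "crumb": "abc123",
    "crumbRequestField": "Jenkins-Crumb",
}).encode())
SAMPLE_DISABLED = (404, b"")


def fake_server(responses):
    """Offline stand-in for urllib_get: maps a path to a (status, body) tuple."""
    def _get(path):
        return responses[path]
    return _get


if __name__ == "__main__":
    for label, sample in (("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED)):
        server = fake_server({CRUMB_PATH: sample})
        print(label, "->", "protected" if check_csrf_protection(server) else "NOT protected")
```

Against a live instance, replace the fake_server call with urllib_get(JENKINS_URL, basic_auth_header(user, api_token)); running the check right after a global-configuration save catches the regression described here before any hook starts failing.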

          Youssuf ElKalay added a comment - The obvious fix to this is to modify the post-commit hook not to pass the crumb in the HTTP header, which is what I've done, but it would be nice to get this issue resolved.

          Jesse Glick added a comment - @domi/@imod (confusing!), this is a regression from https://github.com/jenkinsci/jenkins/pull/628 I guess?

          Dominik Bartholdi added a comment - I'll have a look at it after my vacations. Sorry, that will be March at the earliest.

          Youssuf ElKalay added a comment - I don't mind taking a stab at a bug fix if someone could direct me where in the code to look. The object model is a little tough to navigate.

          Jesse Glick added a comment - @buildscientist: core/src/main/java/hudson/security/csrf/GlobalCrumbIssuerConfiguration.java and core/src/main/resources/hudson/security/csrf/GlobalCrumbIssuerConfiguration/config.groovy and core/src/main/java/jenkins/model/Jenkins.java

          Jesse Glick added a comment - Already fixed.

            Assignee: domi (Dominik Bartholdi)
            Reporter: buildscientist (Youssuf ElKalay)
            Votes: 0
            Watchers: 3