• Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: core

      When a GET request is sent to a resource which (generally for security reasons) requires POST, an appropriate response code should be sent, so that clients such as python-jenkins may properly report the error.

      • Most such web methods use @RequirePOST, for which currently a 500 is sent because org.kohsuke.stapler.interceptor.RequirePOST$Processor simply throws IllegalAccessException.
      • Build-like requests use BuildAuthorizationToken which forwards to requirePOST.jelly with a 200, which is no good. (If a token is supplied but is incorrect, it more reasonably sends a 403, via AccessDeniedException.)

      Both cases should probably send a 405 ("Method Not Allowed") with Allow: POST, though a 403 would not be inappropriate for the latter case since under some circumstances GET is still allowed for compatibility.
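The behaviour proposed in the description, as an added example that is not Jenkins, Stapler or python-jenkins code: a loopback server answers GET on a POST-only resource with 405 and `Allow: POST`, and a client-side `classify` shows why that reply can be reported accurately while a 500 or a 200 cannot. The handler, the function names and the URL path are assumptions made for this illustration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class PostOnlyHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a POST-only web method (not Jenkins code)."""
    def _reply(self, status, allow=None):
        self.send_response(status)
        if allow:
            self.send_header("Allow", allow)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_GET(self):
        self._reply(405, allow="POST")  # wrong verb: name the permitted one
    def do_POST(self):
        self._reply(200)
    def log_message(self, *args):  # silence per-request logging
        pass

def classify(status, allow):
    """Interpret the reply to a request against a POST-only resource."""
    methods = {m.strip().upper() for m in (allow or "").split(",")}
    if status == 405:
        return "post-required" if "POST" in methods else "method-not-allowed"
    if status == 403:
        return "forbidden"
    if status >= 500:
        return "server-error"  # looks like a crash, not a client mistake
    return "success" if 200 <= status < 300 else "other"

def probe(url, method):
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    req = urllib.request.Request(url, method=method,
                                 data=b"" if method == "POST" else None)
    try:
        with opener.open(req, timeout=5) as resp:
            return classify(resp.status, resp.headers.get("Allow"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Allow"))

def demo():
    server = HTTPServer(("127.0.0.1", 0), PostOnlyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/job/example/build" % server.server_port  # constructed path
    try:
        return probe(url, "GET"), probe(url, "POST")
    finally:
        server.shutdown()
        server.server_close()
```

`demo()` returns the client's reading of a GET and then a POST against the same resource. A 200 reply to the GET would be classified as `success`, which is the misreport the second bullet describes.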

          [JENKINS-16918] @RequirePOST and similar should send a 405

          Jesse Glick created issue -
          Jesse Glick made changes -
          Link New: This issue is blocking SECURITY-13 [ SECURITY-13 ]
          Jesse Glick made changes -
          Link New: This issue is blocking SECURITY-16 [ SECURITY-16 ]

          Jesse Glick added a comment -

          First part should be solved when Stapler 1.215 is integrated.

          Jesse Glick made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]

          Jesse Glick added a comment -

          Stapler 1.217 integrated and includes fix for the first part. (Forgot to include Allow: POST; 1.218 should do that.)


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          changelog.html
          core/src/main/java/hudson/model/BuildAuthorizationToken.java
          test/src/test/java/jenkins/model/JenkinsTest.java
          http://jenkins-ci.org/commit/jenkins/ec9d809ddd2ed6930d1bf970999b152c5debdaa4
          Log:
          [FIXED JENKINS-16918] Use HTTP 405 when POST is required.

          SCM/JIRA link daemon made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: In Progress [ 3 ] New: Resolved [ 5 ]

          dogfood added a comment -

          Integrated in jenkins_main_trunk #2797
          [FIXED JENKINS-16918] Use HTTP 405 when POST is required. (Revision ec9d809ddd2ed6930d1bf970999b152c5debdaa4)

          Result = SUCCESS
          Jesse Glick : ec9d809ddd2ed6930d1bf970999b152c5debdaa4
          Files :

          • test/src/test/java/jenkins/model/JenkinsTest.java
          • core/src/main/java/hudson/model/BuildAuthorizationToken.java
          • changelog.html

          Philippe Jandot made changes -
          Link New: This issue is related to JENKINS-19281 [ JENKINS-19281 ]

            jglick Jesse Glick