As a security fix, hudson.model.Api no longer permits the jsonp parameter, or xpath with a primitive result set. This is the safest policy but in certain cases it is useful to whitelist particular requesters known to be harmless. The INSECURE system property should be deprecated or deleted and an extension point introduced so various policies can be added by plugins: whitelists based on host name, requests with no Referer, etc.

          [JENKINS-16936] Extension point for secure users of Api

          Lance Wicks added a comment -

          Will this be implemented via the gui interface?

          Lance Wicks added a comment - Will this be implemented via the gui interface?

          Jesse Glick added a comment -

          It would be up to the plugin implementing the extension point whether to offer a UI interface for customizing its behavior, and if so, what the customizations would consist of.

          Jesse Glick added a comment - It would be up to the plugin implementing the extension point whether to offer a UI interface for customizing its behavior, and if so, what the customizations would consist of.

          Jesse Glick added a comment -

          Note: I have marked this lts-candidate even though it is an RFE, since forcing installations to use the legacy system property when only certain clients should really be authorized encourages a security vulnerability.

          Jesse Glick added a comment - Note: I have marked this lts-candidate even though it is an RFE, since forcing installations to use the legacy system property when only certain clients should really be authorized encourages a security vulnerability.

          Code changed in jenkins
          User: Jesse Glick
          Path:
          changelog.html
          core/src/main/java/hudson/model/Api.java
          core/src/main/java/jenkins/security/SecureRequester.java
          test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerTest.java
          http://jenkins-ci.org/commit/jenkins/acff33106e56f9ee1d3da79a06f794151f17798d
          Log:
          [FIXED JENKINS-16936] Added SecureRequester extension point.

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: changelog.html core/src/main/java/hudson/model/Api.java core/src/main/java/jenkins/security/SecureRequester.java test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerTest.java http://jenkins-ci.org/commit/jenkins/acff33106e56f9ee1d3da79a06f794151f17798d Log: [FIXED JENKINS-16936] Added SecureRequester extension point.

          dogfood added a comment -

          Integrated in jenkins_main_trunk #2956
          [FIXED JENKINS-16936] Added SecureRequester extension point. (Revision acff33106e56f9ee1d3da79a06f794151f17798d)

          Result = SUCCESS
          Jesse Glick : acff33106e56f9ee1d3da79a06f794151f17798d
          Files :

          • test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerTest.java
          • core/src/main/java/jenkins/security/SecureRequester.java
          • changelog.html
          • core/src/main/java/hudson/model/Api.java

          dogfood added a comment - Integrated in jenkins_main_trunk #2956 [FIXED JENKINS-16936] Added SecureRequester extension point. (Revision acff33106e56f9ee1d3da79a06f794151f17798d) Result = SUCCESS Jesse Glick : acff33106e56f9ee1d3da79a06f794151f17798d Files : test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerTest.java core/src/main/java/jenkins/security/SecureRequester.java changelog.html core/src/main/java/hudson/model/Api.java

          Jesse Glick added a comment -

          Jesse Glick added a comment - https://wiki.jenkins-ci.org/display/JENKINS/Secure+Requester+Whitelist+Plugin

            jglick Jesse Glick
            jglick Jesse Glick
            Votes:
            0 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated:
              Resolved: