JENKINS-17087

Saving Jenkins Global Config wipes out the crumb issuer settings in the Global Security Config


Details

    • Bug
    • Status: Resolved
    • Blocker
    • Resolution: Fixed
    • core
    • None
    • Windows Server 2008 R2 SP1
      Jenkins 1.502

    Description

      When I go and enable the Prevent Cross Site Request Forgery exploits setting in the Configure Global Security page and save it, everything seems to work fine. If I then go and update settings in the Global Configure System page, the Prevent Cross Site Request Forgery Exploits setting is wiped out from the global config.xml file. This is easily seen by the JobConfigHistory plugin.

          Activity

            peter_nordquist Peter Nordquist added a comment -

            I just tested this on a clean (no extra plugins) Jenkins install of 1.504 and it still clears out the CSRF Protection settings whenever I save the /configure settings (Configure System on the Manage Jenkins Page).
            jglick Jesse Glick added a comment -

            We will try to get a fix in soon. Not sure it is a “Blocker” since there is a workaround (restore the CSRF settings) but this does leave open a window of vulnerability and it would be hard to remember consistently.


            peter_nordquist Peter Nordquist added a comment -

            Yeah sorry about the Priority, I didn't fully read the bug submission guidelines so I was going on the fact that it can silently disable the settings if you aren't looking for the issue. Wish I could edit the summary of the issue, I didn't proofread it that well.
            jglick Jesse Glick added a comment -

            A comment of mine in JENKINS-14538 is related to the cause of this problem.

            jglick Jesse Glick added a comment -

            Broken since this new page was introduced in 1.494 I guess.

            peter_nordquist Peter Nordquist added a comment - edited

            Fixed summary readability


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            changelog.html
            core/src/main/java/hudson/Functions.java
            core/src/main/java/jenkins/model/Jenkins.java
            core/src/main/resources/jenkins/model/Jenkins/configure.jelly
            http://jenkins-ci.org/commit/jenkins/ebd8ff1f0d85ee80650fe6730162975f00b81c63
            Log:
            [FIXED JENKINS-17087] getSortedDescriptorsForGlobalConfigUnclassified needed to avoid clobbering GlobalCrumbIssuerConfiguration in Jenkins.doConfigSubmit.
            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #2340
            [FIXED JENKINS-17087] getSortedDescriptorsForGlobalConfigUnclassified needed to avoid clobbering GlobalCrumbIssuerConfiguration in Jenkins.doConfigSubmit. (Revision ebd8ff1f0d85ee80650fe6730162975f00b81c63)

            Result = SUCCESS
            Jesse Glick : ebd8ff1f0d85ee80650fe6730162975f00b81c63
            Files :

            • core/src/main/java/jenkins/model/Jenkins.java
            • core/src/main/java/hudson/Functions.java
            • changelog.html
            • core/src/main/resources/jenkins/model/Jenkins/configure.jelly
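
An added example, not part of the original issue or of the Jenkins code base: a check that walks successive config.xml snapshots (such as the ones JobConfigHistory records) and reports any save that dropped the crumb issuer. The sample XML is constructed and abridged, and the check assumes the setting is stored as a `<crumbIssuer>` element directly under the `<hudson>` root.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged config.xml snapshots (not taken from the issue).
BEFORE_SAVE = b"""<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <version>1.502</version>
  <useSecurity>true</useSecurity>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
</hudson>
"""
AFTER_SAVE = b"""<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <version>1.502</version>
  <useSecurity>true</useSecurity>
</hudson>
"""


def crumb_issuer(config_xml):
    """Return the configured crumb issuer class, or None if CSRF protection is off."""
    root = ET.fromstring(config_xml)
    if root.tag != "hudson":
        raise ValueError("not a Jenkins global config.xml: root is <%s>" % root.tag)
    node = root.find("crumbIssuer")  # assumed element name, direct child of the root
    if node is None:
        return None
    return node.get("class", "unknown")


def audit_history(snapshots):
    """Given (label, xml) pairs, oldest first, list the saves that dropped the issuer."""
    findings = []
    previous = None
    for label, config_xml in snapshots:
        current = crumb_issuer(config_xml)
        if previous is not None and current is None:
            findings.append((label, previous))
        previous = current
    return findings


if __name__ == "__main__":
    history = [("Configure Global Security saved", BEFORE_SAVE),
               ("Configure System saved", AFTER_SAVE)]
    for label, lost in audit_history(history):
        print("CSRF protection removed by '%s' (was %s)" % (label, lost))
```

Run against the real snapshot files on a schedule, this turns the silent loss described in the report into an alert instead of relying on someone remembering to re-check the security page after each save.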

            People

              jglick Jesse Glick
              peter_nordquist Peter Nordquist