
Saving Jenkins Global Config wipes out the crumb issuer settings in the Global Security Config

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Component/s: core
    • Labels:
      None
    • Environment:
      Windows Server 2008 R2 SP1
      Jenkins 1.502

      Description

      When I go and enable the Prevent Cross Site Request Forgery exploits setting in the Configure Global Security page and save it, everything seems to work fine. If I then go and update settings in the Global Configure System page, the Prevent Cross Site Request Forgery Exploits setting is wiped out from the global config.xml file. This is easily seen by the JobConfigHistory plugin.

            Activity

            peter_nordquist Peter Nordquist added a comment -

            I just tested this on a clean (no extra plugins) Jenkins install of 1.504 and it still clears out the CSRF Protection settings whenever I save the /configure settings (Configure System on the Manage Jenkins Page).

            jglick Jesse Glick added a comment -

            We will try to get a fix in soon. Not sure it is a “Blocker” since there is a workaround (restore the CSRF settings) but this does leave open a window of vulnerability and it would be hard to remember consistently.
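
An added example, not part of the issue thread or of Jenkins itself: a check that replaces "remembering" with automation by scanning successive snapshots of the global config.xml (for instance those kept by JobConfigHistory) and flagging any save that dropped the `<crumbIssuer>` element. The sample XML is constructed, and the function names and snapshot labels are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed snapshots of $JENKINS_HOME/config.xml (not taken from the issue).
ENABLED = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
</hudson>
"""
WIPED = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
</hudson>
"""


def csrf_issuer(config_xml):
    """Return the crumb issuer class, or None when no <crumbIssuer> is configured."""
    # Drop the XML declaration so parsing does not depend on the declared version.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml)
    node = ET.fromstring(body).find("crumbIssuer")
    if node is None:
        return None
    return node.get("class") or "(class not recorded)"


def find_regressions(history):
    """history: (label, xml) pairs, oldest first. Report every snapshot where
    CSRF protection was on in the last readable snapshot and is now gone."""
    findings, previous = [], None
    for label, xml_text in history:
        try:
            current = csrf_issuer(xml_text)
        except ET.ParseError:
            findings.append((label, "unparseable config.xml"))
            continue
        if previous is not None and current is None:
            findings.append((label, "crumbIssuer removed (was %s)" % previous))
        previous = current
    return findings


if __name__ == "__main__":
    snapshots = [("after-security-save", ENABLED), ("after-configure-save", WIPED)]
    for label, problem in find_regressions(snapshots):
        print(label, "->", problem)
```
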

            peter_nordquist Peter Nordquist added a comment -

            Yeah sorry about the Priority, I didn't fully read the bug submission guidelines so I was going on the fact that it can silently disable the settings if you aren't looking for the issue. Wish I could edit the summary of the issue, I didn't proofread it that well.

            jglick Jesse Glick added a comment -

            A comment of mine in JENKINS-14538 is related to the cause of this problem.

            jglick Jesse Glick added a comment -

            Broken since this new page was introduced in 1.494 I guess.

            peter_nordquist Peter Nordquist added a comment - - edited

            Fixed summary readability

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            changelog.html
            core/src/main/java/hudson/Functions.java
            core/src/main/java/jenkins/model/Jenkins.java
            core/src/main/resources/jenkins/model/Jenkins/configure.jelly
            http://jenkins-ci.org/commit/jenkins/ebd8ff1f0d85ee80650fe6730162975f00b81c63
            Log:
            [FIXED JENKINS-17087] getSortedDescriptorsForGlobalConfigUnclassified needed to avoid clobbering GlobalCrumbIssuerConfiguration in Jenkins.doConfigSubmit.


            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #2340
            [FIXED JENKINS-17087] getSortedDescriptorsForGlobalConfigUnclassified needed to avoid clobbering GlobalCrumbIssuerConfiguration in Jenkins.doConfigSubmit. (Revision ebd8ff1f0d85ee80650fe6730162975f00b81c63)

            Result = SUCCESS
            Jesse Glick : ebd8ff1f0d85ee80650fe6730162975f00b81c63
            Files :

            • core/src/main/java/jenkins/model/Jenkins.java
            • core/src/main/java/hudson/Functions.java
            • changelog.html
            • core/src/main/resources/jenkins/model/Jenkins/configure.jelly

              People

              Assignee:
              jglick Jesse Glick
              Reporter:
              peter_nordquist Peter Nordquist