
Saving Jenkins Global Config wipes out the crumb issuer settings in the Global Security Config

    • Type: Bug
    • Resolution: Fixed
    • Priority: Blocker
    • core
    • None
    • Windows Server 2008 R2 SP1
      Jenkins 1.502

      When I go and enable the Prevent Cross Site Request Forgery exploits setting in the Configure Global Security page and save it, everything seems to work fine. If I then go and update settings in the Global Configure System page, the Prevent Cross Site Request Forgery exploits setting is wiped out from the global config.xml file. This is easily seen by the JobConfigHistory plugin.

          [JENKINS-17087] Saving Jenkins Global Config wipes out the crumb issuer settings in the Global Security Config

          Peter Nordquist added a comment - I just tested this on a clean (no extra plugins) Jenkins install of 1.504 and it still clears out the CSRF Protection settings whenever I save the /configure settings (Configure System on the Manage Jenkins Page)

          Jesse Glick added a comment -

          We will try to get a fix in soon. Not sure it is a “Blocker” since there is a workaround (restore the CSRF settings) but this does leave open a window of vulnerability and it would be hard to remember consistently.

          Peter Nordquist added a comment - Yeah sorry about the Priority, I didn't fully read the bug submission guidelines so I was going on the fact that it can silently disable the settings if you aren't looking for the issue. Wish I could edit the summary of the issue, I didn't proofread it that well.

          Jesse Glick added a comment -

          A comment of mine in JENKINS-14538 is related to the cause of this problem.

          Jesse Glick added a comment -

          Broken since this new page was introduced in 1.494 I guess.

          Peter Nordquist added a comment - - edited

          Fixed summary readability

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          changelog.html
          core/src/main/java/hudson/Functions.java
          core/src/main/java/jenkins/model/Jenkins.java
          core/src/main/resources/jenkins/model/Jenkins/configure.jelly
          http://jenkins-ci.org/commit/jenkins/ebd8ff1f0d85ee80650fe6730162975f00b81c63
          Log:
          [FIXED JENKINS-17087] getSortedDescriptorsForGlobalConfigUnclassified needed to avoid clobbering GlobalCrumbIssuerConfiguration in Jenkins.doConfigSubmit.

          dogfood added a comment -

          Integrated in jenkins_main_trunk #2340
          [FIXED JENKINS-17087] getSortedDescriptorsForGlobalConfigUnclassified needed to avoid clobbering GlobalCrumbIssuerConfiguration in Jenkins.doConfigSubmit. (Revision ebd8ff1f0d85ee80650fe6730162975f00b81c63)

          Result = SUCCESS
          Jesse Glick : ebd8ff1f0d85ee80650fe6730162975f00b81c63
          Files :

          • core/src/main/java/jenkins/model/Jenkins.java
          • core/src/main/java/hudson/Functions.java
          • changelog.html
          • core/src/main/resources/jenkins/model/Jenkins/configure.jelly
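
An added example, not part of the original issue or of Jenkins itself: a Python check that compares two snapshots of the global config.xml (for instance the versions JobConfigHistory records) and reports when the crumbIssuer element disappears, which is the silent change this issue describes. It goes beyond the single case by watching other security elements too; the snapshots and the WATCHED list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Direct children of <hudson> in config.xml that hold security settings.
# crumbIssuer is the element this issue is about; the rest are a generalization.
WATCHED = ("useSecurity", "authorizationStrategy", "securityRealm", "crumbIssuer")

# Constructed snapshots: the same config before and after a "Configure System" save.
BEFORE = """<hudson>
  <numExecutors>2</numExecutors>
  <useSecurity>true</useSecurity>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
</hudson>"""
AFTER = """<hudson>
  <numExecutors>4</numExecutors>
  <useSecurity>true</useSecurity>
</hudson>"""


def _shape(elem):
    """Whitespace-insensitive structure of an element, or None if absent."""
    if elem is None:
        return None
    return (elem.tag, tuple(sorted(elem.attrib.items())),
            (elem.text or "").strip(), tuple(_shape(c) for c in elem))


def security_regressions(before_xml, after_xml):
    """List (tag, status) for watched elements that differ between snapshots."""
    before, after = ET.fromstring(before_xml), ET.fromstring(after_xml)
    findings = []
    for tag in WATCHED:
        old, new = _shape(before.find(tag)), _shape(after.find(tag))
        if old == new:
            continue
        status = "removed" if new is None else "added" if old is None else "changed"
        findings.append((tag, status))
    return findings


if __name__ == "__main__":
    for tag, status in security_regressions(BEFORE, AFTER):
        print(f"config.xml: <{tag}> {status}")
```

Run after each configuration save or on a schedule, a "removed" finding for crumbIssuer closes the window in which CSRF protection is off without anyone noticing.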


            jglick Jesse Glick
            peter_nordquist Peter Nordquist