[JENKINS-17087] Saving Jenkins Global Config wipes out the crumb issuer settings in the Global Security Config

    • Type: Bug
    • Resolution: Fixed
    • Priority: Blocker
    • Component/s: core
    • Labels: None
    • Environment: Windows Server 2008 R2 SP1, Jenkins 1.502

      When I go and enable the Prevent Cross Site Request Forgery exploits setting in the Configure Global Security page and save it, everything seems to work fine. If I then go and update settings in the Global Configure System page, the Prevent Cross Site Request Forgery Exploits setting is wiped out from the global config.xml file. This is easily seen by the JobConfigHistory plugin.

          Peter Nordquist created issue -

          Peter Nordquist added a comment - I just tested this on a clean (no extra plugins) Jenkins install of 1.504 and it still clears out the CSRF Protection settings whenever I save the /configure settings (Configure System on the Manage Jenkins Page)
          Jesse Glick made changes -
          Assignee Original: Kohsuke Kawaguchi [ kohsuke ] New: Jesse Glick [ jglick ]
          Jesse Glick made changes -
          Labels New: 1.480.4-candidate

          Jesse Glick added a comment - We will try to get a fix in soon. Not sure it is a “Blocker” since there is a workaround (restore the CSRF settings) but this does leave open a window of vulnerability and it would be hard to remember consistently.

          Peter Nordquist added a comment - Yeah sorry about the Priority, I didn't fully read the bug submission guidelines so I was going on the fact that it can silently disable the settings if you aren't looking for the issue. Wish I could edit the summary of the issue, I didn't proofread it that well.
          Jesse Glick made changes -
          Labels Original: 1.480.4-candidate
          Kohsuke Kawaguchi made changes -
          Component/s New: core [ 15593 ]
          Component/s Original: core [ 15738 ]
          Key Original: SECURITY-64 New: JENKINS-17087
          Project Original: Security Issues [ 10180 ] New: Jenkins [ 10172 ]
          Workflow Original: jira [ 147858 ] New: JNJira [ 147918 ]
          Jesse Glick made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]

          Jesse Glick added a comment - A comment of mine in JENKINS-14538 is related to the cause of this problem.
          Jesse Glick made changes -
          Link New: This issue is related to JENKINS-14538 [ JENKINS-14538 ]
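
An added example, not part of the original issue or of Jenkins itself: a check that compares two snapshots of the global config.xml and reports when the crumb issuer has disappeared, which is the silent change described in this report. It assumes CSRF protection is stored as a `crumbIssuer` element under the root of config.xml; the two sample documents are constructed for illustration.

```python
"""Detect loss of the CSRF crumb issuer between two snapshots of Jenkins' global config.xml."""
import xml.etree.ElementTree as ET

# Constructed, trimmed samples of $JENKINS_HOME/config.xml (not taken from the issue).
BEFORE_SAVE = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <version>1.502</version>
  <useSecurity>true</useSecurity>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
</hudson>"""

AFTER_SAVE = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <version>1.502</version>
  <useSecurity>true</useSecurity>
</hudson>"""


def crumb_issuer(config_xml):
    """Return the crumb issuer class configured in config.xml, or None if CSRF protection is off."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    node = root.find("crumbIssuer")
    if node is None:
        return None
    # An element without a class attribute still means an issuer is configured.
    return node.get("class", "(unspecified class)")


def csrf_regression(old_xml, new_xml):
    """Describe a CSRF settings change between two config.xml snapshots, or return None."""
    old, new = crumb_issuer(old_xml), crumb_issuer(new_xml)
    if old == new:
        return None
    if new is None:
        return "CSRF protection removed: crumbIssuer %s is gone" % old
    if old is None:
        return "CSRF protection enabled: crumbIssuer %s" % new
    return "crumbIssuer changed: %s -> %s" % (old, new)


if __name__ == "__main__":
    print(csrf_regression(BEFORE_SAVE, AFTER_SAVE))
```

Run against the previous and current copies of config.xml after each save of the system configuration, a non-empty result flags the change that would otherwise go unnoticed.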

            Assignee: Jesse Glick (jglick)
            Reporter: Peter Nordquist (peter_nordquist)