• Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component: core
    • Platform: All, OS: All

      Guest users (when security is enabled) can trigger a new build by using direct URLs.

      Nothing destructive can be done, but anyway,
      guest/anonymous users should not be able to do that.

      The fix is simple:

      Index: src/main/java/hudson/model/Project.java
      ===================================================================
      RCS file: /cvs/hudson/hudson/main/core/src/main/java/hudson/model/Project.java,v
      retrieving revision 1.8
      diff -u -r1.8 Project.java
      — src/main/java/hudson/model/Project.java 20 Nov 2006 14:46:55 -0000 1.8
      +++ src/main/java/hudson/model/Project.java 22 Nov 2006 12:10:52 -0000
      @@ -493,6 +493,9 @@

      • Schedules a new build command.
        */
        public void doBuild( StaplerRequest req, StaplerResponse rsp ) throws
        IOException, ServletException { + if(!Hudson.adminCheck(req,rsp)) + return; + scheduleBuild(); rsp.forwardToPreviousPage(req); }
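Review bot: the new guard `if(!Hudson.adminCheck(req,rsp)) return;` gates doBuild on administrator status, which is stricter than the hole being closed: the report only asks that guest/anonymous users be unable to trigger builds, and the reply below notes that external trigger systems can still supply a username/password, so a check for any authenticated user (or a dedicated build permission) would close the guest hole without requiring every remote trigger to hold admin credentials. Also confirm that adminCheck writes its own error response (401/403) before returning false; the bare `return;` otherwise sends the caller an empty 200, and the placement is right only because the check runs before `scheduleBuild();`.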

      Let me know if that's OK and I'll commit.

          [JENKINS-177] Guest users can start builds via direct URLs

          Kohsuke Kawaguchi added a comment -

          Thanks. This was done intentionally (although it's a bad thing), so that Hudson
          can be triggered from systems outside Hudson.

          But you are probably right that it shouldn't be allowed for guests. Those
          external triggering systems can still provide username/password information.

          The change looks good to me. Please commit it.
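The point raised above, that the build URL must refuse anonymous callers while an external system can still authenticate, as an added example. This is not Hudson's code and not the patch in this issue: it models a build-trigger handler before and after the fix in plain Python, with a constructed user store, a stand-in for scheduleBuild(), HTTP Basic credentials as the assumed way an external trigger identifies itself, and the status codes chosen for the example.

```python
"""Added example (not Hudson's own code): a build-trigger endpoint modelled
before and after the JENKINS-177 fix. The checked version rejects anonymous
callers before anything is scheduled and still lets an external system
trigger the build by sending HTTP Basic credentials."""
import base64
import binascii
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed user store (assumption): username -> PBKDF2-SHA256 of the password.
# The salt is fixed only so that the example is self-contained and repeatable.
_SALT = b"jenkins-177-example-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"ci-trigger": _hash_password("s3cret")}


@dataclass
class BuildQueue:
    """Stand-in for Hudson's scheduleBuild(): records which jobs were queued."""
    scheduled: list = field(default_factory=list)

    def schedule(self, job: str) -> None:
        self.scheduled.append(job)


def parse_basic_auth(header: Optional[str]) -> Optional[tuple]:
    """Return (user, password) from an 'Authorization: Basic ...' header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def authenticate(headers: dict, users: dict) -> Optional[str]:
    """Return the username if the Basic credentials verify, otherwise None."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return None
    user, password = creds
    stored = users.get(user)
    if stored is None:
        _hash_password(password)  # same cost for unknown user and wrong password
        return None
    return user if hmac.compare_digest(stored, _hash_password(password)) else None


def do_build_unchecked(job: str, headers: dict, queue: BuildQueue) -> tuple:
    """Pre-fix behaviour: any caller, including anonymous, schedules a build."""
    queue.schedule(job)
    return 200, "scheduled"


def do_build_checked(job: str, headers: dict, queue: BuildQueue, users: dict = USERS) -> tuple:
    """Post-fix behaviour: the access check runs first and produces the error
    response itself, so returning early leaves the client with a proper 401
    rather than an empty reply. Only on success does the build get scheduled."""
    user = authenticate(headers, users)
    if user is None:
        return 401, 'WWW-Authenticate: Basic realm="hudson"'
    queue.schedule(job)
    return 200, f"scheduled by {user}"


def basic_header(user: str, password: str) -> dict:
    """Build the Authorization header an external trigger system would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    q = BuildQueue()
    print(do_build_unchecked("glassfish", {}, q), q.scheduled)                      # anonymous succeeds
    print(do_build_checked("glassfish", {}, q), q.scheduled)                        # anonymous refused
    print(do_build_checked("glassfish", basic_header("ci-trigger", "s3cret"), q), q.scheduled)
```

The guard returns the status it wants the client to see, which is the property a caller's early return depends on: if the check silently returned false, the unchecked path and the refused path would be indistinguishable to a remote trigger script.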

          vsizikov added a comment -

          Ah, interesting note about the need to launch builds remotely.

          But it seems with the current state of affairs on the Internet, security/safety is
          the most important thing, and since I see that Hudson is getting more and more
          used by public sites with security enabled (NetBeans folks, GlassFish folks,
          etc.), we'd better make Hudson as protected as possible.

          I enabled security check for "build" action for now. Should be in Hudson 1.65.

            Assignee: Unassigned
            Reporter: vsizikov
            Votes: 0
            Watchers: 0