Jenkins 1.480.3. Enable security with any security realm (e.g. Unix authentication) and matrix-based authorization, giving one user all permissions and anonymous none. Enable the default crumb issuer. Configure an SSH public key for the authenticated user. Now, from a shell, try to use the CLI:
$ java -jar jenkins-cli.jar -s http://localhost:8080/ -i ~/.ssh/id_dsa help
Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/cli
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1625)
    at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:77)
    at hudson.cli.CLI.connectViaHttp(CLI.java:155)
    at hudson.cli.CLI.<init>(CLI.java:139)
    at hudson.cli.CLIConnectionFactory.connect(CLIConnectionFactory.java:68)
    at hudson.cli.CLI._main(CLI.java:438)
    at hudson.cli.CLI.main(CLI.java:373)
If you disable the crumb issuer, the same command works as expected.
Jenkins.doCli in POST mode goes through CrumbFilter, and the CLI client makes no attempt to send a crumb, so the filter rejects the POST with 403 before the CLI session is even established.
If there is some way a JavaScript form submission could trick a browser into initiating a complete CLI session and sending a destructive command (i.e. if /cli is actually CSRF-exploitable), then the client should be amended to check for /crumbIssuer/api/xml and send a crumb with its POST; otherwise CrumbFilter should be amended to exempt /cli, since the full-duplex CLI handshake is not something a cross-site form can drive.
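As an added illustration of the client-side fix proposed above (this is not Jenkins code and not part of the original report), the following Python script shows the crumb handshake a CLI client would need: GET /crumbIssuer/api/xml, read the crumbRequestField and crumb elements, and attach them as a header on the POST to /cli. To run offline it stands up an in-process mock that imitates the crumb issuer and a CrumbFilter-style check on POST; the header name ".crumb", the crumb value and the response XML shape are constructed assumptions for the mock, and the real CLI endpoint speaks a full-duplex protocol rather than a plain POST.

```python
"""Crumb handshake demo: POST without a crumb is refused, POST with one is accepted."""
import threading
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

CRUMB_FIELD = ".crumb"   # assumed header name for the mock (older Jenkins used ".crumb")
MOCK_CRUMB = "deadbeef"  # constructed crumb value served by the mock issuer


class MockJenkins(BaseHTTPRequestHandler):
    """Stand-in for Jenkins: a crumb issuer plus a crumb-guarded POST endpoint."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        if self.path.startswith("/crumbIssuer/api/xml"):
            body = (
                f"<defaultCrumbIssuer><crumb>{MOCK_CRUMB}</crumb>"
                f"<crumbRequestField>{CRUMB_FIELD}</crumbRequestField></defaultCrumbIssuer>"
            ).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/xml")
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(404)
            self.end_headers()

    def do_POST(self):
        # Drain the request body so the client sees a clean response.
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        # CrumbFilter-like rule: every POST must carry a valid crumb header.
        if self.headers.get(CRUMB_FIELD) != MOCK_CRUMB:
            self.send_response(403)
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")


def start_mock():
    """Start the mock on an ephemeral loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), MockJenkins)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def parse_crumb(xml_bytes):
    """Extract (header_name, crumb_value) from a crumbIssuer/api/xml response."""
    root = ET.fromstring(xml_bytes)
    return root.findtext("crumbRequestField"), root.findtext("crumb")


def fetch_crumb(base_url):
    with urlopen(base_url + "/crumbIssuer/api/xml") as resp:
        return parse_crumb(resp.read())


def post_cli(base_url, with_crumb):
    """POST to /cli, optionally after the crumb handshake; returns the HTTP status."""
    req = Request(base_url + "/cli", data=b"help", method="POST")
    if with_crumb:
        field, value = fetch_crumb(base_url)
        req.add_header(field, value)
    try:
        with urlopen(req) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def demo():
    """Returns (status without crumb, status with crumb), i.e. (403, 200)."""
    srv, base_url = start_mock()
    try:
        return post_cli(base_url, with_crumb=False), post_cli(base_url, with_crumb=True)
    finally:
        srv.shutdown()


if __name__ == "__main__":
    print(demo())
```

The point the mock makes concrete is the one in the report: the 403 comes from the crumb filter, not from authentication, so neither the SSH key nor any other credential helps until the client either fetches a crumb first or the filter stops covering /cli.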
Is related to: JENKINS-22474 Crumb must be sent with POST requests even when using authentication token (Resolved)