1.480.3

Enable security, with whatever security realm (e.g. Unix authentication), and matrix authentication with one user given all permissions and anonymous none. Enable the default crumb issuer. Configure the authenticated user's SSH public keys. Now from a shell try to use the CLI:

      $ java -jar jenkins-cli.jar -s http://localhost:8080/ -i ~/.ssh/id_dsa help
      Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/cli
      	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1625)
      	at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:77)
      	at hudson.cli.CLI.connectViaHttp(CLI.java:155)
      	at hudson.cli.CLI.<init>(CLI.java:139)
      	at hudson.cli.CLIConnectionFactory.connect(CLIConnectionFactory.java:68)
      	at hudson.cli.CLI._main(CLI.java:438)
      	at hudson.cli.CLI.main(CLI.java:373)
      

If you disable the crumb issuer, the same command works as expected.

Jenkins.doCli in POST mode would go through CrumbFilter, and the CLI client makes no attempt to send a crumb.

If there is some way a JavaScript form submission could trick a browser into initiating a complete CLI session and sending a destructive command, then the client should be amended to check for /crumbIssuer/api/xml and send a crumb; otherwise CrumbFilter should be amended to exempt /cli.
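The client-side fix the report proposes, as an added example that is not Jenkins' own code: fetch the crumb issuer's XML, take the header name from its crumbRequestField element rather than hard-coding it (the name differs across Jenkins versions), and send that header on the POST to /cli. The XML body is a constructed sample of the /crumbIssuer/api/xml response, and crumb_filter is a toy stand-in for CrumbFilter's decision, not the real filter.

```python
"""Added example (not Jenkins' own code): how a CLI client could satisfy
CrumbFilter by reading /crumbIssuer/api/xml and sending the crumb as a
header on its POST to /cli, beside a toy model of the filter's decision."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Constructed sample of GET /crumbIssuer/api/xml (the crumb value is made up).
SAMPLE_CRUMB_XML = (
    "<defaultCrumbIssuer _class='hudson.security.csrf.DefaultCrumbIssuer'>"
    "<crumb>0123456789abcdef0123456789abcdef</crumb>"
    "<crumbRequestField>Jenkins-Crumb</crumbRequestField>"
    "</defaultCrumbIssuer>"
)


def parse_crumb(xml_body: str) -> Tuple[str, str]:
    """Return (header_name, crumb_value) from a crumbIssuer XML response."""
    root = ET.fromstring(xml_body)
    field = root.findtext("crumbRequestField")
    crumb = root.findtext("crumb")
    if not field or not crumb:
        raise ValueError("crumb issuer response lacks crumb fields")
    return field, crumb


def cli_headers(crumb_xml: Optional[str]) -> Dict[str, str]:
    """Headers for the CLI's POST to /cli. Pass the issuer's XML to add the
    crumb header; pass None to model today's client, which sends no crumb."""
    headers = {"Content-Type": "application/octet-stream"}
    if crumb_xml is not None:
        field, crumb = parse_crumb(crumb_xml)
        headers[field] = crumb
    return headers


def crumb_filter(method: str, headers: Dict[str, str],
                 expected: Tuple[str, str]) -> int:
    """Toy stand-in for CrumbFilter: 403 on a POST whose crumb header is
    absent or wrong, 200 otherwise; GETs are not checked. A cross-site form
    post cannot read the victim's crumb, which is what makes the check work."""
    if method != "POST":
        return 200
    field, crumb = expected
    return 200 if headers.get(field) == crumb else 403


if __name__ == "__main__":
    expected = parse_crumb(SAMPLE_CRUMB_XML)
    print(crumb_filter("POST", cli_headers(None), expected))              # 403
    print(crumb_filter("POST", cli_headers(SAMPLE_CRUMB_XML), expected))  # 200
```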

[JENKINS-18114] Enabling crumb issuer prevents CLI from working

Jesse Glick created issue
Jesse Glick made changes - Link New: This issue is related to JENKINS-22474 [ JENKINS-22474 ]
Daniel Beck made changes - Assignee New: Daniel Beck [ danielbeck ]
Daniel Beck made changes - Status Original: Open [ 1 ] New: In Progress [ 3 ]
Daniel Beck made changes - Remote Link New: This issue links to "PR 2315 (Web Link)" [ 14273 ]
R. Tyler Croy made changes - Workflow Original: JNJira [ 149411 ] New: JNJira + In-Review [ 185460 ]
SCM/JIRA link daemon made changes - Resolution New: Fixed [ 1 ]; Status Original: In Progress [ 3 ] New: Resolved [ 5 ]
Daniel Beck made changes - Labels Original: cli csrf security New: cli csrf lts-candidate security
Oliver Gondža made changes - Labels Original: cli csrf lts-candidate security New: 2.19.2-fixed cli csrf security
CloudBees Inc. made changes - Remote Link New: This issue links to "CloudBees Internal OSS-1372 (Web Link)" [ 18725 ]
CloudBees Inc. made changes - Remote Link New: This issue links to "CloudBees Internal DEV-1801 (Web Link)" [ 19322 ]
