[JENKINS-22769] ListView's ItemListener runs with user privileges, might miss affected views - Jenkins JIRA

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Major
Resolution: Fixed
Component/s: core
Labels:
Environment:
1.548+

Similar Issues:

Show

Description

https://github.com/jenkinsci/jenkins/commit/6d3c2e0d849dd76b6507daca1cc910f75418e941#commitcomment-6115698

Attachments

Issue Links

is blocking

JENKINS-18680 View.onJobRenamed should be deprecated

Resolved

is related to

JENKINS-20474 getACL methods are too expensive when current ACL is SYSTEM

Resolved

JENKINS-25400 Job owned by SYSTEM instead of creator when 'Setup after creation' used

Resolved

Activity

Ascending order - Click to sort in descending order

6 older comments

Hide

Permalink

Jesse Glick added a comment - 2014-11-07 17:56

If backporting you would need to include the fix of ~~JENKINS-25400~~ as well, which is not “soaked” yet.

Show

Jesse Glick added a comment - 2014-11-07 17:56 If backporting you would need to include the fix of JENKINS-25400 as well, which is not “soaked” yet.

Hide

Permalink

Oleg Nenashev added a comment - 2014-11-07 18:05

Backporting w/o a fix for ~~JENKINS-25400~~ would be a really bad idea.
We don't know the real impact of the issue.

Show

Oleg Nenashev added a comment - 2014-11-07 18:05 Backporting w/o a fix for JENKINS-25400 would be a really bad idea. We don't know the real impact of the issue.

Hide

Permalink

SCM/JIRA link daemon added a comment - 2014-11-08 10:43

Code changed in jenkins
User: Jesse Glick
Path:
core/src/main/java/hudson/model/listeners/ItemListener.java
test/src/test/java/hudson/model/ListViewTest.java
http://jenkins-ci.org/commit/jenkins/0efd811adb89769c8a6180e33e3d06d755bca4b5
Log:
[FIXED JENKINS-22769] ItemListener callbacks should run as SYSTEM since they sometimes do ACL-checked calls.
(cherry picked from commit c04cdcd9f717ddcd3e8c9dbe86cb353c14ae511e)

Conflicts:
changelog.html

Show

SCM/JIRA link daemon added a comment - 2014-11-08 10:43 Code changed in jenkins User: Jesse Glick Path: core/src/main/java/hudson/model/listeners/ItemListener.java test/src/test/java/hudson/model/ListViewTest.java http://jenkins-ci.org/commit/jenkins/0efd811adb89769c8a6180e33e3d06d755bca4b5 Log: [FIXED JENKINS-22769] ItemListener callbacks should run as SYSTEM since they sometimes do ACL-checked calls. (cherry picked from commit c04cdcd9f717ddcd3e8c9dbe86cb353c14ae511e) Conflicts: changelog.html

Hide

Permalink

SCM/JIRA link daemon added a comment - 2014-11-08 10:43

Code changed in jenkins
User: Jesse Glick
Path:
core/src/main/java/hudson/model/Fingerprint.java
core/src/main/java/hudson/model/ListView.java
core/src/main/java/hudson/model/listeners/ItemListener.java
core/src/main/java/hudson/tasks/BuildTrigger.java
http://jenkins-ci.org/commit/jenkins/8478e24609d407268bd579609bf0ce3ad395a046
Log:
[FIXED JENKINS-25400] Rework fix of ~~JENKINS-22769~~ (c04cdcd) to put the burden on each listener to impersonate ACL.SYSTEM if it needs to.
(cherry picked from commit a6a3d5e1660735edc18d331500f7ce9850fbc724)

Conflicts:
changelog.html

Compare: https://github.com/jenkinsci/jenkins/compare/be835bfcfb17...8478e24609d4

Show

SCM/JIRA link daemon added a comment - 2014-11-08 10:43 Code changed in jenkins User: Jesse Glick Path: core/src/main/java/hudson/model/Fingerprint.java core/src/main/java/hudson/model/ListView.java core/src/main/java/hudson/model/listeners/ItemListener.java core/src/main/java/hudson/tasks/BuildTrigger.java http://jenkins-ci.org/commit/jenkins/8478e24609d407268bd579609bf0ce3ad395a046 Log: [FIXED JENKINS-25400] Rework fix of JENKINS-22769 (c04cdcd) to put the burden on each listener to impersonate ACL.SYSTEM if it needs to. (cherry picked from commit a6a3d5e1660735edc18d331500f7ce9850fbc724) Conflicts: changelog.html Compare: https://github.com/jenkinsci/jenkins/compare/be835bfcfb17...8478e24609d4

Hide

Permalink

dogfood added a comment - 2015-09-24 18:25

Integrated in jenkins_main_trunk #4292
[FIXED JENKINS-22769] ItemListener callbacks should run as SYSTEM since they sometimes do ACL-checked calls. (Revision 0efd811adb89769c8a6180e33e3d06d755bca4b5)
[FIXED JENKINS-25400] Rework fix of ~~JENKINS-22769~~ (c04cdcd) to put the burden on each listener to impersonate ACL.SYSTEM if it needs to. (Revision 8478e24609d407268bd579609bf0ce3ad395a046)

Result = UNSTABLE
ogondza : 0efd811adb89769c8a6180e33e3d06d755bca4b5
Files :

core/src/main/java/hudson/model/listeners/ItemListener.java
test/src/test/java/hudson/model/ListViewTest.java

ogondza : 8478e24609d407268bd579609bf0ce3ad395a046
Files :

core/src/main/java/hudson/tasks/BuildTrigger.java
core/src/main/java/hudson/model/ListView.java
core/src/main/java/hudson/model/Fingerprint.java
core/src/main/java/hudson/model/listeners/ItemListener.java

Show

dogfood added a comment - 2015-09-24 18:25 Integrated in jenkins_main_trunk #4292 [FIXED JENKINS-22769] ItemListener callbacks should run as SYSTEM since they sometimes do ACL-checked calls. (Revision 0efd811adb89769c8a6180e33e3d06d755bca4b5) [FIXED JENKINS-25400] Rework fix of JENKINS-22769 (c04cdcd) to put the burden on each listener to impersonate ACL.SYSTEM if it needs to. (Revision 8478e24609d407268bd579609bf0ce3ad395a046) Result = UNSTABLE ogondza : 0efd811adb89769c8a6180e33e3d06d755bca4b5 Files : core/src/main/java/hudson/model/listeners/ItemListener.java test/src/test/java/hudson/model/ListViewTest.java ogondza : 8478e24609d407268bd579609bf0ce3ad395a046 Files : core/src/main/java/hudson/tasks/BuildTrigger.java core/src/main/java/hudson/model/ListView.java core/src/main/java/hudson/model/Fingerprint.java core/src/main/java/hudson/model/listeners/ItemListener.java

Jenkins

ListView's ItemListener runs with user privileges, might miss affected views

Details

Description

Attachments

Issue Links

Activity

People

Dates