[JENKINS-23258] Sidebar URL should accept invalid URL

Type: Improvement
Resolution: Won't Do
Priority: Minor
Component/s: sidebar-link-plugin
Labels:
None
Environment:
Jenkins 1.540
Sidebar Link 1.6

Similar Issues:
Powered by SuggestiMate

Show

Tried to enter a URL like the following which resulted in an empty link (no href attr in the anchor tag)

http://perforce.internal.com:5500/@md=d&cd=/&c=5FN@/?ac=107&mx=100&jsf=Job&jsf=Status&jsf=Codeline&jsf=Description&jsf=Owner&jsf=Modified&jsf=Defect_Ref&jsf=Job_control&jsf=WorkItem_Ref&jsf=Job_Ref&jsf=Originator&ft=%28Status=qaready%20|%20%28Status=open%20%26%20Job_control=requested%29%29%20%26%20codeline=main

D Soa added a comment - 2014-05-30 21:00

Looks like it is the '|' that it doesn't like. Changing it to %7C worked.

D Soa added a comment - 2014-05-30 21:00 Looks like it is the '|' that it doesn't like. Changing it to %7C worked.

Kohsuke Kawaguchi added a comment - 2014-05-31 15:28

'|' is not a valid character in URL. See RFC-1738.

Kohsuke Kawaguchi added a comment - 2014-05-31 15:28 '|' is not a valid character in URL. See RFC-1738.

Kohsuke Kawaguchi added a comment - 2014-05-31 15:29

... although come to think of it, it's not clear why the plugin ends up silently dropping it. Reopening.

Kohsuke Kawaguchi added a comment - 2014-05-31 15:29 ... although come to think of it, it's not clear why the plugin ends up silently dropping it. Reopening.

Kohsuke Kawaguchi added a comment - 2014-05-31 15:31

Adjusting priority and summary to reflect the task at hand. Without knowing much about the plugin, there seems to be no reason why the plugin needs to enforce the URL syntax rule. It could just as well treat URLs as strings and let browsers do their things.

Kohsuke Kawaguchi added a comment - 2014-05-31 15:31 Adjusting priority and summary to reflect the task at hand. Without knowing much about the plugin, there seems to be no reason why the plugin needs to enforce the URL syntax rule. It could just as well treat URLs as strings and let browsers do their things.

Kalle Niemitalo added a comment - 2022-02-18 09:25 - edited

Because of the previously fixed Persisted XSS Vulnerability in Sidebar Link Plugin (SECURITY-352 / CVE-2017-1000088), I don't think it would be safe to make the plugin let icon URLs pass through if it cannot understand what they mean.

See https://github.com/jenkinsci/sidebar-link-plugin/commit/0db2a01d0ff250f9ba81929faca4bfce657d2b11.

Kalle Niemitalo added a comment - 2022-02-18 09:25 - edited Because of the previously fixed Persisted XSS Vulnerability in Sidebar Link Plugin (SECURITY-352 / CVE-2017-1000088), I don't think it would be safe to make the plugin let icon URLs pass through if it cannot understand what they mean. See https://github.com/jenkinsci/sidebar-link-plugin/commit/0db2a01d0ff250f9ba81929faca4bfce657d2b11 .

Assignee:: Kalle Niemitalo

Reporter:: D Soa

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2014-05-30 20:01

Updated:: 2022-02-18 09:28

Resolved:: 2022-02-18 09:26

Jenkins

Details

Description

Attachments

Activity

Collapse comment: D Soa added a comment - 2014-05-30 21:00

Expand comment: D Soa added a comment - 2014-05-30 21:00

Collapse comment: Kohsuke Kawaguchi added a comment - 2014-05-31 15:28

Expand comment: Kohsuke Kawaguchi added a comment - 2014-05-31 15:28

Collapse comment: Kohsuke Kawaguchi added a comment - 2014-05-31 15:29

Expand comment: Kohsuke Kawaguchi added a comment - 2014-05-31 15:29

Collapse comment: Kohsuke Kawaguchi added a comment - 2014-05-31 15:31

Expand comment: Kohsuke Kawaguchi added a comment - 2014-05-31 15:31

Collapse comment: Kalle Niemitalo added a comment - 2022-02-18 09:25, Edited by Kalle Niemitalo - 2022-02-18 09:28

Expand comment: Kalle Niemitalo added a comment - 2022-02-18 09:25, Edited by Kalle Niemitalo - 2022-02-18 09:28

People

Dates