
Overall.READ is sufficient to access /administrativeMonitor/hudsonHomeIsFull/

      This does not appear to really be an issue by itself, but it might be in the case of carelessly implemented Solutions to this problem that don't check permissions in message.jelly and expose private data on the overview page (even if checking permissions for any associated actions).
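A check a practitioner can run against their own instance to confirm that this page is no longer reachable with only Overall/Read. This is an added example for this issue, not code from Jenkins core or from anyone in the ticket; the base URL, the read-only account and its API token are placeholders to be replaced, and the sample responses at the bottom are constructed for offline use. Run it as the read-only user (or anonymously, if anonymous has read access): a 200 that contains the monitor's page title means the page still renders; a 401, 403 or a redirect to the login page means access is denied as intended.

```python
"""Probe /administrativeMonitor/hudsonHomeIsFull/ with a non-admin account.

Added example (not Jenkins code).  Assumptions: base URL, user name and
API token are placeholders supplied on the command line.
"""
import base64
import sys
import urllib.error
import urllib.request

MONITOR_PATH = "/administrativeMonitor/hudsonHomeIsFull/"
# Title of the monitor's index.jelly, as seen in the fix diff.  If it occurs
# in a 200 body the monitor page itself rendered, not e.g. a login form.
PAGE_TITLE = "JENKINS_HOME is almost full"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx as an HTTPError instead of silently following to /login."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(base_url, user=None, token=None, timeout=15):
    """GET the monitor page and return (status, body).

    With user=None the request is anonymous; otherwise HTTP Basic auth with
    a Jenkins API token (placeholder credentials, assumption) is sent.
    """
    req = urllib.request.Request(base_url.rstrip("/") + MONITOR_PATH)
    if user is not None:
        cred = base64.b64encode(f"{user}:{token}".encode()).decode()
        req.add_header("Authorization", "Basic " + cred)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 3xx (redirect to login), 401, 403, 404 ... all land here.
        return err.code, err.read().decode("utf-8", "replace")


def assess(status, body):
    """Classify the response obtained with a non-admin account.

    'exposed'      the monitor page rendered: the instance lacks the fix
    'restricted'   Jenkins denied access (401/403) or bounced to login (3xx)
    'inconclusive' anything else, e.g. a 200 login form without the page
                   title or a 404; nothing about the fix can be concluded
    """
    if status in (401, 403) or 300 <= status < 400:
        return "restricted"
    if status == 200 and PAGE_TITLE in body:
        return "exposed"
    return "inconclusive"


# Constructed sample responses (not captured from a real server), so the
# classifier can be exercised offline.
SAMPLE_RESPONSES = {
    "unfixed-read-only-user": (200, "<title>JENKINS_HOME is almost full</title>"),
    "fixed-read-only-user": (403, "Access Denied"),
    "fixed-anonymous": (302, ""),
    "login-form": (200, "<form action='j_acegi_security_check'>"),
}


def demo():
    """Return {sample name: verdict} for the constructed responses."""
    return {name: assess(*resp) for name, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    # usage: python probe_monitor.py https://jenkins.example.invalid [user token]
    if len(sys.argv) < 2:
        print(demo())
        sys.exit(0)
    base = sys.argv[1]
    user, token = (sys.argv[2], sys.argv[3]) if len(sys.argv) > 3 else (None, None)
    status, body = fetch(base, user, token)
    print(status, assess(status, body))
```

Without arguments the script only prints the verdicts for the constructed samples; with a base URL it performs the real request. Redirects are deliberately not followed, since following an anonymous request to the login page would turn a denial into a misleading 200.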


          Daniel Beck added a comment -

          It also exposes the path to JENKINS_HOME which will reveal master OS and could reveal configuration details. I don't think this should be public.


          Daniel Beck added a comment -

          Like SECURITY-133, this is fairly harmless and a fix can probably be released in a regular release. Again, let me know if I should not release the fix.

          $ git show e7f72e5
          commit e7f72e502377138a36e65d52d3c2b7311b07a5ec
          Author: Daniel Beck <daniel-beck@github.com>
          Date:   Sun May 11 00:19:45 2014 +0200
          
              [FIX SECURITY-134] Restrict access to admin monitor info page
              
              This could contain sensitive information in the list of solutions
              provided. It also shows the path to JENKINS_HOME, exposing OS and
              configuration information.
          
          diff --git a/core/src/main/resources/hudson/diagnosis/HudsonHomeDiskUsageMonitor/index.jelly b/core/src/main/resources/hudson/diagnosis/Hudso
          index fb29dd5..eb39bea 100644
          --- a/core/src/main/resources/hudson/diagnosis/HudsonHomeDiskUsageMonitor/index.jelly
          +++ b/core/src/main/resources/hudson/diagnosis/HudsonHomeDiskUsageMonitor/index.jelly
          @@ -24,7 +24,7 @@ THE SOFTWARE.
           
           <?jelly escape-by-default='true'?>
           <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form
          -       <l:layout title="${%JENKINS_HOME is almost full}">
          +       <l:layout title="${%JENKINS_HOME is almost full}" permission="${app.ADMINISTER}">
                          <l:main-panel>
                 <h1>
                   <img src="${imagesURL}/48x48/warning.png" height="48" width="48" />
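Review bot: the `permission="${app.ADMINISTER}"` added on `<l:layout title="${%JENKINS_HOME is almost full}" permission="${app.ADMINISTER}">` gates only the rendering of this index.jelly view; the hunk touches nothing else of HudsonHomeDiskUsageMonitor, so any other view or URL-bound method of the monitor stays reachable with Overall.READ, and the message.jelly that the issue description names as the place where careless solutions leak data is not addressed here. Consider adding a server-side check in the monitor's Java code as well (for example `Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER)` in its request handlers) so the view attribute is not the only control, and state in the commit message which other views of this monitor were reviewed.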


          Jesse Glick added a comment -

          Was merged for a regular release.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/resources/hudson/diagnosis/HudsonHomeDiskUsageMonitor/index.jelly
          http://jenkins-ci.org/commit/jenkins/6f030c201539027bf0309cee1d58cbfb7434aacf
          Log:
          JENKINS-23627 Restrict access to admin monitor info page

          This could contain sensitive information in the list of solutions
          provided. It also shows the path to JENKINS_HOME, exposing OS and
          configuration information.

          (cherry picked from commit 97c90ace15964143aa266da23c9c18de704bb3ad)

            kohsuke Kohsuke Kawaguchi
            danielbeck Daniel Beck
            Votes: 0
            Watchers: 2