Jenkins / JENKINS-29280

Chrome browser username autofill adds username as bindName in LDAP

Details

    • Type: Bug
    • Status: Reopened
    • Priority: Minor
    • Resolution: Unresolved
    • None
    • Environment:
      Jenkins 1.580 on CentOS
      ActiveDirectory plugin 1.39
      Chrome browser ver 43.0.235

      Jenkins 2.46.1 on Ubuntu 16.04.2 LTS
      ActiveDirectory plugin 2.4
      Chrome browser ver 57.0.2987.133

      Jenkins 2.46.2
      AD plugin 2.4

    Description

      Chrome's auto-fill populates the username and password of any user who has logged in to Jenkins into the 'bindName' and 'bindPassword' fields in the Advanced section of 'Active Directory' under Configure Global Security.

      As a result, on saving this (without noticing), no users are able to log in.

      The only way to fix this was to manually edit the config.xml to remove the erroneous <bindName> and restart the Jenkins instance.

      Am calling this a bug due to the disruptive nature of the issue (which called for a restart of the Jenkins service).

      This happens silently as the 'Advanced fields' are not expanded and thus not seen by default.

      Autocomplete/autopopulate should be blocked for the fields in the Active Directory plugin to prevent such cases.

      Thanks
      Taher.

        Activity

          taherkf Taher K F created issue -
          dimacus dima kovalenko added a comment - Pull request sent for the fix https://github.com/jenkinsci/active-directory-plugin/pull/14
          madsnielsen Mads Nielsen added a comment -

          This one gets my vote as well.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Dima Kovalenko
          Path:
          src/main/resources/hudson/plugins/active_directory/ActiveDirectorySecurityRealm/configAdvanced.jelly
          http://jenkins-ci.org/commit/active-directory-plugin/64c7f9db54bbc9a7f90e287595401b25a199ef19
          Log:
          Fixing open issue JENKINS-29280 which autofills AD username/password in browsers

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Alex Earl
          Path:
          src/main/resources/hudson/plugins/active_directory/ActiveDirectorySecurityRealm/configAdvanced.jelly
          http://jenkins-ci.org/commit/active-directory-plugin/8ed46fc74b3fb6347b966b6bec3bcf2a6a3d30e2
          Log:
          Merge pull request #14 from dimacus/JENKINS-29280

          Fixing open issue JENKINS-29280 which autofills passwords

          Compare: https://github.com/jenkinsci/active-directory-plugin/compare/1860bdccd963...8ed46fc74b3f
          rtyler R. Tyler Croy made changes -
          Field Original Value New Value
          Workflow JNJira [ 164150 ] JNJira + In-Review [ 181528 ]
          abayer Andrew Bayer made changes -
          Resolution Fixed [ 1 ]
          Status Open [ 1 ] Resolved [ 5 ]
          mayestril Mayestril added a comment -

          This happened to me on the 20 April 2017. The Bind DN and Bind Password fields were auto-filled without me noticing and I hit save which locked Jenkins up, so I'm reopening this issue.

          Jenkins 2.46.1 on Ubuntu 16.04.2 LTS
          ActiveDirectory plugin 2.4
          Chrome browser ver 57.0.2987.133
          mayestril Mayestril made changes -
          Resolution Fixed [ 1 ]
          Status Resolved [ 5 ] Reopened [ 4 ]
          fabriziocucci Fabrizio Cucci made changes -
          Priority Minor [ 4 ] Major [ 3 ]
          fabriziocucci Fabrizio Cucci made changes -
          Comment [ Unfortunately, it happened to me as well and, in my opinion, the severity of this issue should be raised. It can't be acceptable to be locked out only for having auto-fill enabled in the browser.

          Jenkins 2.46.2

          Chrome 58.0.3029.110

          LDAP Plugin 1.15 ]
          fabriziocucci Fabrizio Cucci made changes -
          Priority Major [ 3 ] Minor [ 4 ]

          alx Alexander Link added a comment -

          We are also experiencing the same issue. Since we provide Jenkins as a Service for many teams in our company this is quite painful, since our stakeholders lock themselves out this way and we have to manually adjust the config.xml and restart every time.

          Wouldn't it be possible to validate the input and fail with an error instead of saving the data? This way at least it shouldn't be possible to lock yourself out.

          Jenkins 2.46.2
          AD plugin 2.4
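The recovery step the reporter and the comment above both describe (editing config.xml by hand to drop the erroneous bind identity, then restarting Jenkins) is easy to script so that an operator can audit the file before restarting. The following is an added example, not code from the Jenkins project or from this issue's pull request. The config.xml fragment in SAMPLE_CONFIG is constructed for illustration; the element names bindName and bindPassword are the ones named in the issue, but the exact nesting the Active Directory plugin writes varies by version, so the script matches those tags at any depth under securityRealm rather than assuming a fixed layout.

```python
"""Audit a Jenkins config.xml for an unexpected LDAP/AD bind identity.

Added example (not part of the Jenkins project or this issue's fix). It
mirrors the manual recovery described in JENKINS-29280: find a <bindName>
that was silently filled in by the browser, report it, and optionally
remove it so the instance can be restarted into a working state.
"""
import sys
import xml.etree.ElementTree as ET

# Tags searched for under <securityRealm>. The nesting used by the Active
# Directory plugin differs between versions, so matching is by tag name at
# any depth (an assumption about the file, not a guarantee of its schema).
BIND_TAGS = ("bindName", "bindPassword")

# Constructed sample config.xml (not from a real server): the security realm
# after Chrome autofilled the hidden "Bind DN" field with the admin's login.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <version>2.46.1</version>
  <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm">
    <domain>example.local</domain>
    <bindName>alice</bindName>
    <bindPassword>hunter2</bindPassword>
  </securityRealm>
</hudson>
"""


def find_bind_identity(xml_text):
    """Return [(tag, value)] for every non-empty bind element under securityRealm."""
    realm = ET.fromstring(xml_text).find("securityRealm")
    if realm is None:
        return []
    return [(e.tag, e.text.strip()) for e in realm.iter()
            if e.tag in BIND_TAGS and (e.text or "").strip()]


def looks_like_autofill(findings, interactive_users):
    """Flag a bindName equal to an interactive login rather than a service account."""
    users = {u.lower() for u in interactive_users}
    return [(tag, val) for tag, val in findings
            if tag == "bindName" and val.lower() in users]


def strip_bind_identity(xml_text):
    """Return (cleaned_xml, removed_tags) with bind elements removed from securityRealm."""
    root = ET.fromstring(xml_text)
    realm = root.find("securityRealm")
    removed = []
    if realm is not None:
        # ElementTree has no parent pointers, so build a child -> parent map first.
        parent_of = {child: parent for parent in realm.iter() for child in parent}
        for elem in list(realm.iter()):
            if elem.tag in BIND_TAGS:
                parent_of[elem].remove(elem)
                removed.append(elem.tag)
    # tostring() omits the XML declaration; the caller re-adds it when writing.
    return ET.tostring(root, encoding="unicode"), removed


def main(argv):
    if len(argv) < 2:
        print("usage: audit_bind.py /path/to/config.xml [--fix] [interactive-user ...]")
        return 2
    path, fix = argv[1], "--fix" in argv[2:]
    users = [a for a in argv[2:] if a != "--fix"]
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    findings = find_bind_identity(text)
    for tag, val in findings:
        print(f"{tag}: {'<redacted>' if tag == 'bindPassword' else val}")
    for tag, val in looks_like_autofill(findings, users):
        print(f"WARNING: {tag}={val} matches an interactive user; likely browser autofill")
    if fix and findings:
        cleaned, removed = strip_bind_identity(text)
        with open(path + ".bak", "w", encoding="utf-8") as fh:
            fh.write(text)  # keep the original so the change can be reverted
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("<?xml version='1.0' encoding='UTF-8'?>\n" + cleaned)
        print("removed:", ", ".join(removed), "(backup written; restart Jenkins to reload)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it read-only first (`audit_bind.py /var/lib/jenkins/config.xml alice bob`, passing the names of people who administer the instance) and only add `--fix` once the reported bindName is confirmed to be a person's login rather than the intended service account; Jenkins reads config.xml at startup, so the edit takes effect on the restart the issue already calls for. On the prevention side, the HTML attribute that governs this behaviour is `autocomplete`, and Chrome has historically disregarded `autocomplete="off"` on credential-shaped inputs, which is why the comments below propose a non-standard value and server-side validation as a belt-and-braces defence.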

          tsniatowski Tomasz Śniatowski added a comment -

          The necessary fix is probably as easy as setting autofill="nope" instead of autofill="off", which Chrome ignores. This bug can lock people out of Jenkins installations; I think it should be worked around in Jenkins instead of waiting for Chrome to fix their autofill, which doesn't seem to be happening any time soon (see https://bugs.chromium.org/p/chromium/issues/detail?id=132135).
          byagan Bahadir Yagan added a comment -

          Same thing happens on the HTTP Proxy Configuration page too.

          elauphe Laura Phelan made changes -
          Environment
          Original Value:
          Jenkins 1.580 on CentOS
          ActiveDirectory plugin 1.39
          Chrome browser ver 43.0.235
          New Value:
          Jenkins 1.580 on CentOS
          ActiveDirectory plugin 1.39
          Chrome browser ver 43.0.235

          Jenkins 2.46.1 on Ubuntu 16.04.2 LTS
          ActiveDirectory plugin 2.4
          Chrome browser ver 57.0.2987.133

          elauphe Laura Phelan made changes -
          Environment
          Original Value:
          Jenkins 1.580 on CentOS
          ActiveDirectory plugin 1.39
          Chrome browser ver 43.0.235

          Jenkins 2.46.1 on Ubuntu 16.04.2 LTS
          ActiveDirectory plugin 2.4
          Chrome browser ver 57.0.2987.133
          New Value:
          Jenkins 1.580 on CentOS
          ActiveDirectory plugin 1.39
          Chrome browser ver 43.0.235

          Jenkins 2.46.1 on Ubuntu 16.04.2 LTS
          ActiveDirectory plugin 2.4
          Chrome browser ver 57.0.2987.133

          Jenkins 2.46.2
          AD plugin 2.4

          People

            Assignee: Unassigned
            Reporter: taherkf Taher K F
            Votes: 13
            Watchers: 17