-
Bug
-
Resolution: Fixed
-
Minor
-
Operating System
-bash-4.1$ cat /etc/oracle-release && uname -a
Oracle Linux Server release 6.5
Linux dsdsesvcai101v 3.8.13-68.2.2.el6uek.x86_64 #2 SMP Tue May 12 15:10:51 PDT 2015 x86_64 x86_64 x86_64 GNU/Linux
Java
-bash-4.1$ /etc/alternatives/java -version
java version "1.8.0_40"
Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
Java HotSpot(TM) 64-Bit Server VM (build 25.40-b25, mixed mode)
Jenkins & Plugins
System Properties
Name ↓
Value
awt.toolkit sun.awt.X11.XToolkit
executable-war /usr/lib/jenkins/jenkins.war
file.encoding UTF-8
file.encoding.pkg sun.io
file.separator /
hudson.diyChunking true
hudson.DNSMultiCast.disabled true
java.awt.graphicsenv sun.awt.X11GraphicsEnvironment
java.awt.headless true
java.awt.printerjob sun.print.PSPrinterJob
java.class.path /usr/lib/jenkins/jenkins.war
java.class.version 52.0
java.endorsed.dirs /usr/java/jdk1.8.0_40/jre/lib/endorsed
java.ext.dirs /usr/java/jdk1.8.0_40/jre/lib/ext:/usr/java/packages/lib/ext
java.home /usr/java/jdk1.8.0_40/jre
java.io.tmpdir /tmp
java.library.path /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
java.runtime.name Java(TM) SE Runtime Environment
java.runtime.version 1.8.0_40-b26
java.specification.name Java Platform API Specification
java.specification.vendor Oracle Corporation
java.specification.version 1.8
java.vendor Oracle Corporation
java.vendor.url http://java.oracle.com/
java.vendor.url.bug http://bugreport.sun.com/bugreport/
java.version 1.8.0_40
java.vm.info mixed mode
java.vm.name Java HotSpot(TM) 64-Bit Server VM
java.vm.specification.name Java Virtual Machine Specification
java.vm.specification.vendor Oracle Corporation
java.vm.specification.version 1.8
java.vm.vendor Oracle Corporation
java.vm.version 25.40-b25
JENKINS_HOME /apps/jenkins
jna.platform.library.path /usr/lib64:/lib64:/usr/lib:/lib
jnidispatch.path /tmp/jna--1712433994/jna6000391753915357396.tmp
line.separator
mail.smtp.sendpartial true
mail.smtps.sendpartial true
os.arch amd64
os.name Linux
os.version 3.8.13-68.2.2.el6uek.x86_64
path.separator :
sun.arch.data.model 64
sun.boot.class.path /usr/java/jdk1.8.0_40/jre/lib/resources.jar:/usr/java/jdk1.8.0_40/jre/lib/rt.jar:/usr/java/jdk1.8.0_40/jre/lib/sunrsasign.jar:/usr/java/jdk1.8.0_40/jre/lib/jsse.jar:/usr/java/jdk1.8.0_40/jre/lib/jce.jar:/usr/java/jdk1.8.0_40/jre/lib/charsets.jar:/usr/java/jdk1.8.0_40/jre/lib/jfr.jar:/usr/java/jdk1.8.0_40/jre/classes
sun.boot.library.path /usr/java/jdk1.8.0_40/jre/lib/amd64
sun.cpu.endian little
sun.cpu.isalist
sun.font.fontmanager sun.awt.X11FontManager
sun.io.unicode.encoding UnicodeLittle
sun.java.command /usr/lib/jenkins/jenkins.war --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war --httpPort=8080 --ajp13Port=8009 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20
sun.java.launcher SUN_STANDARD
sun.jnu.encoding UTF-8
sun.management.compiler HotSpot 64-Bit Tiered Compilers
sun.os.patch.level unknown
user.country US
user.dir /
user.home /var/lib/jenkins
user.language en
user.name jenkins
user.timezone America/Chicago
Environment Variables
Name ↓
Value
_ /etc/alternatives/java
HOME /var/lib/jenkins
LANG en_US.UTF-8
LOGNAME jenkins
NLSPATH /usr/dt/lib/nls/msg/%L/%N.cat
PATH /sbin:/usr/sbin:/bin:/usr/bin
PWD /
SHELL /bin/bash
SHLVL 2
TERM xterm-256color
USER jenkins
XFILESEARCHPATH /usr/dt/app-defaults/%L/Dt
Plugins
Name ↓
Version
Enabled
Pinned
ant 1.2 true false
antisamy-markup-formatter 1.3 true true
cloudbees-folder 4.10 true false
credentials 1.24 true true
credentials-binding 1.6 true false
cvs 2.12 false true
external-monitor-job 1.4 true false
git 2.4.0 true false
git-client 1.19.0 true false
javadoc 1.3 true true
junit 1.9 true true
ldap 1.11 true false
mailer 1.15 true true
matrix-auth 1.2 true true
matrix-project 1.6 true true
maven-plugin 2.12.1 true true
metrics 3.1.2 true false
pam-auth 1.2 true true
plain-credentials 1.1 true false
reverse-proxy-auth-plugin 1.4.0 true false
saml 0.4 false false
scm-api 0.2 true false
script-security 1.15 true true
shiningpanda 0.22 true false
ssh-agent 1.8 true false
ssh-credentials 1.11 true true
ssh-slaves 1.10 true true
suppress-stack-trace 1.4 true false
translation 1.12 false true
windows-slaves 1.1 false true
workflow-step-api 1.10.1 true false
Jenkins running directly (no container)
Jenkins accessed via reverse proxy
Access Control: HTTP Header by reverse proxyOperating System -bash-4.1$ cat /etc/oracle-release && uname -a Oracle Linux Server release 6.5 Linux dsdsesvcai101v 3.8.13-68.2.2.el6uek.x86_64 #2 SMP Tue May 12 15:10:51 PDT 2015 x86_64 x86_64 x86_64 GNU/Linux Java -bash-4.1$ /etc/alternatives/java -version java version "1.8.0_40" Java(TM) SE Runtime Environment (build 1.8.0_40-b26) Java HotSpot(TM) 64-Bit Server VM (build 25.40-b25, mixed mode) Jenkins & Plugins System Properties Name ↓ Value awt.toolkit sun.awt.X11.XToolkit executable-war /usr/lib/jenkins/jenkins.war file.encoding UTF-8 file.encoding.pkg sun.io file.separator / hudson.diyChunking true hudson.DNSMultiCast.disabled true java.awt.graphicsenv sun.awt.X11GraphicsEnvironment java.awt.headless true java.awt.printerjob sun.print.PSPrinterJob java.class.path /usr/lib/jenkins/jenkins.war java.class.version 52.0 java.endorsed.dirs /usr/java/jdk1.8.0_40/jre/lib/endorsed java.ext.dirs /usr/java/jdk1.8.0_40/jre/lib/ext:/usr/java/packages/lib/ext java.home /usr/java/jdk1.8.0_40/jre java.io.tmpdir /tmp java.library.path /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib java.runtime.name Java(TM) SE Runtime Environment java.runtime.version 1.8.0_40-b26 java.specification.name Java Platform API Specification java.specification.vendor Oracle Corporation java.specification.version 1.8 java.vendor Oracle Corporation java.vendor.url http://java.oracle.com/ java.vendor.url.bug http://bugreport.sun.com/bugreport/ java.version 1.8.0_40 java.vm.info mixed mode java.vm.name Java HotSpot(TM) 64-Bit Server VM java.vm.specification.name Java Virtual Machine Specification java.vm.specification.vendor Oracle Corporation java.vm.specification.version 1.8 java.vm.vendor Oracle Corporation java.vm.version 25.40-b25 JENKINS_HOME /apps/jenkins jna.platform.library.path /usr/lib64:/lib64:/usr/lib:/lib jnidispatch.path /tmp/jna--1712433994/jna6000391753915357396.tmp line.separator mail.smtp.sendpartial true mail.smtps.sendpartial true os.arch amd64 os.name Linux os.version 3.8.13-68.2.2.el6uek.x86_64 path.separator : sun.arch.data.model 64 sun.boot.class.path /usr/java/jdk1.8.0_40/jre/lib/resources.jar:/usr/java/jdk1.8.0_40/jre/lib/rt.jar:/usr/java/jdk1.8.0_40/jre/lib/sunrsasign.jar:/usr/java/jdk1.8.0_40/jre/lib/jsse.jar:/usr/java/jdk1.8.0_40/jre/lib/jce.jar:/usr/java/jdk1.8.0_40/jre/lib/charsets.jar:/usr/java/jdk1.8.0_40/jre/lib/jfr.jar:/usr/java/jdk1.8.0_40/jre/classes sun.boot.library.path /usr/java/jdk1.8.0_40/jre/lib/amd64 sun.cpu.endian little sun.cpu.isalist sun.font.fontmanager sun.awt.X11FontManager sun.io.unicode.encoding UnicodeLittle sun.java.command /usr/lib/jenkins/jenkins.war --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war --httpPort=8080 --ajp13Port=8009 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20 sun.java.launcher SUN_STANDARD sun.jnu.encoding UTF-8 sun.management.compiler HotSpot 64-Bit Tiered Compilers sun.os.patch.level unknown user.country US user.dir / user.home /var/lib/jenkins user.language en user.name jenkins user.timezone America/Chicago Environment Variables Name ↓ Value _ /etc/alternatives/java HOME /var/lib/jenkins LANG en_US.UTF-8 LOGNAME jenkins NLSPATH /usr/dt/lib/nls/msg/%L/%N.cat PATH /sbin:/usr/sbin:/bin:/usr/bin PWD / SHELL /bin/bash SHLVL 2 TERM xterm-256color USER jenkins XFILESEARCHPATH /usr/dt/app-defaults/%L/Dt Plugins Name ↓ Version Enabled Pinned ant 1.2 true false antisamy-markup-formatter 1.3 true true cloudbees-folder 4.10 true false credentials 1.24 true true credentials-binding 1.6 true false cvs 2.12 false true external-monitor-job 1.4 true false git 2.4.0 true false git-client 1.19.0 true false javadoc 1.3 true true junit 1.9 true true ldap 1.11 true false mailer 1.15 true true matrix-auth 1.2 true true matrix-project 1.6 true true maven-plugin 2.12.1 true true metrics 3.1.2 true false pam-auth 1.2 true true plain-credentials 1.1 true false reverse-proxy-auth-plugin 1.4.0 true false saml 0.4 false false scm-api 0.2 true false script-security 1.15 true true shiningpanda 0.22 true false ssh-agent 1.8 true false ssh-credentials 1.11 true true ssh-slaves 1.10 true true suppress-stack-trace 1.4 true false translation 1.12 false true windows-slaves 1.1 false true workflow-step-api 1.10.1 true false Jenkins running directly (no container) Jenkins accessed via reverse proxy Access Control: HTTP Header by reverse proxy
With "safe html" enabled for user text entry, a form with an external action URI is scrubbed. However, is it possible to write a form having a protocol-relative action URI that could be used to leak sensitive data to an external service.
For example, this HTML is scrubbed correctly with the form action removed:
<form action="https://malicious.com">
<input type="submit">
</form>
The form action in this example is not scrubbed and it is possible for a user to create a form that directs to an external site:
<form action="//malicious.com">
<input type="submit">
</form>
- links to
[JENKINS-31616] "Safe HTML" vulnerable to protocol-relative form action
Josh Cook
created issue -
| Component/s | New: antisamy-markup-formatter-plugin [ 18424 ] | |
| Component/s | Original: security [ 15508 ] | |
| Priority | Original: Critical [ 2 ] | New: Minor [ 4 ] |
| Assignee | New: Daniel Beck [ danielbeck ] |
| Status | Original: Open [ 1 ] | New: In Progress [ 3 ] |
| Remote Link | New: This issue links to "PR 4 (Web Link)" [ 13700 ] |
| Resolution | New: Fixed [ 1 ] | |
| Status | Original: In Progress [ 3 ] | New: Resolved [ 5 ] |
| Workflow | Original: JNJira [ 167048 ] | New: JNJira + In-Review [ 198104 ] |
| Remote Link | New: This issue links to "CloudBees Internal OSS-769 (Web Link)" [ 18833 ] |