  1. Jenkins
  2. JENKINS-33304

LegacySecurityRealm does not handle "special" characters in usernames



    • Bug
    • Resolution: Duplicate
    • Minor
    • core
    • None


      Depending on your environment, Jenkins could be passed usernames such as EXAMPLE\joe if the underlying container is doing SSO in a Windows domain.

      This causes several things not to work correctly.

      The link in the top right goes to a user that is not the logged-in user (example_joe vs example\joe).
      My Views does not work correctly, similar to above.

      Jenkins will store the user's config.xml as ${JENKINS_HOME}\users\example\joe, which seems like an accident waiting to happen.

      There are several other things where this is not quite right.

      Rather than trying to chase down everything that doesn't work, the LegacySecurityRealm should sanitize the passed-in username to make sure it is actually safe to use first.

      Steps to reproduce:

      1. Install Tomcat 8 on a machine connected to a Windows domain.
      2. Install Jenkins in the root of Tomcat.
      3. Install Waffle:
        1. Download Waffle 1.7
        2. Unpack waffle-distro-1.7.4-distro.zip to a temporary location
        3. Copy the following files to ${TOMCAT_INSTALL_DIR}\lib
          1. guava-18.0.jar
          2. jna-4.2.1.jar
          3. jna-platform-4.2.1.jar
          4. slf4j-api-1.7.12.jar
          5. waffle-jna-1.7.5.jar
          6. waffle-tomcat8-1.7.5.jar
        4. Create ${TOMCAT_INSTALL_DIR}\conf\Catalina\localhost\ROOT.xml with the following content:
          <?xml version='1.0' encoding='utf-8'?>
          <Context>
              <Valve className="waffle.apache.NegotiateAuthenticator" principalFormat="fqn" roleFormat="both" />
              <Realm className="waffle.apache.WindowsRealm" />
          </Context>
      4. Start Jenkins.
      5. Log in to Jenkins and try to create things like views, etc.

      Expected results

      It all works.

      Actual results

      You get a mix of things that work, don't quite work, and just plain blow up in your face with 404 errors etc.
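
An added illustration (not Jenkins code and not part of the original report) of the user-directory problem described above, next to the kind of username sanitization the report asks for. `USERS_DIR`, `safe_user_id` and the `$xxxxxx` escape scheme are assumptions made for this example; `PureWindowsPath` is used so the Windows path rules apply on any host.

```python
import re
from pathlib import PureWindowsPath

# Constructed stand-in for ${JENKINS_HOME}\users on a Windows host.
USERS_DIR = PureWindowsPath(r"C:\jenkins_home\users")
# Device names Windows refuses to treat as ordinary file names.
RESERVED = {"con", "prn", "aux", "nul"} | {f"{p}{n}" for p in ("com", "lpt") for n in range(1, 10)}


def naive_user_dir(username: str) -> PureWindowsPath:
    """The reported behaviour: the raw principal becomes part of the path."""
    return USERS_DIR / username


def _escape(ch: str) -> str:
    # Fixed width (6 hex digits covers all of Unicode) keeps the encoding unambiguous.
    return f"${ord(ch):06x}"


def safe_user_id(username: str) -> str:
    """Hypothetical scheme: lowercase, then escape every character outside
    [a-z0-9_-], so names that differ by more than case never share an id."""
    if not username:
        raise ValueError("empty username")
    name = username.lower()  # assumption: domain account names are case-insensitive
    out = re.sub(r"[^a-z0-9_-]", lambda m: _escape(m.group()), name)
    if out in RESERVED:  # e.g. an account literally named "con"
        out = _escape(out[0]) + out[1:]
    return out


def safe_user_dir(username: str) -> PureWindowsPath:
    path = USERS_DIR / safe_user_id(username)
    # Containment check: the result must be a direct child of USERS_DIR.
    if path.parent != USERS_DIR:
        raise ValueError(f"unsafe user directory for {username!r}")
    return path


if __name__ == "__main__":
    # Constructed sample principals, including the two names from the report.
    for principal in (r"EXAMPLE\joe", "example_joe", r"..\..\secrets", "con"):
        print(f"{principal!r:20} naive={naive_user_dir(principal)}  safe={safe_user_dir(principal)}")
```

Replacing `\` with `_` instead of escaping it would make `example\joe` and an existing `example_joe` account resolve to the same identifier, which is why the sketch uses an escape that keeps them distinct.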


              Unassigned Unassigned
              teilo James Nord