The /securityRealm/firstUser is accessible and allows creating an account while the setup wizard is active, but nobody has logged in so far.

      Also, really weird UI brokenness since / is still the setup wizard.

          [JENKINS-33770] Setup wizard login trivial to circumvent

          Keith Zantow added a comment - - edited

          You're still required to enter a security token, yes?

          After entering the security token, you're logged in as an admin user. Navigating away is something we're not restricting, really (recall, it was... until the approach was changed significantly after the initial implementation).

          Daniel Beck added a comment -

          You're still required to enter a security token, yes?

          No.

          In fact, I discovered this because some weird forward brought me right from "Jenkins is loading" to that page. Unfortunately I haven't been able to reproduce it since.

          gus reiber added a comment -

          I am reproducing this bug testing 33828. Possibly you have a fix on a different branch, but if not, I can repro easily on the 33828 branch.

          Keith Zantow added a comment -

          gusreiber I have different branches for each of these tickets, the fix for this is on branch: JENKINS-33770-security-token-not-always-required

          Daniel Beck added a comment -

          gusreiber Please also note that the form is always available, the critical bit is whether a submission works.

          James Nord added a comment - - edited

          All URLs appear to be by-passable (after entering the password).

          For example I can very easily create a new job at view/All/newJob (only a FreeStyle project but still....)

          • you should intercept all URLs as the setup wizard until that is completed or dismissed IMO.

          James Nord added a comment -

          FWIW reproduced creating a user without entering a password on 2.0-beta-1

          Keith Zantow added a comment -

          teilo right, the fix hasn't been merged in beta-1, still only in the PR. I had originally forced the setup wizard for all URLs, but there was opposition to that approach. I don't really want to implement it again only to have to undo it again. If a user has verified access to Jenkins, and intentionally navigates away from the setup wizard, I don't really see that as a severe problem.

          Daniel Beck added a comment -

          Yep – First approach had a different Stapler root object (no Jenkins), but that quickly became a mess as Jenkins was needed e.g. for integrating the security configuration into the initial setup.

          The comment thread on this starts around https://github.com/jenkinsci/jenkins/pull/2042#issuecomment-191396954 in the initial PR.

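          To make the thread's point concrete (the form may always render, it is the submission that must be gated, and every other URL is intercepted until the wizard is completed or dismissed), here is an added Python model of such a request gate. It is constructed for this page and is not Jenkins's code; the wizard and asset paths and the `Server`/`Session` names are assumptions.

```python
"""Constructed model of a setup-wizard request gate (not Jenkins code).
While the wizard is active: the first-user form may render, only a session
that has verified the setup token may submit it, and all other URLs are
redirected to the wizard. Path names other than the firstUser one are assumed."""
import hmac
from dataclasses import dataclass
from typing import Tuple

FIRST_USER_PATH = "/securityRealm/firstUser"            # path named in the issue
WIZARD_PATH = "/setupWizard"                             # assumed wizard root
ALWAYS_ALLOWED = (WIZARD_PATH, "/static/", "/adjuncts/")  # assumed wizard assets


@dataclass
class Session:
    token_verified: bool = False   # set only after a correct setup token


@dataclass
class Server:
    setup_token: str               # the generated initial admin password
    wizard_active: bool = True     # cleared when the wizard completes or is dismissed

    def authenticate_token(self, session: Session, submitted: str) -> bool:
        """Constant-time compare; a match marks the session as verified."""
        if self.wizard_active and hmac.compare_digest(
                submitted.encode(), self.setup_token.encode()):
            session.token_verified = True
        return session.token_verified

    def gate(self, method: str, path: str, session: Session) -> Tuple[int, str]:
        """Decide a request: (status, action). After the wizard is finished
        everything passes through to the normal authorization layer."""
        if not self.wizard_active:
            return 200, "pass-through"
        if path == FIRST_USER_PATH:
            if method == "GET":
                return 200, "render form"                 # showing the form is harmless
            if not session.token_verified:
                return 403, "setup token not verified"    # the check the bug lacked
            return 200, "first user created"
        if path.startswith(ALWAYS_ALLOWED):
            return 200, "wizard resource"
        # Anything else (e.g. view/All/newJob) is intercepted until the wizard is done.
        return 302, WIZARD_PATH
```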
          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: kzantow
          Path:
          core/src/main/java/jenkins/install/SetupWizard.java
          http://jenkins-ci.org/commit/jenkins/2968285d9a2158747bfc5fc2c93b8217bfff7702
          Log:
          JENKINS-33770 - not all paths restricted during SetupWizard

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: kzantow
          Path:
          core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
          core/src/main/java/jenkins/install/SetupWizard.java
          core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/setupWizardFirstUser.jelly
          core/src/main/resources/jenkins/install/SetupWizard/setupWizardFirstUser.jelly
          war/src/main/js/api/securityConfig.js
          war/src/main/js/templates/firstUserPanel.hbs
          http://jenkins-ci.org/commit/jenkins/3cf8de04a9fae00dabcec4c3888903afda4336df
          Log:
          JENKINS-33770 - fix issue directly submitting firstUser page

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: kzantow
          Path:
          .mvn/jvm.config
          changelog.html
          core/pom.xml
          core/src/main/java/hudson/ExtensionFinder.java
          core/src/main/java/hudson/init/impl/InstallUncaughtExceptionHandler.java
          core/src/main/java/hudson/model/Fingerprint.java
          core/src/main/java/hudson/model/ItemGroupMixIn.java
          core/src/main/java/hudson/model/View.java
          core/src/main/java/hudson/model/ViewDescriptor.java
          core/src/main/java/jenkins/install/InstallUtil.java
          core/src/main/java/jenkins/install/SetupWizard.java
          core/src/main/java/jenkins/model/Jenkins.java
          core/src/main/resources/hudson/model/AllView/noJob.jelly
          core/src/main/resources/hudson/tools/label.jelly
          core/src/main/resources/jenkins/install/SetupWizard/authenticate-security-token.jelly
          core/src/main/resources/jenkins/install/UpgradeWizard/footer.jelly
          core/src/main/resources/jenkins/install/UpgradeWizard/footer.properties
          core/src/main/resources/jenkins/install/pluginSetupWizard.properties
          core/src/main/resources/lib/form/repeatableDeleteButton.jelly
          core/src/main/resources/lib/hudson/ballColorTd.jelly
          core/src/main/resources/lib/layout/html.jelly
          test/src/test/java/hudson/jobs/CreateItemTest.java
          test/src/test/java/hudson/model/ViewDescriptorTest.java
          test/src/test/java/hudson/model/ViewTest.java
          war/src/main/js/api/pluginManager.js
          war/src/main/js/pluginSetupWizardGui.js
          war/src/main/js/templates/errorPanel.hbs
          war/src/main/less/pluginSetupWizard.less
          war/src/main/webapp/css/style.css
          http://jenkins-ci.org/commit/jenkins/f06ee0fef4632c7f0994f8d5ebee086240348e80
          Log:
          Merge remote-tracking branch 'primary/2.0' into JENKINS-33770-security-token-not-always-required

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
          core/src/main/java/jenkins/install/SetupWizard.java
          core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/setupWizardFirstUser.jelly
          core/src/main/resources/jenkins/install/SetupWizard/setupWizardFirstUser.jelly
          war/src/main/js/api/securityConfig.js
          war/src/main/js/templates/firstUserPanel.hbs
          http://jenkins-ci.org/commit/jenkins/360cfcdcc87f8f10c9041e3fedfbee522fc035ed
          Log:
          Merge pull request #2170 from kzantow/JENKINS-33770-security-token-not-always-required

          [FIX JENKINS-33770] Prevent unauthenticated user registration

          Compare: https://github.com/jenkinsci/jenkins/compare/a9f12093debe...360cfcdcc87f

            kzantow Keith Zantow
            danielbeck Daniel Beck