[JENKINS-34254] Shutdown of jenkins via the /exit URL doesn't work in 2.0 b/c of 403

      1) Start jenkins from WAR, giving a JENKINS_HOME directory
      2) Install initial plugins and create an admin user (probably not needed), then restart and log in
      3) Try to exit jenkins the "right" way by visiting http://localhost:8080/exit
      4) Click the "try POST" button
      5) See attached 403 error message:


          Daniel Beck added a comment -

          Yes. CSRF protection breaks the 'Use POST' workaround. Looks like it needs to have a GET based UI, like /restart and /safeRestart have.

          /safeExit is also affected. I never understood this inconsistency, it's time we clean it up.

          Not a 2.0 specific thing, it's just that we default the CSRF option to on in 2.0.


          Keith Zantow added a comment -

          danielbeck I don't think this is critical for 2.0, but the change in the PR is pretty isolated and could fairly easily be cherry-picked, if needed.


          Daniel Beck added a comment -

          Not a regression in 2.0, and I don't expect this is an often used feature. Therefore 2.1+ should be good enough.


          Oleg Nenashev added a comment -

          Or maybe 2.51


          Brian Wilson added a comment -

          I use this all the time with start/stop scripts. This really should not have been allowed to slip through the cracks and needs to be fixed asap.


          Jesse Glick added a comment -

          Scripts need merely send a POST request. Or you can use the CLI.


          Daniel Beck added a comment - edited

          jglick Well, there's a difference between RequirePOST and POST in that the former offers a workaround to enable interactive use, but it's clearly broken.


          Jesse Glick added a comment -

          Not disagreeing, just responding to wilson_ds_net’s comment, which was about scripts rather than interactive use if I understand it correctly.


          Alon Bar-Lev added a comment -

          Please fix, it is the only way to restart jenkins if running under systemd.


          Daniel Beck added a comment -

          Not sure whether this qualifies as lts-candidate given the age, but it's annoying and might get some users to choose insecurity over inconvenience.

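The scripted path the comments above point to (a POST carrying a CSRF crumb, rather than the GET workaround or turning CSRF protection off), as an added example that is not part of this issue or of the Jenkins code base; JENKINS_URL, JENKINS_USER, JENKINS_TOKEN and the sample JSON body are assumptions.

```shell
#!/bin/sh
# Added example, not code from the issue or the Jenkins project: stop or
# restart Jenkins from a start/stop script by sending a POST that carries a
# CSRF crumb, rather than switching CSRF protection off.
#
# Assumed environment (set by the caller): JENKINS_URL, JENKINS_USER and
# JENKINS_TOKEN (an API token or password). Needs curl and sed.

# Turn the JSON body of GET /crumbIssuer/api/json into a "Field: value"
# header line. Only the two keys Jenkins returns are read, so jq is not needed.
crumb_header_from_json() {
    field=$(printf '%s' "$1" | sed -n 's/.*"crumbRequestField":"\([^"]*\)".*/\1/p')
    crumb=$(printf '%s' "$1" | sed -n 's/.*"crumb":"\([^"]*\)".*/\1/p')
    [ -n "$field" ] && [ -n "$crumb" ] || return 1
    printf '%s: %s\n' "$field" "$crumb"
}

# POST to /safeExit, /exit, /safeRestart or /restart with a fresh crumb.
# The cookie jar matters on Jenkins 2.176.2 and later, where a crumb is only
# accepted from the web session that issued it. Prints the HTTP status code.
jenkins_post() {
    endpoint=$1
    jar=$(mktemp) || return 1
    trap 'rm -f "$jar"' EXIT
    json=$(curl -sS -f -u "$JENKINS_USER:$JENKINS_TOKEN" -c "$jar" \
        "$JENKINS_URL/crumbIssuer/api/json") || return 1
    header=$(crumb_header_from_json "$json") || return 1
    curl -sS -u "$JENKINS_USER:$JENKINS_TOKEN" -b "$jar" -X POST \
        -H "$header" -o /dev/null -w '%{http_code}\n' "$JENKINS_URL$endpoint"
}

# Constructed sample crumb response (not captured from a real server), used
# when no JENKINS_URL is set so the parsing step can be exercised offline.
SAMPLE_JSON='{"_class":"hudson.security.csrf.DefaultCrumbIssuer","crumb":"0123456789abcdef","crumbRequestField":"Jenkins-Crumb"}'

if [ -n "${JENKINS_URL:-}" ]; then
    jenkins_post "${1:-/safeExit}"
else
    crumb_header_from_json "$SAMPLE_JSON"
fi
```

With a systemd unit this replaces a GET to /exit in ExecStop; current Jenkins releases also accept API-token requests without a crumb, but sending the crumb works on every version that has the crumb issuer.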

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/pom.xml
          core/src/main/java/hudson/security/csrf/CrumbFilter.java
          core/src/main/resources/hudson/security/csrf/CrumbFilter/retry.jelly
          core/src/main/resources/hudson/security/csrf/CrumbFilter/retry.properties
          http://jenkins-ci.org/commit/jenkins/e20b0496149669f3a0f05cabd1a06eb3a469e935
          Log:
          JENKINS-34254 Fix RequirePOST form


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/resources/hudson/security/csrf/CrumbFilter/retry.jelly
          http://jenkins-ci.org/commit/jenkins/b27bb928a28ee578122eb4b076c8a3d8d68d878c
          Log:
          JENKINS-34254 Set HTTP status code for view


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/java/hudson/security/csrf/CrumbFilter.java
          http://jenkins-ci.org/commit/jenkins/2f45a2332b96a133ef269e2b621617016c98fdfa
          Log:
          JENKINS-34254 Adapt to upstream change using ServiceLoader


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/pom.xml
          http://jenkins-ci.org/commit/jenkins/3c695a3ed6836abce19c0c71eeca418f0fe9fd66
          Log:
          JENKINS-34254 Use released Stapler 1.254


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/resources/hudson/security/csrf/CrumbFilter/retry.jelly
          test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerTest.java
          http://jenkins-ci.org/commit/jenkins/f0efdbab087ea26342a034da198d055bd7141b8a
          Log:
          JENKINS-34254 Add test


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/pom.xml
          core/src/main/java/hudson/security/csrf/CrumbFilter.java
          core/src/main/resources/hudson/security/csrf/CrumbFilter/retry.jelly
          core/src/main/resources/hudson/security/csrf/CrumbFilter/retry.properties
          test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerTest.java
          http://jenkins-ci.org/commit/jenkins/76c9f8beacc681663571c925b5ee090222407e34
          Log:
          Merge pull request #3187 from daniel-beck/JENKINS-34254-v2

          JENKINS-34254 Fix RequirePOST form

          Compare: https://github.com/jenkinsci/jenkins/compare/814d202716a6...76c9f8beacc6


          Daniel Beck added a comment -

          Fixed towards 2.96.


          Oliver Gondža added a comment -

          Given how long it was broken, there is no rush in expediting this into LTS. Will not be in .3.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/pom.xml
          core/src/main/java/hudson/security/csrf/CrumbFilter.java
          core/src/main/resources/hudson/security/csrf/CrumbFilter/retry.jelly
          core/src/main/resources/hudson/security/csrf/CrumbFilter/retry.properties
          test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerTest.java
          http://jenkins-ci.org/commit/jenkins/bed6ccd71921c9321919f7a042864dbbbf63243a
          Log:
          Merge pull request #3187 from daniel-beck/JENKINS-34254-v2

          JENKINS-34254 Fix RequirePOST form

          (cherry picked from commit 76c9f8beacc681663571c925b5ee090222407e34)

          Compare: https://github.com/jenkinsci/jenkins/compare/2904044e5105...bed6ccd71921


            danielbeck Daniel Beck
            svanoort Sam Van Oort