Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-34350

CSRF protection breaks POST to notifyCommit URL (GET is OK)

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Minor
    • Resolution: Fixed
    • git-plugin
    • None
    • Jenkins LTS 1.651.1

    Description

      CSRF breaks general commit hook actions, not just for Plugins. Since Kohsuke added the http://jenkins/git/notifyCommit?url= action to trigger a polling event, this kind of action is used generically outside of Github Plugin, e.g. projects using something other than Github. In my case, Gitlab, which has push hooks to generically trigger remote URLs.

      CSRF should have an exclusion for /git/notifyCommit

      See http://kohsuke.org/2011/12/01/polling-must-die-triggering-jenkins-builds-from-a-git-hook/
      See JENKINS-20140
      See JENKINS-10263

      Attachments

        Activity

          People

            Unassigned Unassigned
            jieryn jieryn
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: