Details
-
Type:
Bug
-
Status: Resolved (View Workflow)
-
Priority:
Blocker
-
Resolution: Fixed
-
Component/s: release-plugin
-
Labels:
-
Environment:1.651.2+ and Jenkins 2.3+
-
Similar Issues:
Description
Injecting arbitrary parameters is now forbidden, so the plugin should declare them to the jobs.
See https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
Major impacts:
Undeclared vars are not present anymore
Release Plugin was listed on the page: https://wiki.jenkins-ci.org/display/JENKINS/Plugins+affected+by+fix+for+SECURITY-170 and no issue was yet created for this.
Attachments
Issue Links
- is related to
-
-
- Resolved
-
- links to
Activity
I think this merits an advisory in the documentation, "Jenkins 2.3+ requires GHPRB plugin version X.Y.Z or later"
Johnny Shields
added a comment - I think this merits an advisory in the documentation, "Jenkins 2.3+ requires GHPRB plugin version X.Y.Z or later" Plugin is currently useless. Can't even do basic variable substitution in shell.
Michael Templeton
added a comment - Plugin is currently useless. Can't even do basic variable substitution in shell. Proposed fix: https://github.com/jenkinsci/release-plugin/pull/17
Code changed in jenkins
User: Antonio Muñiz
Path:
pom.xml
src/main/java/hudson/plugins/release/ReleaseWrapper.java
src/main/java/hudson/plugins/release/SafeParametersAction.java
src/main/resources/hudson/plugins/release/ReleaseWrapper/ReleaseAction/index.jelly
src/test/java/hudson/plugins/release/TestReleasePluginParameters.java
http://jenkins-ci.org/commit/release-plugin/98f1c2f8fbd10c5a2a029c466a00c94a48f3063f
Log:
JENKINS-34996 Acknoledge SECURITY-170
Code changed in jenkins
User: Oleg Nenashev
Path:
pom.xml
src/main/java/hudson/plugins/release/ReleaseWrapper.java
src/main/java/hudson/plugins/release/SafeParametersAction.java
src/main/java/hudson/plugins/release/dashboard/RecentReleasesPortlet.java
src/main/resources/hudson/plugins/release/ReleaseWrapper/ReleaseAction/index.jelly
src/main/resources/hudson/plugins/release/ReleaseWrapper/ReleaseBuildBadgeAction/badge.jelly
src/main/resources/hudson/plugins/release/ReleaseWrapper/config.jelly
src/main/resources/hudson/plugins/release/dashboard/RecentReleasesPortlet/config.jelly
src/main/resources/hudson/plugins/release/dashboard/RecentReleasesPortlet/main.jelly
src/main/resources/hudson/plugins/release/dashboard/RecentReleasesPortlet/portlet.jelly
src/main/resources/hudson/plugins/release/promotion/ReleasePromotionCondition/Badge/index.jelly
src/main/resources/hudson/plugins/release/promotion/ReleasePromotionCondition/config.jelly
src/main/resources/hudson/plugins/release/promotion/ReleasePromotionCondition/index.jelly
src/main/resources/index.jelly
src/test/java/hudson/plugins/release/TestReleasePluginJob.java
src/test/java/hudson/plugins/release/TestReleasePluginMatrixJob.java
src/test/java/hudson/plugins/release/TestReleasePluginParameters.java
http://jenkins-ci.org/commit/release-plugin/ab68ac9ce267e658ff1662253a3726a7d040a509
Log:
Merge pull request #17 from amuniz/JENKINS-34996
JENKINS-34996 Release parameters visibility
Compare: https://github.com/jenkinsci/release-plugin/compare/3a0e033135cb...ab68ac9ce267
Released it in 2.6
This renders this plugin entirely unusable, unfortunately. Even simple variable substitution in an Execute Shell is not possible, as the variables are now undefined.