• Bug
    • Resolution: Fixed
    • Major
    • core
    • None
    • Platform: All, OS: All

      Hudson: 1.310-SNAPSHOT (svn trunk)

      I checked "Prevent Cross Site Request Forgery exploits"; then Ajax requests like
      ajaxBuildQueue returned "HTTP/1.1 430 Forbidden".

      I use a Hudson installation behind some proxies.

      In hudson.security.csrf.DefaultCrumbIssuer L58, "Request#getRemoteAddr()" is
      used to update the MessageDigest, but it will return a different IP behind proxies on each
      request.

          [JENKINS-3854] Crumb breaks ajax request behind proxies.

          sogabe added a comment -

          s/"HTTP/1.1 430 Forbidden/"HTTP/1.1 403 Forbidden/

          Kohsuke Kawaguchi added a comment -

          Forwarding it to Dean.

          Dean Yu added a comment -

          I'll add some additional code to the default crumb issuer to check some standard HTTP headers that
          usually get filled in with the real client IP address. This is not a 100% guaranteed solution. If I have time,
          I'll also create a new crumb issuer that uses different information to calculate the crumb that should be
          stable behind a proxy.

          I'll shoot to have this completed for 1.312


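An added example (not Hudson's or Jenkins's DefaultCrumbIssuer code) contrasting the two approaches discussed in this issue: a crumb digest that mixes in the request's remote address, which the reporter observed breaking behind proxies, and a crumb bound only to the session and a per-server secret, which stays stable across proxy hops. The class name CrumbExample, the Request record (a stand-in for the servlet request), the trusted-proxy set and all sample addresses are assumptions constructed for the example; it needs Java 16 or later for the record.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not Hudson/Jenkins code. "Request" is a hypothetical stand-in for the
// servlet request carrying only the fields this example needs.
public final class CrumbExample {

    record Request(String remoteAddr, String sessionId, String xForwardedFor) {}

    private final byte[] secret; // per-server secret generated at startup (assumed design)

    CrumbExample(byte[] secret) {
        this.secret = secret.clone();
    }

    static CrumbExample withRandomSecret() {
        byte[] s = new byte[32];
        new SecureRandom().nextBytes(s);
        return new CrumbExample(s);
    }

    // The pattern the report describes: the address the request arrived from is mixed into
    // the digest. Behind a pool of proxies, successive requests from one browser can show
    // different remote addresses, so the crumb the page holds stops matching.
    String addressBoundCrumb(Request r) {
        return hmacHex(r.sessionId() + "\0" + r.remoteAddr());
    }

    // Proxy-stable alternative: bind the crumb to the session and the server secret only.
    // The secret is what a cross-site page cannot read; the client IP adds no protection,
    // because a forged request is sent by the victim's own browser from the victim's IP.
    String sessionBoundCrumb(Request r) {
        return hmacHex(r.sessionId());
    }

    // Constant-time comparison so the check does not leak how many leading bytes matched.
    boolean validate(Request r, String presented, boolean bindToAddress) {
        String expected = bindToAddress ? addressBoundCrumb(r) : sessionBoundCrumb(r);
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.US_ASCII),
                presented.getBytes(StandardCharsets.US_ASCII));
    }

    // If the real client address is wanted (for logging, say), read X-Forwarded-For only
    // when the request came from a proxy you trust, and take the entry that proxy appended
    // (the last one, assuming a single trusted hop); anything further left was written by
    // parties you do not control, including the client itself.
    static String clientAddress(Request r, Set<String> trustedProxies) {
        String xff = r.xForwardedFor();
        if (trustedProxies.contains(r.remoteAddr()) && xff != null && !xff.isBlank()) {
            String[] chain = xff.split(",");
            return chain[chain.length - 1].trim();
        }
        return r.remoteAddr();
    }

    private String hmacHex(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            byte[] out = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(out.length * 2);
            for (byte b : out) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        CrumbExample issuer = CrumbExample.withRandomSecret();
        // Constructed sample: one browser session whose two requests are relayed by
        // two different proxies (10.0.0.1 and 10.0.0.2) in front of the server.
        Request first  = new Request("10.0.0.1", "SESSION-A", "203.0.113.7");
        Request second = new Request("10.0.0.2", "SESSION-A", "203.0.113.7");

        String crumb = issuer.addressBoundCrumb(first);
        System.out.println("address-bound crumb accepted via second proxy: "
                + issuer.validate(second, crumb, true));

        crumb = issuer.sessionBoundCrumb(first);
        System.out.println("session-bound crumb accepted via second proxy: "
                + issuer.validate(second, crumb, false));

        Set<String> trusted = Set.of("10.0.0.1", "10.0.0.2");
        System.out.println("client address behind trusted proxy: "
                + clientAddress(second, trusted));
        System.out.println("client address from untrusted source: "
                + clientAddress(new Request("198.51.100.9", "SESSION-A", "192.0.2.1"), trusted));
    }
}
```

Running the main method shows the address-bound crumb being rejected once the second request arrives through a different proxy, while the session-bound crumb is accepted. The clientAddress helper illustrates the caveat in Dean's comment: headers such as X-Forwarded-For are only as trustworthy as the hop that set them, which is why they are a poor input to the crumb itself and are better confined to diagnostics.
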
          Dean Yu added a comment -

          Got the commit message format wrong to post the diffs here.

          http://fisheye4.atlassian.com/changelog/hudson/trunk/hudson/main?cs=19132

          Looks like Kohsuke released 1.312 from the 3.11 RC branch, so this will be in 1.313.

            dty Dean Yu
            sogabe sogabe