JENKINS-39402: Jenkins creates massive HTTP headers that blow up proxies

      When Jenkins serves an access denied for a page it includes in the HTTP headers every group that the current user is a member of.

      In a large corporate environment this can be hundreds of groups which causes many KBs of headers.
      nginx, HAProxy, Apache HTTPd and other proxies limit the maximum size and number of HTTP headers - so in this case instead of the access denied the user would see a 502 error from the proxy which hides the underlying issue. (FWIW HAProxy limits the number of headers to 101 - and classes an application that uses more than this amount of headers as buggy)

      There is no reason to send the whole list of groups by default - it perhaps could be enabled by a property but default to disabled, but in reality exposing what permission you need to the end user and what permissions they have is rarely (if ever) used.

      This is the code in question that needs fixing.
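To make the failure mode concrete, here is an added example (not Jenkins's code) that models the access-denied headers described above and checks them against the HAProxy header-count limit quoted in the description. The header names follow the ones Jenkins emits as best I recall them; the cap of 10 groups, the 8192-byte buffer limit and the sample groups are assumptions.

```python
# Added example, not Jenkins code: models the access-denied headers from
# JENKINS-39402 and checks them against proxy header limits.
# Header names mirror those emitted by Jenkins's AccessDeniedException2 as I
# recall them; the cap value and the byte limit below are assumptions.
HAPROXY_MAX_HEADERS = 101        # stated in the issue: HAProxy's header-count limit
ASSUMED_MAX_HEADER_BYTES = 8192  # assumption: a typical proxy response-header buffer


def access_denied_headers(user, groups, permission, group_cap=None):
    """Build the (name, value) header list an access-denied response would carry.

    group_cap=None reproduces the unbounded behaviour the issue reports; an
    integer cap reproduces the idea of the fix, bounding the group headers.
    """
    headers = [("X-You-Are-Authenticated-As", user),
               ("X-Required-Permission", permission)]
    emitted = groups if group_cap is None else groups[:group_cap]
    headers += [("X-You-Are-In-Group", g) for g in emitted]
    if group_cap is not None and len(groups) > group_cap:
        # assumption: signal truncation instead of silently dropping groups
        headers.append(("X-You-Are-In-Group",
                        f"... and {len(groups) - group_cap} more"))
    return headers


def header_bytes(headers):
    """Wire size of the header block as 'Name: value\\r\\n' lines."""
    return sum(len(f"{name}: {value}\r\n") for name, value in headers)


def proxy_would_reject(headers, max_headers=HAPROXY_MAX_HEADERS,
                       max_bytes=ASSUMED_MAX_HEADER_BYTES):
    """True if a proxy with these limits would turn the response into a 502."""
    return len(headers) > max_headers or header_bytes(headers) > max_bytes


# Constructed sample: a corporate user who is a member of 300 directory groups.
SAMPLE_GROUPS = [f"CORP\\app-team-{i:03d}" for i in range(300)]

if __name__ == "__main__":
    perm = "hudson.model.Item.Read"
    uncapped = access_denied_headers("alice", SAMPLE_GROUPS, perm)
    capped = access_denied_headers("alice", SAMPLE_GROUPS, perm, group_cap=10)
    print(len(uncapped), header_bytes(uncapped), proxy_would_reject(uncapped))
    print(len(capped), header_bytes(capped), proxy_would_reject(capped))
```

Run against a real deployment, the same check can be applied to the headers captured from a deliberately unauthorized request to the Jenkins backend, bypassing the proxy, to see whether it would hit the proxy's limits.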


          Jesse Glick added a comment -

          Some plugins have similar issues; JENKINS-38720 offhand. Query in case someone wants to do a proactive search.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/java/hudson/security/AccessDeniedException2.java
          test/src/test/java/hudson/security/AccessDeniedException2Test.java
          http://jenkins-ci.org/commit/jenkins/d6f7e4101f055e14009bc4407b508fe5457e69c0
          Log:
          [FIXED JENKINS-39402] Cap the number of group headers printed by AccessDeniedException2.

          Jesse Glick added a comment -

          olivergondza was this supposed to be 2.32.3-fixed?


          Oliver Gondža added a comment -

          jglick, fixed.

          Alok Joshi added a comment -

          olivergondza Can we have this fix included in one of the LTS Jenkins Docker images? Preferably 2.32.2, which is the latest one.


          Oliver Gondža added a comment -

          I presume the image 2.32.3 will pick it up without any additional action.

          Alok Joshi added a comment -

          Thanks olivergondza, just curious what the ETA for 2.32.3 will be and whether it will be an LTS version? Since we run Jenkins at pretty big scale in our organization, we want to go out with an LTS version.


          Oliver Gondža added a comment -

          All double dot releases provided by upstream are LTS ones. See the wiki[1] and calendar[2] for more details. The release is today, btw.

          [1] https://wiki.jenkins-ci.org/display/JENKINS/LTS+Release+Line
          [2] https://jenkins.io/content/event-calendar/

          Alok Joshi added a comment -

          This is wonderful! Thanks a lot.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/java/hudson/security/AccessDeniedException2.java
          test/src/test/java/hudson/security/AccessDeniedException2Test.java
          http://jenkins-ci.org/commit/jenkins/cf78e48b446f34379e2a988d086693e5ca53e251
          Log:
          [FIXED JENKINS-39402] Cap the number of group headers printed by AccessDeniedException2.
          (cherry picked from commit d6f7e4101f055e14009bc4407b508fe5457e69c0)

            jglick Jesse Glick
            teilo James Nord