Details
-
Bug
-
Resolution: Fixed
-
Critical
Description
When Jenkins serves an access denied for a page it includes in the HTTP headers ever group that the current user is a member of.
In a large corporate environment this can be hundreds of groups which causes many KBs of headers.
nginx, HAProxy, Apache HTTPd and other proxies limit the maximum size and number of HTTP headers - so in this case instead of the access denied the user would see a 502 error from the proxy which hides the underlying issue. (FWIW HAProxy limits the number of headers to 101 - and classes an application that uses more than this amount of headers as buggy)
There is no reason to send all the list of groups by default - it perhaps could be enabled by a property but default to disabled, but in reality exposing what permission you need to the end user and what permissions they have is rarely (if ever) used.
This is the code in question that needs fixing.
Attachments
Issue Links
- is duplicated by
-
-
- Closed
-
-
-
- Closed
-
- relates to
-
-
- In Review
-
-
-
- Closed
-
- links to
