JENKINS-39402

Jenkins creates massive HTTP headers that blow up proxies

      When Jenkins serves an access denied for a page, it includes in the HTTP headers every group that the current user is a member of.

      In a large corporate environment this can be hundreds of groups which causes many KBs of headers.
      nginx, HAProxy, Apache HTTPd and other proxies limit the maximum size and number of HTTP headers - so in this case instead of the access denied the user would see a 502 error from the proxy which hides the underlying issue. (FWIW HAProxy limits the number of [headers to 101 | http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#tune.http.maxhdr] - and classes an application that uses more than this amount of headers as buggy)

      There is no reason to send the whole list of groups by default - it perhaps could be enabled by a property but default to disabled, but in reality exposing what permission you need to the end user and what permissions they have is rarely (if ever) used.

      This is the [code in question | https://github.com/jenkinsci/jenkins/blob/b62ad15fef4790444af746ac4ae9149c37e89e07/core/src/main/java/hudson/security/AccessDeniedException2.java#L39-L48] that needs fixing.
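As an added illustration (not code from Jenkins, the linked PR, or the reporter), the check below builds the 403 header set both ways (per-group headers on, as reported, and off, as the issue proposes) and measures it against proxy limits. The header names, the example permission string and the 8 KiB size budget are assumptions; the 101-header count is HAProxy's default cited above.

```python
"""Header-budget check for a Jenkins-style access-denied (403) response."""
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Assumed header names for illustration; the issue describes one header per group.
USER_HEADER = "X-You-Are-Authenticated-As"
GROUP_HEADER = "X-You-Are-In-Group"
PERMISSION_HEADER = "X-Required-Permission"

HAPROXY_MAX_HEADERS = 101   # HAProxy tune.http.maxhdr default cited in the issue
ASSUMED_MAX_BYTES = 8192    # placeholder: set to your proxy's response-header buffer size


def build_denied_headers(user: str, groups: List[str], permission: str,
                         report_groups: bool = False) -> List[Header]:
    """Headers a 403 would carry. report_groups=False is the proposed default
    (no per-group headers); True reproduces the reported one-header-per-group behaviour."""
    headers = [(USER_HEADER, user), (PERMISSION_HEADER, permission)]
    if report_groups:
        headers.extend((GROUP_HEADER, g) for g in groups)
    return headers


def parse_response_headers(raw: str) -> List[Header]:
    """Parse the header block of a captured response (e.g. `curl -i` output taken
    directly from Jenkins, bypassing the proxy that would otherwise answer 502)."""
    head = raw.split("\r\n\r\n", 1)[0]
    parsed: List[Header] = []
    for line in head.split("\r\n")[1:]:      # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            parsed.append((name.strip(), value.strip()))
    return parsed


def header_bytes(headers: List[Header]) -> int:
    """Wire size of the header block: 'Name: value\\r\\n' per header plus the blank line."""
    return sum(len(n) + len(v) + 4 for n, v in headers) + 2


def check_header_budget(headers: List[Header], max_headers: int = HAPROXY_MAX_HEADERS,
                        max_bytes: int = ASSUMED_MAX_BYTES) -> Dict[str, bool]:
    """Flag the two proxy limits that turn a 403 into an opaque 502."""
    return {
        "too_many_headers": len(headers) > max_headers,
        "too_large": header_bytes(headers) > max_bytes,
    }


if __name__ == "__main__":
    groups = [f"group-{i}" for i in range(300)]        # constructed large group membership
    for flag in (True, False):
        hdrs = build_denied_headers("alice", groups, "hudson.model.Hudson.Read", flag)
        print(f"report_groups={flag}: {len(hdrs)} headers, {header_bytes(hdrs)} bytes, "
              f"{check_header_budget(hdrs)}")
```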

          [JENKINS-39402] Jenkins creates massive HTTP headers that blow up proxies

          James Nord created issue -
          James Nord made changes -
          Description Original (the current description is shown above): When Jenkins serves an access denied for a page, it includes in the HTTP headers every group that the current user is a member of.

          In a large corporate environment this can be hundreds of groups which causes many KBs of headers.
          HAProxy and other proxies limit the maximum size and number of HTTP headers - so in this case instead of the access denied the user would see a 502 error from the proxy which hides the underlying issue.

          There is no reason to send the whole list of groups by default - it perhaps could be enabled by a property but default to disabled, but in reality exposing what permission you need to the end user and what permissions they have is rarely (if ever) used.

          This is the [code in question | https://github.com/jenkinsci/jenkins/blob/b62ad15fef4790444af746ac4ae9149c37e89e07/core/src/main/java/hudson/security/AccessDeniedException2.java#L39-L48] that needs fixing.
          Jesse Glick made changes -
          Link New: This issue relates to JENKINS-38720 [ JENKINS-38720 ]
          Jesse Glick made changes -
          Assignee New: Jesse Glick [ jglick ]
          Jesse Glick made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Jesse Glick made changes -
          Remote Link New: This issue links to "PR 2727 (Web Link)" [ 15352 ]
          Jesse Glick made changes -
          Status Original: In Progress [ 3 ] New: In Review [ 10005 ]
          Jesse Glick made changes -
          Labels New: http lts-candidate robustness
          Jesse Glick made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: In Review [ 10005 ] New: Resolved [ 5 ]
          Oliver Gondža made changes -
          Labels Original: http lts-candidate robustness New: 2.32.2-fixed http robustness
          Oliver Gondža made changes -
          Labels Original: 2.32.2-fixed http robustness New: 2.32.3-fixed http robustness

            Assignee: Jesse Glick (jglick)
            Reporter: James Nord (teilo)
            Votes: 0
            Watchers: 5