Jenkins / JENKINS-59229

csrf protection too strict?

    • Type: Bug
    • Resolution: Won't Fix
    • Priority: Major
    • Component: core
    • Environment: jenkins 2.176.3 lts docker image

Tested as follows with 2.176.2 successfully:

    wget -q --auth-no-challenge --user jheylen --password XXXXXX --output-document - 'http://jenkins/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'

    crumb=Jenkins-Crumb:1e7fe08f74e2ad6814e309af63986292

    curl -X POST -H Jenkins-Crumb:1e7fe08f74e2ad6814e309af63986292 --silent --basic -u jheylen:XXXXXXX 'http://jenkins/me/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken?newTokenName=temp'

    API_token=1103e007f9659c28d25ee...

But with 2.176.3, we get:

    Sep 04, 2019 3:51:40 PM hudson.security.csrf.CrumbFilter doFilter
    WARNING: Found invalid crumb 22bdf12008e1ee08ae29a897a00f669d. Will check remaining parameters for a valid one...
    Sep 04, 2019 3:51:40 PM hudson.security.csrf.CrumbFilter doFilter
    WARNING: No valid crumb was included in request for /descriptorByName/hudson.security.LDAPSecurityRealm$CacheConfiguration/fillTtlItems by jheylen. Returning 403.

for every crumb retrieved with the above workflow.

Is this an issue in 2.176.3, or are we using the api/crumb in the wrong way?
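Added example, not part of the issue or of Jenkins itself: from 2.176.3 on, a crumb is only valid within the web session it was issued to, so fetching it with one tool (wget) and presenting it from a second, cookie-less request (curl) produces exactly the 403 logged above. The script below stands up a constructed, session-bound crumb issuer on localhost and shows the same two-step workflow once without and once with the JSESSIONID cookie carried over (what a curl cookie jar, -c/-b, would do); the server, paths and cookie name are assumptions for the demo.

```python
import http.client, secrets, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CRUMB_FIELD = "Jenkins-Crumb"  # the crumbRequestField value /crumbIssuer/api/xml returns
POST_PATH = "/me/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken?newTokenName=temp"

class FakeJenkins(BaseHTTPRequestHandler):
    """Constructed stand-in (not Jenkins code): each crumb is bound to a JSESSIONID."""
    sessions = {}  # JSESSIONID -> crumb issued to that session
    def session_id(self):
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "JSESSIONID" and value in self.sessions:
                return value
        return None
    def do_GET(self):  # GET /crumbIssuer/api/xml: start a session and issue its crumb
        sid, crumb = secrets.token_hex(8), secrets.token_hex(16)
        self.sessions[sid] = crumb
        body = (f"<defaultCrumbIssuer><crumb>{crumb}</crumb><crumbRequestField>"
                f"{CRUMB_FIELD}</crumbRequestField></defaultCrumbIssuer>").encode()
        self.send_response(200)
        self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_POST(self):  # accept a crumb only from the session it was issued to
        sid = self.session_id()
        valid = sid is not None and self.headers.get(CRUMB_FIELD) == self.sessions[sid]
        self.send_response(200 if valid else 403)  # 403 is what the issue's log shows
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo quiet

def start_fake_jenkins():
    server = HTTPServer(("127.0.0.1", 0), FakeJenkins)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address  # (host, port)

def post_with_crumb(address, keep_session):
    """Fetch a crumb, then POST it back; returns the HTTP status of the POST."""
    conn = http.client.HTTPConnection(*address)
    conn.request("GET", "/crumbIssuer/api/xml")
    resp = conn.getresponse()
    session_cookie = resp.getheader("Set-Cookie").split(";")[0]  # "JSESSIONID=..."
    crumb = resp.read().decode().split("<crumb>")[1].split("</crumb>")[0]
    headers = {CRUMB_FIELD: crumb}  # same header the issue's curl command sends
    if keep_session:  # what a cookie jar does; the issue's separate wget + curl calls do not
        headers["Cookie"] = session_cookie
    conn.request("POST", POST_PATH, body=b"", headers=headers)
    return conn.getresponse().status
```

post_with_crumb(addr, keep_session=False) returns 403 and post_with_crumb(addr, keep_session=True) returns 200 against the stand-in; against a real 2.176.3 instance the equivalent is to fetch and use the crumb through one cookie jar, or to authenticate with an API token, which needs no crumb.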

Assignee: Unassigned
Reporter: Jan Heylen (heyleke)