
CLONE -Crumb breaks ajax request behind proxies. -- Still broken behind nginx proxies

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • Component: core
    • Platform: All, OS: All

      Hudson: 1.310-SNAPSHOT (svn trunk)

      I checked "Prevent Cross Site Request Forgery exploits", then ajax requests like
      ajaxBuildQueue returned "HTTP/1.1 430 Forbidden".

      I use a Hudson installation behind some proxies.

      In hudson.security.csrf.DefaultCrumbIssuer L58, "Request#getRemoteAddr()" is
      used to update the MessageDigest, but it will return a different IP behind proxies on
      each request.
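The description above says the crumb digest is fed the client address from Request#getRemoteAddr(). The following is an added example, not Hudson's code: a simplified model of that issuer (the digest algorithm, field order, the user/session/salt values and the proxy addresses are all assumptions) showing why a crumb issued through one proxy node fails validation when the postback arrives through another, and how excluding the client IP from the calculation removes that dependency.

```python
import hashlib
import hmac

# Added example, not Hudson's code: a simplified model of DefaultCrumbIssuer.
# The real issuer feeds the authenticated user, the session id, the client IP
# from Request#getRemoteAddr() and a server-side salt into a MessageDigest.
# The exact field order and digest used by Hudson are NOT reproduced here; the
# point is that the client IP is part of the digest input, so a crumb issued to
# one address does not validate from another.
def issue_crumb(user, session_id, remote_addr, salt, exclude_client_ip=False):
    md = hashlib.sha256()
    for part in (user, session_id):
        md.update(part.encode() + b":")
    if not exclude_client_ip:          # the later "Proxy compatibility" option
        md.update(remote_addr.encode() + b":")
    md.update(salt.encode())
    return md.hexdigest()

def validate_crumb(presented, user, session_id, remote_addr, salt, exclude_client_ip=False):
    # Recompute from the *current* request's attributes; constant-time compare.
    expected = issue_crumb(user, session_id, remote_addr, salt, exclude_client_ip)
    return hmac.compare_digest(presented, expected)

def postback_via_proxy_pool(exclude_client_ip):
    # Constructed scenario: the page (and its crumb) is served through proxy
    # node 10.0.0.1, the later ajax postback arrives through node 10.0.0.2.
    # Hudson only sees the proxy's address, so getRemoteAddr() differs.
    crumb = issue_crumb("alice", "sess-42", "server-salt" and "10.0.0.1", "server-salt",
                        exclude_client_ip)
    return validate_crumb(crumb, "alice", "sess-42", "10.0.0.2", "server-salt",
                          exclude_client_ip)

if __name__ == "__main__":
    print("default issuer accepts postback:", postback_via_proxy_pool(False))  # False -> 403
    print("with client IP excluded:       ", postback_via_proxy_pool(True))   # True  -> 200
```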


          cap10morgan added a comment -

          I didn't immediately see any way to edit / comment on the cloned issue. Sorry.

          This was on version 1.377, the latest version of Hudson as of 9/20/2010.

          All ajax requests get a 403 response. When I turn off the cross-site request forgery feature, they work again.


          SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: dty
          Path:
          trunk/hudson/main/core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
          trunk/hudson/main/core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/config.jelly
          trunk/hudson/main/core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/help-excludeClientIPFromCrumb.html
          trunk/hudson/main/test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerTest.java
          http://jenkins-ci.org/commit/35570
          Log:
          JENKINS-7518 Add an option to allow exclusion of HTTP client information from
          the crumb calculation. This can be enabled for users who sit behind a proxy
          that strips this information off, resulting in crumbs varying across requests.

          dogfood added a comment -

          Integrated in hudson_main_trunk #314


          Dean Yu added a comment -

          I added an option to the configuration UI to allow certain aspects of the crumb algorithm to be turned off. This was released in 1.380. Go to Manage Hudson | Configure System and, when you enable CSRF protection, you'll see a new checkbox underneath the Default Crumb Issuer, labeled "Proxy compatibility". Check this and try it again from your proxy.


          nicholas harteau added a comment -

          I'm still seeing the behavior described here, even in 1.420, that is:

          • with CSRF enabled, I get 403s for ajax postbacks.
          • with CSRF enabled and "proxy compatibility" enabled, I get 403s for postbacks.
          • only with CSRF disabled do I see 200s for postbacks.

          I'm behind nginx-1.0.4

          are you sure this was fixed?

          mdp added a comment -

          nginx by default disallows some characters in header names that the HTTP specification allows: http://nginx.org/en/docs/http/ngx_http_core_module.html#ignore_invalid_headers
          '.' is one of them, so the .crumb header gets filtered out.

          This can be turned off as per the linked page - worth noting in documentation (in crumb issuer configuration help?).
          But maybe switching to a more compatible header (x-jenkins-crumb?) would be a safer choice?

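The comment above explains the second failure mode: nginx's default header filtering. The following is an added example, not nginx's or Jenkins' code, modelling the ignore_invalid_headers / underscores_in_headers rules (letters, digits and '-' allowed; '_' only when enabled) and the upstream crumb check, with constructed request headers and a constructed crumb value, to show why a ".crumb" header yields a 403 under defaults while a dash-only name such as X-Jenkins-Crumb passes.

```python
import string

# Added example, not nginx's or Jenkins' code: a model of nginx's default
# header-name filtering.  With ignore_invalid_headers on (the default), nginx
# drops any request header whose name contains characters outside letters,
# digits and '-'; '_' is additionally accepted only when underscores_in_headers
# is on.  A header named ".crumb" therefore never reaches the upstream Hudson.
def nginx_forwards_header(name, ignore_invalid_headers=True, underscores_in_headers=False):
    allowed = set(string.ascii_letters + string.digits + "-")
    if underscores_in_headers:
        allowed.add("_")
    name_is_valid = bool(name) and all(c in allowed for c in name)
    return name_is_valid or not ignore_invalid_headers

def proxy_request(headers, **nginx_cfg):
    """Return the headers nginx would pass upstream under the given directives."""
    return {k: v for k, v in headers.items() if nginx_forwards_header(k, **nginx_cfg)}

def upstream_crumb_check(headers, crumb_field, expected_crumb):
    """Hudson side: a POST is accepted only if the crumb header arrived intact."""
    presented = next((v for k, v in headers.items() if k.lower() == crumb_field.lower()), None)
    return 200 if presented == expected_crumb else 403

# Constructed ajax postback as the browser would send it, carrying the crumb
# under the original ".crumb" name and under a dash-only alternative.
BROWSER_HEADERS = {
    "Content-Type": "application/x-www-form-urlencoded",
    ".crumb": "deadbeef",
    "X-Jenkins-Crumb": "deadbeef",
}

def status_for(crumb_field, **nginx_cfg):
    """HTTP status Hudson would return for the constructed postback."""
    forwarded = proxy_request(BROWSER_HEADERS, **nginx_cfg)
    return upstream_crumb_check(forwarded, crumb_field, "deadbeef")

if __name__ == "__main__":
    print(".crumb, nginx defaults:             ", status_for(".crumb"))                                  # 403
    print(".crumb, ignore_invalid_headers off: ", status_for(".crumb", ignore_invalid_headers=False))  # 200
    print("X-Jenkins-Crumb, nginx defaults:    ", status_for("X-Jenkins-Crumb"))                         # 200
```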

          Derek E added a comment - edited

          I agree with the comment about switching to a more compatible header like "x-jenkins-crumb".

          Dr. Kibitz added a comment - edited

          +1, this affects everyone who uses reverse proxy services such as CloudFlare, as they're using nginx with default settings.

          Jesse Glick added a comment -

          Careful and see DefaultCrumbIssuerTest.testApiXml; there are subtle security issues surrounding crumb names that could potentially be interpreted as JavaScript identifiers (or otherwise the start of a legal JavaScript statement).


          Daniel Beck added a comment -

          This duplicates JENKINS-12875, which also discusses nginx reverse proxies.

          As the number of watchers there is greater, marking this one as resolved.


            Assignee: Dean Yu (dty)
            Reporter: cap10morgan
            Votes: 2
            Watchers: 6