
JENKINS-7518: CLONE - Crumb breaks ajax request behind proxies. -- Still broken behind nginx proxies

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • Component: core
    • Platform: All, OS: All

      Hudson: 1.310-SNAPSHOT (svn trunk)

      I checked "Prevent Cross Site Request Forgery exploits", then ajax requests like
      ajaxBuildQueue returned "HTTP/1.1 430 Forbidden".

      I use a Hudson installation behind some proxies.

      In hudson.security.csrf.DefaultCrumbIssuer line 58, "Request#getRemoteAddr()" is
      used to update the MessageDigest, but it will return a different IP behind proxies
      on each request.


          cap10morgan created issue -

          Dean Yu added a comment - - edited

          It looks like you've cloned this issue from JENKINS-3854, but you've failed to include what version of Hudson you're seeing this with. As mentioned in the other issue, Hudson 1.313 included a fix for the original report.


          cap10morgan added a comment -

          I didn't immediately see any way to edit / comment on the cloned issue. Sorry.

          This was on version 1.377, the latest version of Hudson as of 9/20/2010.

          All ajax requests get a 403 response. When I turn off the cross-site request forgery feature, they work again.


          SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: dty
          Path:
          trunk/hudson/main/core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
          trunk/hudson/main/core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/config.jelly
          trunk/hudson/main/core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/help-excludeClientIPFromCrumb.html
          trunk/hudson/main/test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerTest.java
          http://jenkins-ci.org/commit/35570
          Log:
          JENKINS-7518 Add an option to allow exclusion of HTTP client information from
          the crumb calculation. This can be enabled for users who sit behind a proxy
          that strips this information off, resulting in crumbs varying across requests.

          dogfood added a comment -

          Integrated in hudson_main_trunk #314


          Dean Yu added a comment -

          I added an option to the configuration UI to allow certain aspects of the crumb algorithm to be turned off. This was released in 1.380. Go to Manage Hudson | Configure System and, when you enable CSRF protection, you'll see a new checkbox underneath the Default Crumb Issuer, labeled "Proxy compatibility". Check this and try it again from your proxy.

          Dean Yu made changes -
          Fix Version/s New: current [ 10162 ]
          Resolution New: Fixed [ 1 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]
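          The mechanism behind the original report and the fix above, as an added illustration that is not Hudson/Jenkins code: a crumb derived by hashing the authenticated user, the address getRemoteAddr() reports, and a server-side salt is only valid while that address stays the same between the page load that issued it and the ajax POST that returns it. Behind a proxy pool each hop can reach the server from a different upstream address, so the recomputed crumb no longer matches and the POST is rejected with 403. The exclude_client_ip flag plays the role of the excludeClientIPFromCrumb / "Proxy compatibility" option from commit 35570. The exact hash inputs, the use of SHA-256 rather than the issuer's own MessageDigest choice, the salt value and the sample addresses are assumptions constructed for this demo.

```python
"""Added illustration (not Hudson/Jenkins code): why a crumb that hashes the
client IP breaks behind proxies, and what excluding the IP changes.
Hash inputs, digest choice, salt and addresses are assumptions for the demo."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the issuer's per-instance secret salt.
SERVER_SALT = b"per-instance-secret-salt"


@dataclass(frozen=True)
class Request:
    """The pieces of an HTTP request the issuer reads (simplified)."""
    user: str          # authenticated principal
    remote_addr: str   # what ServletRequest#getRemoteAddr() would return
    crumb: str = ""    # crumb the client sent back (header or form field)


def issue_crumb(req, exclude_client_ip=False):
    """Derive the anti-CSRF token from user, optional client IP and salt.

    Same shape as the thread describes for DefaultCrumbIssuer (a digest over
    request data); the concrete inputs and SHA-256 are assumptions here."""
    material = req.user + ";"
    if not exclude_client_ip:
        material += req.remote_addr
    return hashlib.sha256(material.encode() + SERVER_SALT).hexdigest()


def validate_crumb(req, exclude_client_ip=False):
    """Server-side check on a state-changing (POST / ajax) request.

    Recompute the crumb from the *current* request and compare it in
    constant time with the value the client presented."""
    expected = issue_crumb(req, exclude_client_ip)
    return hmac.compare_digest(expected, req.crumb)


def simulate(proxy_addrs, exclude_client_ip=False):
    """One browser session: request 1 loads a page and receives a crumb,
    request 2 posts it back. proxy_addrs are the source addresses the
    server sees for the two hops: identical for a direct client, possibly
    different when a proxy pool sits in between. Returns the HTTP status."""
    page = Request(user="alice", remote_addr=proxy_addrs[0])
    crumb = issue_crumb(page, exclude_client_ip)
    post = Request(user="alice", remote_addr=proxy_addrs[1], crumb=crumb)
    return 200 if validate_crumb(post, exclude_client_ip) else 403


if __name__ == "__main__":
    direct = ("203.0.113.7", "203.0.113.7")   # constructed: client talks to Hudson directly
    proxied = ("10.0.0.11", "10.0.0.12")       # constructed: two proxy nodes, one per hop
    print("direct client             :", simulate(direct))
    print("behind proxy pool         :", simulate(proxied))
    print("proxy + exclude client IP :", simulate(proxied, exclude_client_ip=True))
```

          Run directly, the three scenarios print 200, 403 and 200. The trade-off is visible in issue_crumb: with the IP excluded, the crumb depends only on the user identity and the salt, so it no longer distinguishes two sessions of the same user arriving from different addresses; it remains unguessable to a cross-site attacker only as long as the salt stays secret and the crumb itself is not exposed cross-origin.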

          nicholas harteau added a comment -

          I'm still seeing the behavior described here, even in 1.420, that is:

          • with CSRF enabled, I get 403s for ajax postbacks.
          • with CSRF enabled and "proxy compatibility" enabled, I get 403s for postbacks.
          • only with CSRF disabled do I see 200s for postbacks.

          I'm behind nginx-1.0.4.

          Are you sure this was fixed?
          nicholas harteau made changes -
          Resolution Original: Fixed [ 1 ]
          Status Original: Resolved [ 5 ] New: Reopened [ 4 ]
          OHTAKE Tomohiro made changes -
          Link New: This issue is related to JENKINS-3854 [ JENKINS-3854 ]

            Assignee: Dean Yu (dty)
            Reporter: cap10morgan
            Votes: 2
            Watchers: 6
