Jenkins / JENKINS-34996

Sec-170-related: Release plugin needs to declare parameters

Details

    Description

      Injecting arbitrary parameters is now forbidden, so the plugin should declare them to the jobs.
      See https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

      Major impacts:

      Undeclared vars are not present anymore

      Release Plugin was listed on the page https://wiki.jenkins-ci.org/display/JENKINS/Plugins+affected+by+fix+for+SECURITY-170 and no issue had yet been created for this.

          Activity

            mattg987 Matthew Griffin added a comment - This renders this plugin entirely unusable, unfortunately. Even simple variable substitution in an Execute Shell is not possible, as the variables are now undefined.

            johnny_shields Johnny Shields added a comment - I think this merits an advisory in the documentation, "Jenkins 2.3+ requires GHPRB plugin version X.Y.Z or later"

            templeton Michael Templeton added a comment - Plugin is currently useless. Can't even do basic variable substitution in shell.
            amuniz Antonio Muñiz added a comment - Proposed fix: https://github.com/jenkinsci/release-plugin/pull/17

            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins
            User: Antonio Muñiz
            Path:
            pom.xml
            src/main/java/hudson/plugins/release/ReleaseWrapper.java
            src/main/java/hudson/plugins/release/SafeParametersAction.java
            src/main/resources/hudson/plugins/release/ReleaseWrapper/ReleaseAction/index.jelly
            src/test/java/hudson/plugins/release/TestReleasePluginParameters.java
            http://jenkins-ci.org/commit/release-plugin/98f1c2f8fbd10c5a2a029c466a00c94a48f3063f
            Log:
            JENKINS-34996 Acknowledge SECURITY-170

            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins
            User: Oleg Nenashev
            Path:
            pom.xml
            src/main/java/hudson/plugins/release/ReleaseWrapper.java
            src/main/java/hudson/plugins/release/SafeParametersAction.java
            src/main/java/hudson/plugins/release/dashboard/RecentReleasesPortlet.java
            src/main/resources/hudson/plugins/release/ReleaseWrapper/ReleaseAction/index.jelly
            src/main/resources/hudson/plugins/release/ReleaseWrapper/ReleaseBuildBadgeAction/badge.jelly
            src/main/resources/hudson/plugins/release/ReleaseWrapper/config.jelly
            src/main/resources/hudson/plugins/release/dashboard/RecentReleasesPortlet/config.jelly
            src/main/resources/hudson/plugins/release/dashboard/RecentReleasesPortlet/main.jelly
            src/main/resources/hudson/plugins/release/dashboard/RecentReleasesPortlet/portlet.jelly
            src/main/resources/hudson/plugins/release/promotion/ReleasePromotionCondition/Badge/index.jelly
            src/main/resources/hudson/plugins/release/promotion/ReleasePromotionCondition/config.jelly
            src/main/resources/hudson/plugins/release/promotion/ReleasePromotionCondition/index.jelly
            src/main/resources/index.jelly
            src/test/java/hudson/plugins/release/TestReleasePluginJob.java
            src/test/java/hudson/plugins/release/TestReleasePluginMatrixJob.java
            src/test/java/hudson/plugins/release/TestReleasePluginParameters.java
            http://jenkins-ci.org/commit/release-plugin/ab68ac9ce267e658ff1662253a3726a7d040a509
            Log:
            Merge pull request #17 from amuniz/JENKINS-34996

            JENKINS-34996 Release parameters visibility

            Compare: https://github.com/jenkinsci/release-plugin/compare/3a0e033135cb...ab68ac9ce267
            oleg_nenashev Oleg Nenashev added a comment - Released it in 2.6

            People

              amuniz Antonio Muñiz
              jmf10024 Justin Fiore