Issue Type: Bug
Assignee: Unassigned
Components: cli, core
Created: 28/May/13 2:06 PM
Description:

1.480.3. Enable security, with whatever security realm (e.g. Unix authentication), and matrix authentication with one user given all permissions and anonymous none. Enable the default crumb issuer. Configure the authenticated user's SSH public keys. Now from a shell try to use the CLI:

$ java -jar jenkins-cli.jar -s http://localhost:8080/ -i ~/.ssh/id_dsa help
Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/cli
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1625)
	at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:77)
	at hudson.cli.CLI.connectViaHttp(CLI.java:155)
	at hudson.cli.CLI.<init>(CLI.java:139)
	at hudson.cli.CLIConnectionFactory.connect(CLIConnectionFactory.java:68)
	at hudson.cli.CLI._main(CLI.java:438)
	at hudson.cli.CLI.main(CLI.java:373)

If you disable the crumb issuer, the same command works as expected.

Jenkins.doCli in POST mode would go through CrumbFilter, and the CLI client makes no attempt to send a crumb.

If there is some way a JavaScript form submission could trick a browser into initiating a complete CLI session and sending a destructive command, then the client should be amended to check for /crumbIssuer/api/xml and send a crumb; otherwise CrumbFilter should be amended to exempt /cli.

Project: Jenkins
Labels: security cli csrf
Priority: Critical
Reporter: Jesse Glick
This message is automatically generated by JIRA.
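As an added illustration of the interaction the report describes (this is example code, not code from Jenkins or jenkins-cli.jar): a small Python model of a CrumbFilter that rejects any POST lacking a valid crumb, beside a client that does what the report proposes, asking /crumbIssuer/api/xml for a crumb first and sending it as a request header, or proceeding without one when that endpoint reports the issuer is disabled. The `<defaultCrumbIssuer><crumb>…</crumb><crumbRequestField>…</crumbRequestField>` layout is what the real endpoint returns; the client reads the header name from `crumbRequestField` rather than hard-coding it, since the field name differs between Jenkins releases. The `FakeJenkins` class, the HMAC session binding and the session ids are constructed stand-ins and are not how Jenkins computes crumbs.

```python
"""Model of the crumb (CSRF token) check that makes 'java -jar jenkins-cli.jar ... help'
fail with HTTP 403 when the crumb issuer is on, plus a client that fetches a crumb first.

Added example; not Jenkins code. FakeJenkins, the HMAC crumb derivation and the
session ids are assumptions made for the model.
"""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET


class FakeJenkins:
    """Stand-in for the server: a crumb issuer endpoint, a CrumbFilter, and /cli."""

    def __init__(self, crumb_issuer_enabled=True):
        self.enabled = crumb_issuer_enabled
        self.secret = secrets.token_bytes(32)      # per-instance secret (constructed)
        self.field = "Jenkins-Crumb"               # header name; older releases used '.crumb'

    def crumb_for(self, session_id):
        # Bind the crumb to the caller's session so a crumb issued to one
        # session is useless to another (model of the real binding, not a copy of it).
        return hmac.new(self.secret, session_id.encode(), hashlib.sha256).hexdigest()

    def handle(self, method, path, headers, session_id):
        """Dispatch one request; returns (status, body)."""
        if path == "/crumbIssuer/api/xml":
            if not self.enabled:
                return 404, ""                     # issuer disabled: nothing to fetch
            body = (
                "<defaultCrumbIssuer>"
                f"<crumb>{self.crumb_for(session_id)}</crumb>"
                f"<crumbRequestField>{self.field}</crumbRequestField>"
                "</defaultCrumbIssuer>"
            )
            return 200, body
        # CrumbFilter: every POST must carry a crumb valid for this session.
        # This is the branch Jenkins.doCli hits when the CLI POSTs without one.
        if method == "POST" and self.enabled:
            supplied = headers.get(self.field, "")
            if not hmac.compare_digest(supplied, self.crumb_for(session_id)):
                return 403, "No valid crumb was included in the request"
        if path == "/cli":
            return 200, "cli session established"
        return 404, ""


def fetch_crumb(server, session_id):
    """What the report proposes for the client: check /crumbIssuer/api/xml and
    return {header_name: crumb}, or {} when the endpoint says there is no issuer."""
    status, body = server.handle("GET", "/crumbIssuer/api/xml", {}, session_id)
    if status == 404:
        return {}
    if status != 200:
        raise RuntimeError(f"crumb issuer returned HTTP {status}")
    root = ET.fromstring(body)
    field = root.findtext("crumbRequestField")
    crumb = root.findtext("crumb")
    if not field or not crumb:
        raise RuntimeError("malformed crumb issuer response")
    return {field: crumb}


def connect_cli(server, session_id, send_crumb=True):
    """Open the /cli POST the way the CLI does today (send_crumb=False) or with
    the crumb handshake added (send_crumb=True). Returns the HTTP status."""
    headers = fetch_crumb(server, session_id) if send_crumb else {}
    status, _ = server.handle("POST", "/cli", headers, session_id)
    return status


if __name__ == "__main__":
    srv = FakeJenkins()
    print("crumb issuer on, no crumb sent:", connect_cli(srv, "alice", send_crumb=False))
    print("crumb issuer on, crumb sent:   ", connect_cli(srv, "alice"))
    print("crumb issuer off, no crumb sent:",
          connect_cli(FakeJenkins(crumb_issuer_enabled=False), "alice", send_crumb=False))
    # A crumb obtained in one session does not satisfy the filter for another,
    # which is why a cross-site page that cannot read the XML cannot forge the header.
    stolen = fetch_crumb(srv, "alice")
    print("alice's crumb replayed by mallory:", srv.handle("POST", "/cli", stolen, "mallory")[0])
```

The first and third cases are the two outcomes in the report (403 with the issuer enabled, success with it disabled); the second shows the proposed client-side fix; the last shows what the crumb buys against the form-submission scenario the reporter asks about, since a page on another origin can make the browser send the session cookie but cannot read the crumb out of /crumbIssuer/api/xml.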
