Not sure what the problem is with text() either, but both were changed in the same commit -- the advisories are probably just incomplete regarding impact on API users:
https://github.com/jenkinsci/jenkins/commit/0de3e9b14ed75f70279435e78eb9f6a3a1a179df Unfortunately JENKINS-16936 is still open, so you either don't get these features, or are running in a completely vulnerable mode. On 16.08.2013, at 12:42, teilo <teilo+goo...@teilo.net> wrote: > Hi all, > > After a lot of head scratching[1] I found that you can no longer (by default) > use "text()" in an xpath in api/xml/xpath=blah. > > The associated commit references SECURITY-47 - which I can't see but from the > other commit would seem to be related only to jsonp[2]? > > What I'm finding hard to work out is what the attack vector is for xpath > primatives? the content is returned as text/plain so should not be > interpreted by any browser. Anyone any pointers? > > enabling hudson.model.Api.INSECURE=true to get xpath primatives would expose > jsonp which is not something that I would want to do as the attack vector > there is well understood. > > Regards, > > /James > > [1] https://issues.jenkins-ci.org/browse/JENKINS-19221 > [2] > http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2013-02-16.cb > > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to jenkinsci-users+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/groups/opt_out. -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
