[JIRA] [core] (JENKINS-23259) userContent can be browsed by anonymous users when security is enabled and discovery is disabled
Kohsuke Kawaguchi resolved JENKINS-23259 as Not A Defect

userContent can be browsed by anonymous users when security is enabled and discovery is disabled

This is by design, as these files are a logical extension of the static files in the war file. Just like favicon.ico is accessible without a permission check, userContent files are accessible anonymously. I've added https://wiki.jenkins-ci.org/display/JENKINS/User+Content to call attention to that. Files that require access control should be placed under job, build, etc., which provides the ACL for access control.

Change By: Kohsuke Kawaguchi (31/May/14 3:25 PM)
Status: Open → Resolved
Assignee: Kohsuke Kawaguchi
Resolution: Not A Defect

This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators. For more information on JIRA, see: http://www.atlassian.com/software/jira

--
You received this message because you are subscribed to the Google Groups Jenkins Issues group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] [core] (JENKINS-23259) userContent can be browsed by anonymous users when security is enabled and discovery is disabled
Joseph Hughes created JENKINS-23259

userContent can be browsed by anonymous users when security is enabled and discovery is disabled

Issue Type: Bug
Affects Versions: current
Assignee: Unassigned
Components: core
Created: 30/May/14 8:09 PM
Description: With security enabled and discovery disabled, an unauthenticated user can browse any files in the userContent directory by going to http://server/userContent. This can be a big security risk for those who use the copy_to_slave plugin and store sensitive files in the userContent directory.
Environment: Ubuntu 14.04
Project: Jenkins
Priority: Critical
Reporter: Joseph Hughes
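Since the thread establishes that everything under JENKINS_HOME/userContent is served without a permission check by design, the practical control for an administrator is to make sure nothing secret is stored there. The following audit script is an added example, not Jenkins code and not part of the JIRA thread: it walks a userContent directory and flags files whose name or leading bytes look like key or credential material, so they can be moved under a job or build (where the ACL applies) or into a proper secret store. The filename patterns and content markers are the example's own heuristics, and the sample directory tree it builds is constructed for demonstration.

```python
"""Audit a Jenkins userContent directory for files that should not be anonymously readable.

Added example (not Jenkins code). Assumes the layout described in JENKINS-23259:
files under JENKINS_HOME/userContent are served at /userContent without authentication.
"""
import os
import re
import tempfile

# Heuristic filename patterns for files that usually hold secrets
# (an assumption of this example, not a Jenkins rule).
SENSITIVE_NAME_RE = re.compile(
    r"\.(pem|key|p12|pfx|jks|kdbx|env|htpasswd)$|id_(rsa|dsa|ecdsa|ed25519)|"
    r"credential|secret|passw",
    re.IGNORECASE,
)

# Lower-cased content markers that indicate key or credential material.
SENSITIVE_CONTENT_MARKERS = (
    b"-----begin ",            # PEM private keys and certificates
    b"password=",
    b"aws_secret_access_key",
    b"private_key",
)

HEAD_BYTES = 4096  # only the start of each file is inspected


def is_sensitive_name(filename):
    """True if the bare filename matches one of the heuristic secret-file patterns."""
    return SENSITIVE_NAME_RE.search(filename) is not None


def has_sensitive_content(path):
    """True if the first HEAD_BYTES of the file contain a credential marker."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(HEAD_BYTES).lower()
    except OSError:
        return False
    return any(marker in head for marker in SENSITIVE_CONTENT_MARKERS)


def audit_user_content(user_content_dir):
    """Walk the userContent tree and return (relative_path, reason) for each suspicious file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(user_content_dir):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, user_content_dir).replace(os.sep, "/")
            if is_sensitive_name(name):
                findings.append((rel, "sensitive filename"))
            elif has_sensitive_content(full):
                findings.append((rel, "sensitive content"))
    return findings


def build_sample_tree(base):
    """Create a constructed sample userContent tree (demonstration data only)."""
    files = {
        "readme.txt": b"Shared build assets for all jobs.\n",
        "logo.png": b"\x89PNG\r\n\x1a\n",  # binary asset, harmless
        "deploy.pem": b"-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder)\n"
                      b"-----END RSA PRIVATE KEY-----\n",
        "config/db.env": b"DB_HOST=db.internal\nDB_PASSWORD=example-only\n",
        "scripts/setup.sh": b"#!/bin/sh\nexport SMTP_PASSWORD=example-only\n",
    }
    for rel, data in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the sample tree in a temporary directory, audit it, and return sorted findings."""
    with tempfile.TemporaryDirectory() as tmp:
        user_content = os.path.join(tmp, "userContent")
        build_sample_tree(user_content)
        return sorted(audit_user_content(user_content))


if __name__ == "__main__":
    jenkins_home = os.environ.get("JENKINS_HOME")  # real audit if set, demo otherwise
    if jenkins_home:
        results = audit_user_content(os.path.join(jenkins_home, "userContent"))
    else:
        results = run_demo()
    for rel, reason in results:
        print(f"{reason}: userContent/{rel} (served without authentication)")
```

Run it with JENKINS_HOME pointing at a controller's home directory to audit the real userContent tree; without that variable it audits the constructed sample and reports the private key, the .env file and the shell script that embeds a password. Anything it flags is a candidate for relocation out of userContent, since the thread makes clear that directory will never be protected by the permission system.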