request #12618: Jenkins webhook might fail when the server URL ends with /

If a user gives a URL ending with a /, Tuleap will try to notify the Jenkins instance via a URL looking like https://jenkins.example.com//git/notifyCommit. Due to the // in the URL, Jenkins will not apply the same CSRF checks as for https://jenkins.example.com/git/notifyCommit and the notification request can be rejected with a forbidden error due to an incorrect CSRF token. The issue can be reproduced with a Jenkins instance not accessible to anonymous users with the CSRF checks enabled.

Change-Id: I6241e81c5fbea1337c85023dc806baa4ca2743ea

Modified Files

M plugins/hudson_git/include/HudsonGit/Hook/JenkinsClient.php (+3 −0)
M src/common/Jenkins/Client.class.php (+5 −1)
M src/common/Jenkins/JenkinsCSRFCrumbRetriever.php (+4 −0)
A tests/phpunit/common/Jenkins/JenkinsCSRFCrumbRetrieverTest.php (+65 −0)
D tests/simpletest/common/Jenkins/JenkinsCSRFCrumbRetrieverTest.php (+0 −51)
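
One way to avoid the double slash described in the commit message, shown as an added example that is not the code from this change or from Tuleap: normalize the user-supplied server URL before appending a Jenkins endpoint, and verify that the resulting path has no empty segment. The function names and the example.com hosts are hypothetical; `/crumbIssuer/api/json` is assumed to be the crumb endpoint of the target Jenkins.

```php
<?php
declare(strict_types=1);

/**
 * Join a user-supplied Jenkins server URL and an endpoint path so that exactly
 * one "/" separates them, whatever trailing slashes the user typed.
 * (Hypothetical helper, not part of Tuleap.)
 */
function build_jenkins_url(string $server_url, string $endpoint, array $query = []): string
{
    $url = rtrim(trim($server_url), '/') . '/' . ltrim($endpoint, '/');
    if ($query !== []) {
        // Encode parameters so a repository URL cannot add path or query parts.
        $url .= '?' . http_build_query($query, '', '&', PHP_QUERY_RFC3986);
    }
    return $url;
}

/** True when the path component of a URL contains an empty segment ("//"). */
function has_empty_path_segment(string $url): bool
{
    $path = parse_url($url, PHP_URL_PATH);
    return is_string($path) && strpos($path, '//') !== false;
}

// Constructed sample inputs: the same server entered three different ways.
$repository  = 'https://tuleap.example.com/plugins/git/project/repo.git';
$server_urls = ['https://jenkins.example.com', 'https://jenkins.example.com/', 'https://jenkins.example.com/ci//'];

foreach ($server_urls as $server_url) {
    // Plain concatenation reproduces the URL shape from the commit message.
    $naive = $server_url . '/git/notifyCommit';
    $fixed = build_jenkins_url($server_url, '/git/notifyCommit', ['url' => $repository]);
    $crumb = build_jenkins_url($server_url, '/crumbIssuer/api/json');

    printf(
        "%s\n  naive: %s (empty segment: %s)\n  fixed: %s\n  crumb: %s\n",
        $server_url,
        $naive,
        has_empty_path_segment($naive) ? 'yes' : 'no',
        $fixed,
        $crumb
    );

    // The crumb request and the notification must both use a clean path.
    if (has_empty_path_segment($fixed) || has_empty_path_segment($crumb)) {
        throw new RuntimeException("Empty path segment left in URL built from $server_url");
    }
}
```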