Details

  • Type: Bug
  • Status: Resolved
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: None
  • Component/s: core
  • Labels: None
  • Environment: Platform: All, OS: All

Description

Hudson: 1.310-SNAPSHOT (svn trunk)

I checked "Prevent Cross Site Request Forgery exploits"; then ajax requests like
ajaxBuildQueue returned "HTTP/1.1 430 Forbidden".

I use a Hudson installation behind some proxies.

In hudson.security.csrf.DefaultCrumbIssuer L58, "Request#getRemoteAddr()" is
used to update the MessageDigest, but it will return a different IP behind proxies on each
request.

Activity

dty added a comment - edited

It looks like you've cloned this issue from HUDSON-3854, but you've failed to include what version of Hudson you're seeing this with. As mentioned in the other issue, Hudson 1.313 included a fix for the original report.

cap10morgan added a comment -

I didn't immediately see any way to edit / comment on the cloned issue. Sorry.

This was on version 1.377, the latest version of Hudson as of 9/20/2010.

All ajax requests get a 403 response. When I turn off the cross-site request forgery feature, they work again.

scm_issue_link added a comment -

Code changed in hudson
User: dty
Path:
trunk/hudson/main/core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
trunk/hudson/main/core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/config.jelly
trunk/hudson/main/core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/help-excludeClientIPFromCrumb.html
trunk/hudson/main/test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerTest.java
http://hudson-ci.org/commit/35570
Log:
HUDSON-7518 Add an option to allow exclusion of HTTP client information from
the crumb calculation. This can be enabled for users who sit behind a proxy
that strips this information off, resulting in crumbs varying across requests.

dogfood added a comment -

Integrated in hudson_main_trunk #314

dty added a comment -

I added an option to the configuration UI to allow certain aspects of the crumb algorithm to be turned off. This was released in 1.380. Go to Manage Hudson | Configure System and, when you enable CSRF protection, you'll see a new checkbox underneath the Default Crumb Issuer, labeled "Proxy compatibility". Check this and try it again from your proxy.

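A simplified model of the crumb computation the description points at and of the option the commit above adds, written here as an added Python example rather than Hudson's own Java code: the crumb is a keyed digest over the session id plus, unless the proxy-compatibility option is set, the client's remote address, so a proxy pool that presents a rotating address makes the crumb fail to verify on later requests. The CrumbIssuer class, the HMAC-SHA256 construction and the addresses are assumptions for illustration, not Hudson's implementation.

```python
import hashlib
import hmac


class CrumbIssuer:
    """Toy CSRF crumb issuer (assumption, not Hudson's DefaultCrumbIssuer).

    The crumb binds a server secret to the session id and, unless
    exclude_client_ip is set (the "Proxy compatibility" option in this
    issue), to the remote address the request arrived from.
    """

    def __init__(self, secret: bytes, exclude_client_ip: bool = False):
        self.secret = secret
        self.exclude_client_ip = exclude_client_ip

    def _crumb_input(self, session_id: str, remote_addr: str) -> bytes:
        parts = [session_id]
        if not self.exclude_client_ip:
            parts.append(remote_addr)
        return "|".join(parts).encode()

    def issue_crumb(self, session_id: str, remote_addr: str) -> str:
        # HMAC stands in for the salted MessageDigest the issue mentions.
        msg = self._crumb_input(session_id, remote_addr)
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def validate_crumb(self, crumb: str, session_id: str, remote_addr: str) -> bool:
        expected = self.issue_crumb(session_id, remote_addr)
        return hmac.compare_digest(expected, crumb)


def replay_session(issuer: CrumbIssuer, session_id: str, remote_addrs: list) -> list:
    """Issue a crumb on the first request, then validate it on each later one.

    remote_addrs is the sequence of addresses the server sees; behind a pool
    of proxies these rotate even though it is the same browser session.
    """
    first, *later = remote_addrs
    crumb = issuer.issue_crumb(session_id, first)
    return [issuer.validate_crumb(crumb, session_id, addr) for addr in later]


# Constructed sample: one session arriving via two rotating proxy addresses.
PROXY_ADDRS = ["10.0.0.1", "10.0.0.2", "10.0.0.1"]

if __name__ == "__main__":
    secret = b"constructed-server-secret"
    print("default:", replay_session(CrumbIssuer(secret), "sess-1", PROXY_ADDRS))           # [False, True]
    print("proxy-compat:", replay_session(CrumbIssuer(secret, True), "sess-1", PROXY_ADDRS)) # [True, True]
```

With the client address excluded the crumb is still bound to the session id and the server secret, so a crumb issued for one session does not validate for another.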

People

  • Assignee: dty
  • Reporter: cap10morgan