Daniel Beck commented on Bug JENKINS-20883

Is this actually about github-oauth? Looks more like a core issue to me...

That being said, this is a horrible idea, and here's why:

  • Admins don't usually know the security implications of making arbitrary URLs accessible
  • Admins don't even know all URLs provided by core and plugins (or did you know /descriptor/hudson.triggers.SCMTrigger?)
  • Changes in configuration might lead to accidental exposure of newly added URLs because of some carelessly written regex.
  • To the best of my knowledge, there's no way to reliably enumerate all possible URLs.

The sensible approach is to implement UnprotectedRootAction in plugins where the author considers the security implications.

FWIW a plugin could probably manage to add this functionality by acting as an internal proxy of sorts (Build Token Root plugin on steroids). But this should never be part of the default configuration, and should have come with warnings regarding its use (similar to Anything Goes Markup Formatter).

This message is automatically generated by JIRA.

--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.

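As an added illustration of the approach the comment recommends (implementing UnprotectedRootAction for a single, deliberately designed endpoint rather than whitelisting URL patterns), here is a minimal Jenkins plugin extension. It is example code written for this page, not code from the JIRA thread, from Jenkins core, or from the github-oauth or Build Token Root plugins. The package, class name, URL name, header name, system property and target job path are all hypothetical; a real plugin would hold the token as a Secret in its global configuration rather than reading a system property.

```java
// Added example, not from the JIRA thread or any Jenkins plugin.
// Names (package, class, URL, header, property, job path) are hypothetical.
package org.example.jenkins;

import hudson.Extension;
import hudson.model.Cause;
import hudson.model.CauseAction;
import hudson.model.UnprotectedRootAction;
import hudson.security.ACL;
import hudson.security.ACLContext;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import jenkins.model.Jenkins;
import jenkins.model.ParameterizedJobMixIn;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Exposes exactly one unauthenticated URL, $JENKINS_URL/example-webhook/,
 * which can do exactly one thing: schedule a build of a job fixed by the
 * plugin author. The caller chooses neither the job nor any parameter.
 */
@Extension
public class ExampleWebhookAction implements UnprotectedRootAction {

    private static final String URL_NAME = "example-webhook";
    private static final String TOKEN_HEADER = "X-Example-Token";
    // Assumption for this example: token comes from a system property.
    // A real plugin would store it as a hudson.util.Secret in global config.
    private static final String TOKEN_PROPERTY = "example.webhook.token";
    // The only job this hook may trigger (hypothetical full name).
    private static final String TARGET_JOB = "folder/deploy";

    // Returning null for icon and display name keeps the action out of the
    // sidebar; the URL is still served.
    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return URL_NAME; }

    // Stapler routes POST /example-webhook/ here. GET is refused by
    // @RequirePOST. Nothing else on this class is public, so Stapler has no
    // other getter, field or do* method to map a sub-URL onto.
    @RequirePOST
    public HttpResponse doIndex(StaplerRequest req) {
        String expected = System.getProperty(TOKEN_PROPERTY);
        String presented = req.getHeader(TOKEN_HEADER);
        if (expected == null || expected.isEmpty()
                || presented == null || !constantTimeEquals(expected, presented)) {
            // Unconfigured token fails closed; wrong token gets 403.
            return HttpResponses.forbidden();
        }

        // The request runs as anonymous. Impersonate SYSTEM only for the
        // lookup and the schedule call, never for anything the caller controls.
        // (Newer cores offer ACL.as2(ACL.SYSTEM2); ACL.as(ACL.SYSTEM) still compiles.)
        try (ACLContext ignored = ACL.as(ACL.SYSTEM)) {
            ParameterizedJobMixIn.ParameterizedJob<?, ?> job = Jenkins.get()
                    .getItemByFullName(TARGET_JOB, ParameterizedJobMixIn.ParameterizedJob.class);
            if (job == null) {
                return HttpResponses.errorWithoutStack(500, "target job not configured");
            }
            job.scheduleBuild2(0, new CauseAction(
                    new Cause.RemoteCause(req.getRemoteAddr(), "example webhook")));
        }
        return HttpResponses.ok();
    }

    // Compare without leaking the position of the first mismatch.
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(
                a.getBytes(StandardCharsets.UTF_8),
                b.getBytes(StandardCharsets.UTF_8));
    }
}
```

The design choices follow the comment's reasoning: the surface is one URL that the plugin author enumerated and reasoned about, not a regex over URLs nobody has enumerated; the endpoint fails closed when no token is configured; and privilege is raised (SYSTEM) for the smallest possible scope. One caveat worth keeping in mind when writing such an action: Stapler also dispatches to public getters and public fields of the action object, so any public member you add becomes a reachable sub-URL of the unprotected root.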