Hi all,

After a lot of head scratching[1] I found that you can no longer (by default) use "text()" in an xpath in api/xml/xpath=blah.
The associated commit references SECURITY-47 - which I can't see but from the other commit would seem to be related only to jsonp[2]?

What I'm finding hard to work out is what the attack vector is for xpath primitives? The content is returned as text/plain so should not be interpreted by any browser.

Anyone any pointers?

Enabling hudson.model.Api.INSECURE=true to get xpath primitives would expose jsonp, which is not something that I would want to do as the attack vector there is well understood.

Regards,
/James

[1] https://issues.jenkins-ci.org/browse/JENKINS-19221
[2] http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2013-02-16.cb
