Not sure what the problem is with text() either, but both were changed in the same commit -- the advisories are probably just incomplete regarding impact on API users:
https://github.com/jenkinsci/jenkins/commit/0de3e9b14ed75f70279435e78eb9f6a3a1a179df Unfortunately JENKINS-16936 is still open, so you either don't get these features, or are running in a completely vulnerable mode. On 16.08.2013, at 12:42, teilo <[email protected]> wrote: > Hi all, > > After a lot of head scratching[1] I found that you can no longer (by default) > use "text()" in an xpath in api/xml/xpath=blah. > > The associated commit references SECURITY-47 - which I can't see but from the > other commit would seem to be related only to jsonp[2]? > > What I'm finding hard to work out is what the attack vector is for xpath > primatives? the content is returned as text/plain so should not be > interpreted by any browser. Anyone any pointers? > > enabling hudson.model.Api.INSECURE=true to get xpath primatives would expose > jsonp which is not something that I would want to do as the attack vector > there is well understood. > > Regards, > > /James > > [1] https://issues.jenkins-ci.org/browse/JENKINS-19221 > [2] > http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2013-02-16.cb > > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
