I used curl to request the crumb and the session ID and then passed that crumb and session ID to a later curl call which performed the work I needed to do.
Refer to https://github.com/MarkEWaite/jenkins-bugs/blob/6db4ea8ef277dbe496346d8ceaebdb12029d870c/reportScanLogResults#L56 for the "cookie jar" that remembers the session ID. Refer to https://github.com/MarkEWaite/jenkins-bugs/blob/6db4ea8ef277dbe496346d8ceaebdb12029d870c/reportScanLogResults#L89 for a use of that "cookie jar".

I think the topic of API use (including cookie use and various alternatives to call the API) deserves a future topic for a "How-To Guide" to be added to https://jenkins.io/doc/developer/guides/ .

On Mon, Sep 2, 2019 at 4:09 AM James Telfer <[email protected]> wrote:

> Hi,
>
> I've been bitten by the security fix in Jenkins LTS 2.176.3 to the CSRF
> protection, specifically the tying of a crumb to the session ID it was
> generated in.
>
> There is a note in the upgrade guide
> <https://jenkins.io/doc/upgrade-guide/2.176/#SECURITY-626> which suggests
> I can trigger builds using an API token without requiring a crumb, which is
> pretty much what I want to be able to do. It appears that I should be able
> to do this by sending a POST of the form:
> http://<username>:<API Token>@<Jenkins job URL>/build
>
> But I always get back a 403 No valid crumb was included in the request,
> which while 100% accurate was not what I expected.
>
> Any idea how I can do this?
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-users/97c3ff89-83ab-42f9-bb89-72922a940383%40googlegroups.com
> <https://groups.google.com/d/msgid/jenkinsci-users/97c3ff89-83ab-42f9-bb89-72922a940383%40googlegroups.com?utm_medium=email&utm_source=footer>
> .

--
Thanks!
Mark Waite
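The two-call pattern described in the reply above (fetch the crumb while saving the session cookie, then replay both), written out as an added example; it is not taken from the linked reportScanLogResults script. The environment variables JENKINS_URL, JENKINS_USER, JENKINS_TOKEN and JENKINS_JOB_URL, the function names and the sample reply are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: reuse one Jenkins session for the crumb and the POST.
# All variable and function names here are hypothetical.

# Constructed sample of a /crumbIssuer/api/json reply (not real output).
SAMPLE_REPLY='{"_class":"hudson.security.csrf.DefaultCrumbIssuer","crumb":"0123abcd","crumbRequestField":"Jenkins-Crumb"}'

# Turn the crumb issuer's JSON into a "Field: value" request header.
# Fails (status 1) when either key is missing, e.g. on an error page.
parse_crumb_header() {
    field=$(printf '%s' "$1" |
        sed -n 's/.*"crumbRequestField"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    crumb=$(printf '%s' "$1" |
        sed -n 's/.*"crumb"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    [ -n "$field" ] && [ -n "$crumb" ] || return 1
    printf '%s: %s' "$field" "$crumb"
}

# POST to <job URL>/build using a crumb and the session it was issued in.
trigger_build() {
    jar=$(mktemp) || return 1   # cookie jar; mktemp creates it mode 0600
    # Call 1: -c stores the session cookie that the crumb is bound to.
    json=$(curl -sS --fail -u "$JENKINS_USER:$JENKINS_TOKEN" -c "$jar" \
        "$JENKINS_URL/crumbIssuer/api/json") || { rm -f "$jar"; return 1; }
    header=$(parse_crumb_header "$json") || { rm -f "$jar"; return 1; }
    # Call 2: -b sends that same session cookie back with the crumb header.
    curl -sS --fail -u "$JENKINS_USER:$JENKINS_TOKEN" -b "$jar" \
        -H "$header" -X POST "$1/build" && rc=0 || rc=$?
    rm -f "$jar"                # the jar holds a live session ID; remove it
    return "$rc"
}

# Only contact a server when the caller has configured one.
if [ -n "${JENKINS_JOB_URL:-}" ]; then
    trigger_build "$JENKINS_JOB_URL"
fi
```

Without the `-b` cookie jar on the second call, the server sees a new session and the crumb from the first call no longer matches it.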
