I used curl to request the crumb and the session ID and then passed that crumb and session ID to a later curl call which performed the work I needed to do.
Refer to https://github.com/MarkEWaite/jenkins-bugs/blob/6db4ea8ef277dbe496346d8ceaebdb12029d870c/reportScanLogResults#L56 for the "cookie jar" that remembers the session ID. Refer to https://github.com/MarkEWaite/jenkins-bugs/blob/6db4ea8ef277dbe496346d8ceaebdb12029d870c/reportScanLogResults#L89 for a use of that "cookie jar". I think the topic of API use (including cookie use and various alternatives to call the API) deserves a future topic for a "How-To Guide" to be added to https://jenkins.io/doc/developer/guides/ . On Mon, Sep 2, 2019 at 4:09 AM James Telfer <jameswtel...@gmail.com> wrote: > Hi, > > I've been bitten by the security fix in Jenkins LTS 2.176.3 to the CSRF > protection, specifically the tying of a crumb to the session ID it was > generated in. > > There is a note in the upgrade guide > <https://jenkins.io/doc/upgrade-guide/2.176/#SECURITY-626> which suggests > I can trigger builds using an API token without requiring a crumb, which is > pretty much what I want to be able to do. It appears that I should be able > to do this by sending a POST of the form: http://<username>:<API > Token>@<Jenkins job URL>/build > > But I always get back a 403 No valid crumb was included in the request, > which while 100% accurate was not what I expected. > > Any idea how I can do this? > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to jenkinsci-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/jenkinsci-users/97c3ff89-83ab-42f9-bb89-72922a940383%40googlegroups.com > <https://groups.google.com/d/msgid/jenkinsci-users/97c3ff89-83ab-42f9-bb89-72922a940383%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- Thanks! Mark Waite -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAO49JtGgKFcEcEgLwGe9iZW0%3Dq79S4JKQhBFJrnNObbH6W4uGQ%40mail.gmail.com.
