Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/351608 )

Change subject: 0.1.1-wmf6: force jenkins queries to use POST
......................................................................


0.1.1-wmf6: force jenkins queries to use POST

Antoine Musso (1):
      WMF: force Jenkins queries to use POST

Bug: T144106
Change-Id: I063f1f009f8a75948491e866a246c1cf0e9ddb00
---
M debian/changelog
A debian/patches/0009-WMF-force-Jenkins-queries-to-use-POST.patch
M debian/patches/series
3 files changed, 61 insertions(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/debian/changelog b/debian/changelog
index 2365efd..2e53812 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+nodepool (0.1.1-wmf6) jessie-wikimedia; urgency=medium
+
+  * Jenkins 2.46.2 that requires POST for some operations
+
+    0009-WMF-force-Jenkins-queries-to-use-POST.patch
+        [3e7da57] WMF: force Jenkins queries to use POST
+        Antoine Musso <[email protected]>
+    Fix https://phabricator.wikimedia.org/T144106
+
+ -- Antoine Musso <[email protected]>  Wed, 03 May 2017 11:56:39 +0200
+
 nodepool (0.1.1-wmf5) jessie-wikimedia; urgency=medium
 
   * debian/gbp.conf upstream-tag = %(version)s
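
Review bot: The new changelog bullet "Jenkins 2.46.2 that requires POST for some operations" is a sentence fragment that names the trigger rather than the change. Wording such as "Force Jenkins queries to use POST, which Jenkins 2.46.2 requires for some operations" would tell someone reading the package history what this upload actually does. The entry links only the Phabricator task; since the patch description attributes the new requirement to a CSRF fix in the Jenkins 2017-04-26 security advisory, citing that advisory here as well would mark the upload as security-driven.
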
diff --git a/debian/patches/0009-WMF-force-Jenkins-queries-to-use-POST.patch 
b/debian/patches/0009-WMF-force-Jenkins-queries-to-use-POST.patch
new file mode 100644
index 0000000..e9f8549
--- /dev/null
+++ b/debian/patches/0009-WMF-force-Jenkins-queries-to-use-POST.patch
@@ -0,0 +1,49 @@
+From: Antoine Musso <[email protected]>
+Date: Wed, 3 May 2017 11:48:07 +0200
+Subject: WMF: force Jenkins queries to use POST
+
+To protect against Cross-Site Request Forgery vulnerabilities, Jenkins
+2.46.2 now requires requests to be POST when creating/deleting nodes:
+https://jenkins.io/security/advisory/2017-04-26/
+
+That can be done by passing some empty data to a Request() which trick
+urlopen in using a POST instead of a GET.  Since Nodepool extends
+Jenkins class, do it in myjenkins.py instead of python-jenkins.
+
+Bug: T144106
+Change-Id: I62b18d856b7a61e6a301f233848a9c4d620a9ab3
+---
+ nodepool/myjenkins.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/nodepool/myjenkins.py b/nodepool/myjenkins.py
+index 5434614..0f5d7c5 100644
+--- a/nodepool/myjenkins.py
++++ b/nodepool/myjenkins.py
+@@ -39,7 +39,7 @@ class Jenkins(jenkins.Jenkins):
+         if info['offline']:
+             return
+         self.jenkins_open(
+-            urlrequest.Request(self.server + TOGGLE_OFFLINE % locals()))
++            urlrequest.Request(self.server + TOGGLE_OFFLINE % locals(), b''))
+ 
+     def enable_node(self, name):
+         '''
+@@ -53,7 +53,7 @@ class Jenkins(jenkins.Jenkins):
+             return
+         msg = ''
+         self.jenkins_open(
+-            urlrequest.Request(self.server + TOGGLE_OFFLINE % locals()))
++            urlrequest.Request(self.server + TOGGLE_OFFLINE % locals(), b''))
+ 
+     def get_node_config(self, name):
+         '''
+@@ -130,7 +130,7 @@ class Jenkins(jenkins.Jenkins):
+         }
+ 
+         self.jenkins_open(urlrequest.Request(
+-            self.server + CREATE_NODE % urlparse.urlencode(params)))
++            self.server + CREATE_NODE % urlparse.urlencode(params), b''))
+ 
+         if not self.node_exists(name):
+             raise JenkinsException('create[%s] failed' % (name))
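
Review bot: The bare b'' passed as the second argument to Request() at all three call sites (both TOGGLE_OFFLINE calls and the CREATE_NODE call) turns the request into a POST only as a side effect of supplying a body, and nothing in the code says so. A one-line comment at each site, or a small helper that wraps Request(url, b'') under a name that says POST, would keep a later cleanup from dropping the "unused" argument and silently reverting these calls to GET, which Jenkins 2.46.2 rejects according to the description. The description also says POST is required when creating/deleting nodes, yet no delete call is touched in these hunks; please confirm the delete path already sends a POST, or state in the commit message why it needs no change.
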
diff --git a/debian/patches/series b/debian/patches/series
index 77bd0b7..8ce45db 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,4 @@
 0006-Continue-image-refresh-if-etc-nodepool-exists.patch
 0007-node-deletion-delay-is-now-configurable.patch
 0008-WMF-stop-triggering-ListFloatingIPsTask-entirely.patch
+0009-WMF-force-Jenkins-queries-to-use-POST.patch

-- 
To view, visit https://gerrit.wikimedia.org/r/351608
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I063f1f009f8a75948491e866a246c1cf0e9ddb00
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/nodepool
Gerrit-Branch: debian
Gerrit-Owner: Hashar <[email protected]>
Gerrit-Reviewer: Muehlenhoff <[email protected]>
Gerrit-Reviewer: Paladox <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
