On 13/05/16 00:02, James E. Blair wrote:
> Yes, we assume the parameters passed in via gearman are safe, as they
> are provided either by zuul directly, or indirectly by custom functions
> in zuul's configuration managed by the zuul system administrator. So
> this was a feature in Jenkins on which we relied. I think it makes the
> most sense for the gearman plugin to be updated to autowhitelist them if
> that is possible. Is someone interested in working on that?
>
> In the meantime, assuming that your system is entirely driven by
> Zuul+gearman and you do not have jobs that are triggered by other
> plugins where this behavior might not be desirable, I think the command
> line option you mentioned should be safe.
>
> -Jim
Hello,
I have ended up enabling all parameters as documented upstream.
To have the Gearman plugin autowhitelist parameters, I have filed the
issue: https://issues.jenkins-ci.org/browse/JENKINS-34885
And I have added the plugin to the list of plugins affected:
https://wiki.jenkins-ci.org/display/JENKINS/Plugins+affected+by+fix+for+SECURITY-170
Not much I can do myself, I am really Java illiterate :(
Antoine Musso
_______________________________________________
OpenStack-Infra mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
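The thread above turns on three ways a build parameter can survive the SECURITY-170 filtering Jim and Antoine discuss: it is declared on the job, a plugin (here, the Gearman plugin, once JENKINS-34885 is done) whitelists it, or the administrator disables the filtering globally. The following is an added illustration, not code from Jenkins, the Gearman plugin or Zuul, that models those three paths over a constructed set of Zuul-style parameters. The parameter names, the policy class and the function names are assumptions made for the example; in particular, the "keep undefined" switch stands in for the global command line option referred to in the thread, and the example shows why Jim's caveat matters: with that switch on, a parameter such as PATH submitted by any other trigger would reach the build unfiltered.

```python
"""Model of post-SECURITY-170 build-parameter filtering (illustration only).

Added example; not Jenkins, Gearman plugin or Zuul code. Names such as
ParameterPolicy and filter_parameters are assumptions for this example.
"""
from dataclasses import dataclass, field


@dataclass
class ParameterPolicy:
    # Parameters declared on the job itself (the normal, safe path).
    declared: set
    # Parameters a trigger plugin vouches for: what "autowhitelist" by the
    # Gearman plugin would add for the values Zuul passes in.
    plugin_safe: set = field(default_factory=set)
    # Global whitelist maintained by the Jenkins administrator.
    global_safe: set = field(default_factory=set)
    # Global switch that keeps every undeclared parameter (Jim's caveat:
    # safe only if nothing but Zuul+gearman can trigger builds).
    keep_undefined: bool = False


def filter_parameters(policy: ParameterPolicy, incoming: dict) -> tuple:
    """Return (kept, dropped) for a dict of submitted parameters."""
    kept, dropped = {}, {}
    for name, value in incoming.items():
        allowed = (
            policy.keep_undefined
            or name in policy.declared
            or name in policy.plugin_safe
            or name in policy.global_safe
        )
        (kept if allowed else dropped)[name] = value
    return kept, dropped


# Constructed sample: what a Zuul-driven job might receive, plus one
# parameter no job should accept from an untrusted trigger.
ZUUL_PARAMS = {
    "ZUUL_PROJECT": "openstack-infra/zuul",
    "ZUUL_REF": "refs/zuul/master/Zabc123",
    "ZUUL_COMMIT": "abc123",
    "PATH": "/tmp/attacker-bin:/usr/bin",  # constructed hostile value
}


def default_policy() -> ParameterPolicy:
    # Job only declares two of the parameters Zuul sends.
    return ParameterPolicy(declared={"ZUUL_PROJECT", "ZUUL_REF"})


def autowhitelisted_policy() -> ParameterPolicy:
    # Same job, with the trigger plugin vouching for the Zuul-provided
    # parameter the job forgot to declare, but not for PATH.
    return ParameterPolicy(
        declared={"ZUUL_PROJECT", "ZUUL_REF"},
        plugin_safe={"ZUUL_COMMIT"},
    )


def keep_all_policy() -> ParameterPolicy:
    # The global switch: every submitted parameter reaches the build.
    return ParameterPolicy(declared={"ZUUL_PROJECT", "ZUUL_REF"},
                           keep_undefined=True)


if __name__ == "__main__":
    for label, policy in (("declared only", default_policy()),
                          ("plugin autowhitelist", autowhitelisted_policy()),
                          ("keep undefined", keep_all_policy())):
        kept, dropped = filter_parameters(policy, ZUUL_PARAMS)
        print(f"{label}: kept={sorted(kept)} dropped={sorted(dropped)}")
```

Running the module prints one line per policy; the middle one is the outcome the thread is asking the Gearman plugin to provide, where ZUUL_COMMIT survives without anyone having to declare it on every job, while an undeclared PATH is still discarded.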