[JIRA] [core] (JENKINS-29962) Found invalid crumb
Jesse Glick updated an issue
Jenkins / JENKINS-29962 Found invalid crumb
Change By: Jesse Glick
Labels: crumb gui jenkins

This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)
--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Daniel Beck commented on JENKINS-29962 Re: Found invalid crumb
Michael Warkentin No idea. Maybe a plugin you installed? A user-script in your browser?
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Michael Warkentin commented on JENKINS-29962 Re: Found invalid crumb
I used Ajax.Responders.register to peek into the AJAX requests being sent, and noticed that there are actually two separate crumb headers in the options: crumb and Crumb. They both contain the same crumb value. Using this hacky, hopefully temporary snippet, fixed the issue by deleting one of those crumb headers and allowed me to configure the job:

    Ajax.Responders.register({
        onCreate: function(a){
            delete a.options.requestHeaders.Crumb;
        }
    });
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Daniel Beck commented on JENKINS-29962 Re: Found invalid crumb
Could this be related to your customizing the crumb name? It's .crumb by default.
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Michael Warkentin commented on JENKINS-29962 Re: Found invalid crumb
Daniel Beck We'll try removing our custom crumb name and see if that fixes things.
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Michael Warkentin commented on JENKINS-29962 Re: Found invalid crumb
Hey Daniel Beck, looks like things are working without the custom crumb name, however I took a look at the request headers, and we're still sending the extra Crumb header - just that Jenkins isn't using it anymore. Let me know if you have any ideas for figuring out where that's coming from.
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Michael Warkentin commented on JENKINS-29962 Re: Found invalid crumb
I noticed that there seems to be two scripts in the page source which are calling appendToForm:

    <script>function confirmPOST_id1957(post, href, message) {
        if (confirm(message)) {
            var form = document.createElement('form');
            form.setAttribute('method', post ? 'POST' : 'GET');
            form.setAttribute('action', href);
            if (post) {
                crumb.appendToForm(form);
            }
            document.body.appendChild(form);
            form.submit();
        }
        return false;
    }</script>
    <a onclick="confirmPOST_id1958(true, '/jenkins/job/test/doDelete', 'Are you sure about deleting the Project ‘test’?')" class="task-link" href="#">Delete Project</a>
    <script>function confirmPOST_id1958(post, href, message) {
        if (confirm(message)) {
            var form = document.createElement('form');
            form.setAttribute('method', post ? 'POST' : 'GET');
            form.setAttribute('action', href);
            if (post) {
                crumb.appendToForm(form);
            }
            document.body.appendChild(form);
            form.submit();
        }
        return false;
    }</script>
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Daniel Beck commented on JENKINS-29962 Re: Found invalid crumb
In the HTML header of the page should be a script section that initializes the crumb value. What value gets set there? Look for crumb.init. Could you set up a JS break point at appendToForm in hudson-behavior.js to see whether it's called repeatedly? Are you using plugins such as Simple Theme Plugin and are customizing the UI?
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Michael Warkentin commented on JENKINS-29962 Re: Found invalid crumb
Looks like it's initialized with a single value:

    <script>crumb.init("crumb", "3a19f039c1048c7144cb4412f5cc87f6");

crumb.appendToForm appears to be called twice on page load. I don't believe that we have any UI customization plugins installed; here are screenshots showing what plugins we've got installed / enabled:
http://snaps.michaelwarkentin.com.s3.amazonaws.com/Update_Center_Jenkins_2015-08-17_10-02-36.png
http://snaps.michaelwarkentin.com.s3.amazonaws.com/Update_Center_Jenkins_2015-08-17_10-02-53.png
http://snaps.michaelwarkentin.com.s3.amazonaws.com/Update_Center_Jenkins_2015-08-17_10-03-07.png
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Michael Warkentin commented on JENKINS-29962 Re: Found invalid crumb
Based on the js call stack, it's being called twice from behavior.js.

    startNode._each(function (node) {
        var list = findElementsBySelector(node, registration.selector, includeSelf);
        if (list.length > 0) {
            //console.log(registration.id + ':' + registration.selector + ' @' + registration.priority + ' on ' + list.length + ' elements');
            list._each(registration.behavior);
        }
    });

list is an array with 2 elements: form and form.no-json
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Michael Warkentin commented on JENKINS-29962 Re: Found invalid crumb
Never mind, those appear to be functions which get called when clicking on various links.
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Michael Warkentin commented on JENKINS-29962 Re: Found invalid crumb
Here's an example AJAX request when trying to add a new parameter to a job (removed cookies):

    Accept:text/javascript, text/html, application/xml, text/xml, */*
    Accept-Encoding:gzip, deflate
    Accept-Language:en-US,en;q=0.8
    Connection:keep-alive
    Content-Length:2
    Content-type:application/x-stapler-method-invocation;charset=UTF-8
    Crumb:3a19f039c1048c7144cb4412f5cc87f6, 3a19f039c1048c7144cb4412f5cc87f6
    Host:ci.hostname.com
    Origin:https://ci.hostname.com
    Referer:https://ci.hostname.com/jenkins/job/test/configure
    User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
    X-Prototype-Version:1.7
    X-Requested-With:XMLHttpRequest

POST payload was empty: http://snaps.michaelwarkentin.com.s3.amazonaws.com/test_Config_Jenkins_2015-08-17_09-29-11.png
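
The doubled Crumb value in the request above, and the two requestHeaders keys (crumb and Crumb) reported earlier in the thread, reproduced as an added example; this is not code from Jenkins, Prototype.js or the thread's participants. It assumes the server compares the whole header value against the expected crumb; the function names are hypothetical and the sample objects are constructed from the values quoted in the thread.

```javascript
// Added example. Sample values are constructed from the thread; the functions
// are hypothetical and are not Jenkins or Prototype.js code.

// Emulates XMLHttpRequest.setRequestHeader: names are matched
// case-insensitively, and a repeated name has its value appended with ", ".
function toWireHeaders(requestHeaders) {
  const wire = new Map(); // lower-cased name -> combined value
  for (const [name, value] of Object.entries(requestHeaders)) {
    const key = name.toLowerCase();
    wire.set(key, wire.has(key) ? wire.get(key) + ', ' + value : String(value));
  }
  return wire;
}

// Diagnostic: groups of keys that collide once case is ignored.
function findCaseCollisions(requestHeaders) {
  const groups = new Map();
  for (const name of Object.keys(requestHeaders)) {
    const key = name.toLowerCase();
    groups.set(key, (groups.get(key) || []).concat(name));
  }
  return [...groups.values()].filter((names) => names.length > 1);
}

// Length check plus XOR accumulation, so timing does not reveal the
// position of the first mismatching character.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Assumed server behaviour: the whole header value must equal the crumb.
function crumbIsValid(wire, crumbName, expected) {
  const value = wire.get(crumbName.toLowerCase());
  return value !== undefined && constantTimeEqual(value, expected);
}

// Constructed inputs: the same crumb under two spellings, and the fixed form.
const CRUMB = '3a19f039c1048c7144cb4412f5cc87f6';
const duplicated = { crumb: CRUMB, Crumb: CRUMB, 'X-Requested-With': 'XMLHttpRequest' };
const deduplicated = { crumb: CRUMB, 'X-Requested-With': 'XMLHttpRequest' };

console.log(findCaseCollisions(duplicated));
console.log(toWireHeaders(duplicated).get('crumb'));
console.log(crumbIsValid(toWireHeaders(duplicated), 'crumb', CRUMB));
console.log(crumbIsValid(toWireHeaders(deduplicated), 'crumb', CRUMB));
```

Running findCaseCollisions over the request options in an Ajax.Responders onCreate hook is a quick way to confirm whether a page is setting the crumb header under more than one spelling.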
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Michael Warkentin edited a comment on JENKINS-29962 Re: Found invalid crumb
Looks like it's initialized with a single value: {{<script>crumb.init("crumb", "3a19f039c1048c7144cb4412f5cc87f6");}} {{crumb.appendToForm}} appears to be called twice on page load. I don't believe that we have any UI customization plugins installed. Here are screenshots showing what plugins we've got installed / enabled:
* http://snaps.michaelwarkentin.com.s3.amazonaws.com/Update_Center_Jenkins_2015-08-17_10-02-36.png
* http://snaps.michaelwarkentin.com.s3.amazonaws.com/Update_Center_Jenkins_2015-08-17_10-02-53.png
* http://snaps.michaelwarkentin.com.s3.amazonaws.com/Update_Center_Jenkins_2015-08-17_10-03-07.png
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Daniel Beck commented on JENKINS-29962 Re: Found invalid crumb
Could you provide the headers and POST parameters sent by your browser for some request that gets rejected?
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Hany Fahim commented on JENKINS-29962 Re: Found invalid crumb
Hi there, When navigating to /manage, there is no warning or other notice about reverse proxies. I've attached a screenshot of the relevant section about Prevent Cross Site Request Forgery exploits here.
Unable to render embedded object: File (attachment-name.jpg) not found.
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Daniel Beck commented on JENKINS-29962 Re: Found invalid crumb
All instances of this issue I've seen are related to broken config – my apologies for being too quick. Does the /manage URL show a reverse proxy configuration warning? Could you provide a screenshot of the security configuration screen?
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Hany Fahim edited a comment on JENKINS-29962 Re: Found invalid crumb
Hi there, When navigating to /manage, there is no warning or other notice about reverse proxies. I've attached a screenshot of the relevant section about Prevent Cross Site Request Forgery exploits here. Are there any other relevant sections you need to see? Obviously there is sensitive information on this page, so let me know what you need.
!ScreenShot2015-08-15at9.55.10AM.png|thumbnail!
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Hany Fahim edited a comment on JENKINS-29962 Re: Found invalid crumb
Hi there, When navigating to /manage, there is no warning or other notice about reverse proxies. I've attached a screenshot of the relevant section about Prevent Cross Site Request Forgery exploits here.
!ScreenShot2015-08-15at9.55.10AM.png|thumbnail!
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Hany Fahim updated an issue
Jenkins / JENKINS-29962 Found invalid crumb
Change By: Hany Fahim
Attachment: ScreenShot2015-08-15at9.55.10AM.png
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Michael Warkentin commented on JENKINS-29962 Re: Found invalid crumb
Hi Daniel Beck, I have access to the same Jenkins instance as Hany Fahim. I don't see any warnings about the reverse proxy in /jenkins/manage: https://s3.amazonaws.com/snaps.michaelwarkentin.com/Manage_Jenkins_Jenkins_2015-08-15_09-53-04.png
Here's a screenshot of the CSRF section of the security page: https://s3.amazonaws.com/snaps.michaelwarkentin.com/Configure_Global_Security_Jenkins_2015-08-15_09-55-45.png
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Daniel Beck updated JENKINS-29962
Jenkins / JENKINS-29962 Found invalid crumb
Change By: Daniel Beck
Status: Reopened Open
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Daniel Beck resolved as Not A Defect
Access Jenkins using the URL you specified in its global configuration.
Jenkins / JENKINS-29962 Found invalid crumb
Change By: Daniel Beck
Status: Open Resolved
Resolution: NotADefect
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Hany Fahim created an issue
Jenkins / JENKINS-29962 Found invalid crumb
Issue Type: Bug
Assignee: Unassigned
Components: core
Created: 14/Aug/15 9:53 PM
Environment: Jenkins 1.620 with nginx as proxy, SSL enabled.
Labels: jenkins gui
Priority: Blocker
Reporter: Hany Fahim

When trying to configure a new job, adding a new parameter using the drop-down results in a 403 error message being returned:

    403 No valid crumb was included in the request

The logs show:

    WARNING: Found invalid crumb CRUMB_ID, CRUMB_ID. Will check remaining parameters for a valid one...
    Aug 14, 2015 5:32:06 PM hudson.security.csrf.CrumbFilter doFilter
    WARNING: No valid crumb was included in request for /jenkins//$stapler/bound/dd7670cf-db32-481d-b6f3-6fcdfde6e658/render. Returning 403.

Curiously, when examining the request headers, the crumb is
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Hany Fahim reopened an issue
Hi, I'm not sure why this was closed so quickly, but we are accessing it from the same URL. Under Jenkins URL in the Jenkins Location header, we have: https://ci.hostname.com/jenkins/ And the server is being accessed from this URL. We are still getting the same error. Can you clarify what you mean?
Jenkins / JENKINS-29962 Found invalid crumb
Change By: Hany Fahim
Resolution: NotADefect
Status: Resolved Reopened
[JIRA] [core] (JENKINS-29962) Found invalid crumb
Hany Fahim commented on JENKINS-29962 Re: Found invalid crumb
I've confirmed via developer tools that the request is being made to the right URL: https://ci.hostname.com/jenkins/$stapler/bound/8a619a33-bce4-4c9f-81fb-5c98ddd556c7/render
Any ideas?