
JENKINS-34254 - RequirePOST form not including crumb #2268

Closed

Conversation

@kzantow
Contributor

kzantow commented Apr 16, 2016

Stapler generates a form for methods annotated with @RequirePOST but they do not work with CSRF enabled. This alters the form to include a valid crumb, so they function as expected.

This fixes: https://issues.jenkins-ci.org/browse/JENKINS-34254
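As an added illustration of the failure this PR describes (example code, not the PR's own change and not Jenkins or Stapler code): a small Python model of the GET-to-POST confirmation form with and without a crumb, and the CSRF check that rejects a crumb-less submission. The crumb construction (HMAC of the session id under a server secret) and the `Jenkins-Crumb` field name are assumptions.

```python
import hashlib
import hmac
import html
import re
from typing import Optional

# Constructed server-side state for this example (not Jenkins' real values).
SERVER_SALT = b"constructed-server-salt"
CRUMB_FIELD = "Jenkins-Crumb"  # assumed name of the crumb form field

def issue_crumb(session_id: str) -> str:
    """Crumb bound to one session: HMAC of the session id under a server secret.
    The construction is an assumption, modelled loosely on a crumb issuer."""
    return hmac.new(SERVER_SALT, session_id.encode(), hashlib.sha256).hexdigest()

def crumb_is_valid(session_id: str, submitted: Optional[str]) -> bool:
    """CSRF check run on every POST: constant-time compare of the submitted
    crumb against the one this session should hold."""
    if submitted is None:
        return False
    return hmac.compare_digest(issue_crumb(session_id), submitted)

def try_post_form(action: str, crumb: Optional[str] = None) -> str:
    """Render the GET-to-POST confirmation form. With crumb=None this models
    the form as generated before the fix; with a crumb, the fixed form."""
    hidden = ""
    if crumb is not None:
        hidden = (f'<input type="hidden" name="{CRUMB_FIELD}" '
                  f'value="{html.escape(crumb)}">')
    return (f'<form method="post" action="{html.escape(action)}">{hidden}'
            '<button type="submit">Try POSTing</button></form>')

_HIDDEN = re.compile(r'<input type="hidden" name="([^"]+)" value="([^"]*)">')

def submit_form(session_id: str, form_html: str) -> int:
    """Browser-side submit of the form's hidden fields, followed by the
    server-side CSRF check. Returns the HTTP status the POST would get."""
    fields = {html.unescape(n): html.unescape(v)
              for n, v in _HIDDEN.findall(form_html)}
    return 200 if crumb_is_valid(session_id, fields.get(CRUMB_FIELD)) else 403

if __name__ == "__main__":
    sid = "session-A"
    print(submit_form(sid, try_post_form("/job/x/build")))                    # 403
    print(submit_form(sid, try_post_form("/job/x/build", issue_crumb(sid))))  # 200
```

The third case in the test below shows why the crumb must be issued per session: a crumb minted for one session is rejected when submitted from another.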

@kzantow kzantow closed this Apr 18, 2016
@kzantow kzantow reopened this Apr 18, 2016
@kzantow

Contributor Author

kzantow commented Apr 22, 2016

@reviewbybees


reviewbybees commented Apr 22, 2016

This pull request originates from a CloudBees employee. At CloudBees, we require that all pull requests be reviewed by other CloudBees employees before we seek to have the change accepted. If you want to learn more about our process please see this explanation.

Class<?> c = response.getClass();
// The only response with enclosing class of RequirePOST.Processor is the 'try post'
// response, which we need ot modify to be crumb-aware
if (RequirePOST.Processor.class.equals(c.getEnclosingClass())) {
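Review bot: the `if (RequirePOST.Processor.class.equals(c.getEnclosingClass()))` check keys off an undocumented Stapler implementation detail (which nested class the 'try POST' response happens to live in), so a Stapler upgrade that nests a second response type there, or moves this one, would make the crumb injection wrap the wrong response or none at all without any error. Whichever form the match takes (enclosing class or a `c.getName()` comparison), pair it with a test that asserts the rendered 'try POST' form actually contains the crumb field, so a future mismatch fails loudly instead of quietly reintroducing the CSRF failure; the comment above the check also has a typo ("ot modify").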

@jglick

jglick Apr 22, 2016

Member

Better to check c.getName().equals("…") I think.

*
* FIXME: move to Stapler core
*
* @since TODO
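Review bot: the Javadoc's `@since TODO` placeholder needs a concrete version before merge, or should be dropped entirely if the type is kept non-public, since an internal class gets no `@since`; the `FIXME: move to Stapler core` line should also state what the class does and that it is a temporary shim, so it is easy to find and delete once the upstream Stapler change ships.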

@jglick

jglick Apr 22, 2016

Member

Make this package-private please, so it does not become an API.

@jglick

Member

jglick commented Apr 22, 2016

Works, but it would seem a lot cleaner to have an API in Stapler which allows the application to customize the behavior in this way.

@kzantow

Contributor Author

kzantow commented Apr 22, 2016

@jglick Yes, hence the FIXME; I'll be happy to file a patch against stapler and update the dependencies, if you prefer and we can get it incorporated quickly (this was originally going to be a 2.0 patch, which would have not been able to bump the stapler version, I think).

@jglick

Member

jglick commented Apr 22, 2016

if […] we can get it incorporated quickly

If an upstream PR passes review, cutting a release is easy enough.

@kzantow

Contributor Author

kzantow commented Apr 22, 2016

@jglick agreed this is the correct thing to do, here's the stapler PR: stapler/stapler#73

@daniel-beck

Member

daniel-beck commented May 1, 2016

Assuming this is work in progress and will be adapted after the change in Stapler makes it in.

@kzantow

Contributor Author

kzantow commented May 2, 2016

@daniel-beck well, it works fine as-is, but yes the better change is in stapler, then adapt this PR

@andresrc

Contributor

andresrc commented May 12, 2016

🐝 though if we can get stapler/stapler#73 in better

@oleg-nenashev

Member

oleg-nenashev commented Jun 10, 2016

@kzantow Any plans to update it?

@kzantow

Contributor Author

kzantow commented Jul 10, 2016

@oleg-nenashev updated to latest Stapler that contains stapler/stapler#73, addressed @jglick's comment checking c.getName().equals(...

@oleg-nenashev

Member

oleg-nenashev commented Jul 11, 2016

Looks good to me

@kzantow kzantow closed this Jul 11, 2016
@kzantow kzantow reopened this Jul 11, 2016
@kzantow kzantow mentioned this pull request Jul 11, 2016
@kzantow

Contributor Author

kzantow commented Jul 11, 2016

Looks like the stapler upgrade might have introduced a regression, unclear to me; will try to debug the issue in the near future...

@daniel-beck

Member

daniel-beck commented Sep 22, 2016

@kzantow What is the status of this PR?

@oleg-nenashev

Member

oleg-nenashev commented Oct 21, 2016

@kzantow ping

@reviewbybees


reviewbybees commented Nov 14, 2016

This pull request originates from a CloudBees employee. At CloudBees, we require that all pull requests be reviewed by other CloudBees employees before we seek to have the change accepted. If you want to learn more about our process please see this explanation.

@oleg-nenashev

Member

oleg-nenashev commented Jan 8, 2017

any updates?

@daniel-beck

Member

daniel-beck commented Jan 12, 2017

This would be so awesome.

@daniel-beck

Member

daniel-beck commented Feb 23, 2017

@oleg-nenashev @jglick @andresrc PR has been updated. Please re-review.

@jglick

Member

jglick commented Feb 24, 2017

I think it would be better to handle this directly in Stapler with a proper extension point, rather than monkeypatching the HTTP response.

@daniel-beck

Member

daniel-beck commented Feb 24, 2017

@jglick This is already in Stapler for months, so that comment is a bit late, no?

@jglick

Member

jglick commented Feb 24, 2017

This is already in Stapler for months

No, a generic response wrapper is in Stapler. I meant for the actual POST handler to allow the WebApp to specify a custom form.

@daniel-beck

Member

daniel-beck commented Mar 16, 2017

In any case, we need a solution for this. Otherwise @RequirePOST is pointless and we could just use @POST.

@reviewbybees


reviewbybees commented Sep 15, 2017

This pull request originates from a CloudBees employee. At CloudBees, we require that all pull requests be reviewed by other CloudBees employees before we seek to have the change accepted. If you want to learn more about our process please see this explanation.

@kzantow kzantow closed this Oct 11, 2017
@daniel-beck daniel-beck mentioned this pull request Dec 9, 2017