[JIRA] (JENKINS-61133) Github webhook override breaks CSRF exclusion


enwiner@gmail.com (JIRA)

Feb 18, 2020, 1:42:03 PM
to jenkinsc...@googlegroups.com
Eric Winer created an issue
 
Jenkins / Bug JENKINS-61133
Github webhook override breaks CSRF exclusion
Issue Type: Bug
Assignee: Kirill Merkushev
Attachments: image-2020-02-18-13-35-59-338.png, image-2020-02-18-13-36-51-430.png, image-2020-02-18-13-38-47-192.png
Components: github-plugin
Created: 2020-02-18 18:41
Environment: Jenkins 2.204.1 on Linux, Github plugin 1.29.5
Priority: Minor
Reporter: Eric Winer

If you have CSRF checking turned on in Global Security Settings:

 

And you have the Github webhook URL overridden in Jenkins Settings:

Then each webhook payload will hit a CSRF error:

I believe this is because the URL /github-webhook is hardcoded in GitHubWebHookCrumbExclusion.java.

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)
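
The mismatch the report describes, as an added example that is not part of the original message and is not Jenkins or github-plugin code: a simplified Java model of a crumb exclusion that matches only the default path, next to one that also accepts the path of a configured override URL. The class, method names and override URL are constructed for illustration, and accepting the override's path is an assumption about one possible approach, not the plugin's fix.

```java
import java.net.URI;

// Simplified model of crumb (CSRF token) checking with a path exclusion.
// Not Jenkins or github-plugin code: class, methods and override URL are constructed.
public class CrumbExclusionModel {
    // Default webhook path named in the report.
    static final String DEFAULT_HOOK_PATH = "/github-webhook/";

    // Treat "/x" and "/x/" as the same endpoint; nothing else is rewritten.
    static String normalize(String path) {
        if (path == null || path.isEmpty()) return "/";
        return path.endsWith("/") ? path : path + "/";
    }

    // Exclusion that only knows the default path.
    static boolean hardcodedExclusion(String pathInfo) {
        return DEFAULT_HOOK_PATH.equals(normalize(pathInfo));
    }

    // Assumption: the override URL's path is served by this same instance.
    // Exact match only, so no other endpoint loses its crumb check.
    static boolean overrideAwareExclusion(String pathInfo, URI override) {
        if (hardcodedExclusion(pathInfo)) return true;
        if (override == null) return false;
        String hook = normalize(override.getPath());
        // Never exclude the root path, e.g. when the override has no path part.
        return !hook.equals("/") && hook.equals(normalize(pathInfo));
    }

    // A POST passes if it carries a valid crumb or its path is excluded; otherwise 403.
    static int status(boolean hasValidCrumb, boolean excluded) {
        return (hasValidCrumb || excluded) ? 200 : 403;
    }

    public static void main(String[] args) {
        URI override = URI.create("https://ci.example.test/hooks/github/"); // constructed
        String[] paths = {"/github-webhook/", "/hooks/github/", "/job/demo/build"};
        for (String p : paths) {
            // Webhook deliveries carry no crumb, so hasValidCrumb is false.
            int before = status(false, hardcodedExclusion(p));
            int after = status(false, overrideAwareExclusion(p, override));
            System.out.printf("%-18s hardcoded=%d override-aware=%d%n", p, before, after);
        }
    }
}
```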