[JIRA] (JENKINS-61885) setting the system property hudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO to true is no use to disable csrf


zhaoying1258@qq.com (JIRA)

Apr 13, 2020, 12:27:03 PM
to jenkinsc...@googlegroups.com
zhao ying created an issue
 
Jenkins / Bug JENKINS-61885
setting the system property hudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO to true is no use to disable csrf
Issue Type: Bug
Assignee: Unassigned
Components: _unsorted
Created: 2020-04-13 16:26
Environment: centos 7.x
jenkins 2.230
Priority: Critical
Reporter: zhao ying

The HTTP request shows:

```
Error 403 No valid crumb was included in the request
```
I followed https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1774
to disable this security fix by setting the system property hudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO to true,
but it still shows Error 403 No valid crumb was included in the request.


dbeck@cloudbees.com (JIRA)

Apr 17, 2020, 6:17:03 AM
to jenkinsc...@googlegroups.com
Daniel Beck closed an issue as Not A Defect
 

The security fix is unrelated to the now forced enablement of CSRF protection.

For the latter, see https://jenkins.io/doc/upgrade-guide/2.222/#always-enabled-csrf-protection

As the documentation indicates, this option will go away in the future. If you rely on it, make sure all components that rely on CSRF protection being disabled adapt to work with it enabled.

Change By: Daniel Beck
Status: Open → Closed
Resolution: Not A Defect
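
Adapting a client to work with CSRF protection enabled, as the closing comment advises, means requesting a crumb and sending it with each POST. The following is an added example, not part of the thread or of Jenkins itself: it assumes the standard crumb issuer endpoint `/crumbIssuer/api/json`, and the function names and the URL in the usage comment are hypothetical.

```python
import json
import urllib.request
from http.cookiejar import CookieJar

CRUMB_ISSUER_PATH = "/crumbIssuer/api/json"  # Jenkins crumb issuer endpoint


def make_session():
    """Cookie-aware opener. A crumb is bound to the web session it was
    issued in, so the crumb request and the POST must share cookies."""
    return urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))


def crumb_header(issuer_body):
    """Turn the crumb issuer's JSON reply into the header to send."""
    data = json.loads(issuer_body)
    field, crumb = data.get("crumbRequestField"), data.get("crumb")
    if not field or not crumb:
        raise ValueError("crumb issuer reply lacks crumbRequestField/crumb")
    return {field: crumb}


def build_post(base_url, path, session, body=b""):
    """Fetch a crumb over `session` and return a POST request carrying it."""
    base = base_url.rstrip("/")
    with session.open(base + CRUMB_ISSUER_PATH) as resp:
        headers = crumb_header(resp.read())
    return urllib.request.Request(
        base + path, data=body, headers=headers, method="POST")


def post_with_crumb(base_url, path, session=None, body=b""):
    """POST to Jenkins with a valid crumb; returns the HTTP status.
    A 403 raised here (urllib.error.HTTPError) usually means the crumb
    and the POST did not share one session."""
    session = session or make_session()
    req = build_post(base_url, path, session, body)
    with session.open(req) as resp:
        return resp.status

# Usage (hypothetical host and job; authentication omitted):
#   post_with_crumb("https://jenkins.example", "/job/demo/build")
```

Requests authenticated with a Jenkins API token over HTTP Basic auth are exempt from the crumb check, which is often the simpler adaptation for scripts.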