Skip to content

Commit

Permalink
[FIXED JENKINS-12875] Change default crumb name to Jenkins-Crumb
Browse files Browse the repository at this point in the history
  • Loading branch information
@daniel-beck
daniel-beck committed Mar 31, 2016
1 parent e322322 commit ed0ea63
Show file tree
Hide file tree
Showing 5 changed files with 24 additions and 13 deletions.
27 changes: 18 additions & 9 deletions core/src/main/java/hudson/security/csrf/CrumbFilter.java
View file
Expand Up @@ -62,17 +62,11 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
String crumbFieldName = crumbIssuer.getDescriptor().getCrumbRequestField();
String crumbSalt = crumbIssuer.getDescriptor().getCrumbSalt();

String crumb = httpRequest.getHeader(crumbFieldName);
boolean valid = false;
String crumb = extractCrumbFromRequest(httpRequest, crumbFieldName);
if (crumb == null) {
Enumeration<?> paramNames = request.getParameterNames();
while (paramNames.hasMoreElements()) {
String paramName = (String) paramNames.nextElement();
if (crumbFieldName.equals(paramName)) {
crumb = request.getParameter(paramName);
break;
}
}
// compatibility for clients that hard-code the default crumb name up to Jenkins 1.TODO
extractCrumbFromRequest(httpRequest, ".crumb");
}
if (crumb != null) {
if (crumbIssuer.validateCrumb(httpRequest, crumbSalt, crumb)) {
Expand All @@ -93,6 +87,21 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
}
}

private String extractCrumbFromRequest(HttpServletRequest httpRequest, String crumbFieldName) {
String crumb = httpRequest.getHeader(crumbFieldName);
if (crumb == null) {
Enumeration<?> paramNames = httpRequest.getParameterNames();
while (paramNames.hasMoreElements()) {
String paramName = (String) paramNames.nextElement();
if (crumbFieldName.equals(paramName)) {
crumb = httpRequest.getParameter(paramName);

This comment has been minimized.

Sign in to view

Copy link
@Blaisorblade

Blaisorblade Apr 30, 2016

@daniel-beck Why not just httpRequest.getParameter(crumbFieldName), since the code ensures that crumbFieldName.equals(paramName) are equal so the getParameter result should be the same? That's less code, and has better worst-case performance.

JavaDocs for getParameter don't suggest anything else strange going on.

If there's a valid reason I'm missing, I'd suggest to explain it in a comment, lest somebody like me miss that, refactor the code like I'm proposing and introduce a bug.

This comment has been minimized.

Sign in to view

Copy link
@Blaisorblade

Blaisorblade Apr 30, 2016

My comment stands, but this code comes from earlier — the code in ed0ea63#diff-5d3fd678dc669432db5c7c444cbb25a0L68, introduced earlier in 8c4e97d#diff-5d3fd678dc669432db5c7c444cbb25a0R74. The current commit includes however no explanation for this strange algorithm.
break;
}
}
}
return crumb;
}

protected static boolean isMultipart(HttpServletRequest request) {
if (request == null) {
return false;
Expand Down
3 changes: 2 additions & 1 deletion core/src/main/java/hudson/security/csrf/CrumbIssuer.java
View file
Expand Up @@ -43,6 +43,7 @@
public abstract class CrumbIssuer implements Describable<CrumbIssuer>, ExtensionPoint {

private static final String CRUMB_ATTRIBUTE = CrumbIssuer.class.getName() + "_crumb";
public static final String DEFAULT_CRUMB_NAME = "Jenkins-Crumb";

/**
* Get the name of the request parameter the crumb will be stored in. Exposed
Expand Down Expand Up @@ -199,7 +200,7 @@ public static class RestrictedApi extends Api {
} else if ("concat(//crumbRequestField,\":\",//crumb)".equals(xpath)) { // new FullDuplexHttpStream; Main
text = ci.getCrumbRequestField() + ':' + ci.getCrumb();
} else if ("concat(//crumbRequestField,'=',//crumb)".equals(xpath)) { // NetBeans
if (ci.getCrumbRequestField().startsWith(".")) {
if (ci.getCrumbRequestField().startsWith(".") || ci.getCrumbRequestField().contains("-")) {
text = ci.getCrumbRequestField() + '=' + ci.getCrumb();
} else {
text = null;
Expand Down
2 changes: 1 addition & 1 deletion core/src/main/java/hudson/security/csrf/CrumbIssuerDescriptor.java
View file
Expand Up @@ -64,7 +64,7 @@ public String getCrumbRequestField() {
*/
public void setCrumbRequestField(String requestField) {
if (Util.fixEmptyAndTrim(requestField) == null) {
crumbRequestField = ".crumb";
crumbRequestField = CrumbIssuer.DEFAULT_CRUMB_NAME;
} else {
crumbRequestField = requestField;
}
Expand Down
2 changes: 1 addition & 1 deletion core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
View file
Expand Up @@ -124,7 +124,7 @@ public static final class DescriptorImpl extends CrumbIssuerDescriptor<DefaultCr
private final static HexStringConfidentialKey CRUMB_SALT = new HexStringConfidentialKey(Jenkins.class,"crumbSalt",16);

public DescriptorImpl() {
super(CRUMB_SALT.get(), System.getProperty("hudson.security.csrf.requestfield", ".crumb"));
super(CRUMB_SALT.get(), System.getProperty("hudson.security.csrf.requestfield", CrumbIssuer.DEFAULT_CRUMB_NAME));
load();
}

Expand Down
3 changes: 2 additions & 1 deletion test/src/test/groovy/hudson/model/SlaveTest.groovy
View file
Expand Up @@ -28,6 +28,7 @@ import static hudson.util.FormValidation.Kind.WARNING
import static org.junit.Assert.assertNotNull
import static org.junit.Assert.assertEquals

import hudson.security.csrf.CrumbIssuer
import hudson.slaves.DumbSlave
import hudson.slaves.JNLPLauncher
import hudson.util.FormValidation
Expand Down Expand Up @@ -84,7 +85,7 @@ class SlaveTest {
HttpURLConnection con = new URL(j.getURL(),url).openConnection();
con.requestMethod = "POST"
con.setRequestProperty("Content-Type","application/xml;charset=UTF-8")
con.setRequestProperty(".crumb","test")
con.setRequestProperty(CrumbIssuer.DEFAULT_CRUMB_NAME,"test")
con.doOutput = true;
con.outputStream.write(xml.getBytes("UTF-8"))
con.outputStream.close();
Expand Down

0 comments on commit ed0ea63

Please sign in to comment.