timja / jenkins-gh-issues-poc-06-18


[JENKINS-7518] CLONE -Crumb breaks ajax request behind proxies. -- Still broken behind nginx proxies #967

Closed timja closed 10 years ago

timja commented 14 years ago

Hudson: 1.310-SNAPSHOT (svn trunk)

I checked "Prevent Cross Site Request Forgery exploits", then ajax requests like
ajaxBuildQueue returned "HTTP/1.1 430 Forbidden".

I use Hudson installation behind some proxies.

In hudson.security.csrf.DefaultCrumbIssuer L58, "Request#getRemoteAddr()" is
used to update the MessageDigest, but it will return a different IP behind proxies on each
request.


Originally reported by cap10morgan, imported from: CLONE -Crumb breaks ajax request behind proxies. -- Still broken behind nginx proxies
  • assignee: dty
  • status: Resolved
  • priority: Major
  • resolution: Duplicate
  • resolved: 2014-05-18T19:53:04+00:00
  • imported: 2022/01/10
timja commented 14 years ago

dty:

It looks like you've cloned this issue from JENKINS-3854, but you've failed to include what version of Hudson you're seeing this with. As mentioned in the other issue, Hudson 1.313 included a fix for the original report.

timja commented 14 years ago

cap10morgan:

I didn't immediately see any way to edit / comment on the cloned issue. Sorry.

This was on version 1.377, the latest version of Hudson as of 9/20/2010.

All ajax requests get a 403 response. When I turn off the cross-site request forgery feature, they work again.

timja commented 13 years ago

scm_issue_link:

Code changed in hudson
User: dty
Path:
trunk/hudson/main/core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
trunk/hudson/main/core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/config.jelly
trunk/hudson/main/core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/help-excludeClientIPFromCrumb.html
trunk/hudson/main/test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerTest.java
http://jenkins-ci.org/commit/35570
Log:
JENKINS-7518 Add an option to allow exclusion of HTTP client information from
the crumb calculation. This can be enabled for users who sit behind a proxy
that strips this information off, resulting in crumbs varying across requests.

timja commented 13 years ago

dogfood:

Integrated in hudson_main_trunk #314

timja commented 13 years ago

dty:

I added an option to the configuration UI to allow certain aspects of the crumb algorithm to be turned off. This was released in 1.380. Go to Manage Hudson | Configure System and, when you enable CSRF protection, you'll see a new checkbox underneath the Default Crumb Issuer, labeled "Proxy compatibility". Check this and try it again from your proxy.
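
The failure mode in the original report, and the effect of the "Proxy compatibility" option dty describes, as an added example in Python. This is not Jenkins/Hudson code: the real DefaultCrumbIssuer feeds a MessageDigest with the session and (unless excluded) the client address, while the model below uses an HMAC of my own choosing; the secret, session id, the two proxy addresses and the function names are all constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed example, not hudson.security.csrf.DefaultCrumbIssuer itself.
# The crumb binds the user's session and, unless excluded, the client address
# the server observes. Behind a pool of proxies that address is the proxy's,
# so it can differ between the page render and the later AJAX call.

SERVER_SECRET = b"constructed-per-instance-secret"  # assumed: a per-instance secret


def issue_crumb(session_id: str, remote_addr: str, exclude_client_ip: bool = False) -> str:
    """Crumb for a session, optionally also bound to the observed client address."""
    material = session_id.encode()
    if not exclude_client_ip:
        material += b":" + remote_addr.encode()
    return hmac.new(SERVER_SECRET, material, hashlib.sha256).hexdigest()


def validate_crumb(crumb: str, session_id: str, remote_addr: str,
                   exclude_client_ip: bool = False) -> bool:
    """Recompute the crumb for the current request and compare in constant time."""
    expected = issue_crumb(session_id, remote_addr, exclude_client_ip)
    return hmac.compare_digest(crumb, expected)


def proxy_scenario(exclude_client_ip: bool) -> bool:
    """Page render arrives via proxy A, the AJAX request via proxy B (constructed)."""
    session = "JSESSIONID-constructed"
    crumb = issue_crumb(session, "10.0.0.11", exclude_client_ip)          # render, proxy A
    return validate_crumb(crumb, session, "10.0.0.12", exclude_client_ip)  # ajaxBuildQueue, proxy B


if __name__ == "__main__":
    print("client IP in crumb, two proxies  ->", proxy_scenario(False))
    print("client IP excluded, two proxies  ->", proxy_scenario(True))
```

With the client address included, the crumb computed at validation time differs from the one issued, so the request fails exactly as reported (a 403 in the later comments). Excluding the address fixes that, at the cost of one binding: the crumb is then usable from any source address, although it still only validates together with the same session.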

timja commented 13 years ago

nrh:

I'm still seeing the behavior described here, even in 1.420, that is:

I'm behind nginx-1.0.4

Are you sure this was fixed?

timja commented 12 years ago

mdp:

nginx by default disallows some characters in header names that the HTTP specification allows: http://nginx.org/en/docs/http/ngx_http_core_module.html#ignore_invalid_headers
'.' is one of them, so the .crumb header gets filtered out.

This can be turned off as per the linked page - worth noting in documentation (in crumb issuer configuration help?).
But maybe switching to a more compatible header (x-jenkins-crumb?) would be a safer choice?
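
A model of the header filtering mdp describes, as an added example in Python (not nginx source and not Jenkins code). nginx's default `ignore_invalid_headers on` drops request headers whose names are not made of letters, digits and hyphens; underscores pass only with `underscores_in_headers on`, and turning `ignore_invalid_headers off` passes everything. The request headers, the "x-jenkins-crumb" name (taken from the proposal in the thread) and the function names are constructed for the demonstration.

```python
import re

# Constructed model of nginx's header-name check on the way to the upstream.
# With ignore_invalid_headers on (the default), a header whose name contains
# anything other than letters, digits and hyphens is silently dropped, so
# ".crumb" never reaches Jenkins behind such a proxy.
_HYPHEN_ONLY = re.compile(r"^[A-Za-z0-9-]+$")
_WITH_UNDERSCORE = re.compile(r"^[A-Za-z0-9_-]+$")


def proxy_headers(headers: dict, ignore_invalid_headers: bool = True,
                  underscores_in_headers: bool = False) -> dict:
    """Return the headers that survive the proxy's name check."""
    if not ignore_invalid_headers:
        return dict(headers)
    pattern = _WITH_UNDERSCORE if underscores_in_headers else _HYPHEN_ONLY
    return {name: value for name, value in headers.items() if pattern.match(name)}


# Constructed request headers for an AJAX call carrying the crumb under two names.
REQUEST_HEADERS = {
    "Host": "jenkins.example.invalid",
    ".crumb": "0123456789abcdef",           # the header name in use at the time
    "x-jenkins-crumb": "0123456789abcdef",  # the more compatible name proposed above
    "X-Requested-With": "XMLHttpRequest",
}


def crumb_reaches_upstream(header_name: str, **nginx_opts) -> bool:
    """True if the named crumb header is still present after the proxy."""
    return header_name in proxy_headers(REQUEST_HEADERS, **nginx_opts)


if __name__ == "__main__":
    for name in (".crumb", "x-jenkins-crumb"):
        print(f"{name:16} default nginx -> {crumb_reaches_upstream(name)}")
    print(".crumb with ignore_invalid_headers off ->",
          crumb_reaches_upstream(".crumb", ignore_invalid_headers=False))
```

The practical check is the same as the model: compare the header names Jenkins receives with the ones the browser sent. If `.crumb` is missing only when the request goes through nginx, either set `ignore_invalid_headers off;` in the relevant server block (the workaround from the linked nginx docs, which also lets every other oddly named header through) or move to a hyphenated header name.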

timja commented 11 years ago

snekse:

I agree with the comment about switching to a more compatible header like "x-jenkins-crumb".

timja commented 11 years ago

drkibitz:

+1, this affects everyone who uses reverse proxy services such as CloudFlare, as they're using nginx with default settings.

timja commented 10 years ago

jglick:

Careful and see DefaultCrumbIssuerTest.testApiXml; there are subtle security issues surrounding crumb names that could potentially be interpreted as JavaScript identifiers (or otherwise the start of a legal JavaScript statement).

timja commented 10 years ago

danielbeck:

This duplicates JENKINS-12875, which also discusses nginx reverse proxies.

As the number of watchers there is greater, marking this one as resolved.

timja commented 2 years ago

[Originally related to: JENKINS-12875]

timja commented 2 years ago

[Originally related to: JENKINS-3854]