[OpenStack-Infra] Jenkins 1.651.2 strips Zuul emitted parameters
Antoine Musso
hashar at free.fr
Tue May 17 14:47:22 UTC 2016
On 13/05/16 00:02, James E. Blair wrote:
> Yes, we assume the parameters passed in via gearman are safe, as they
> are provided either by zuul directly, or indirectly by custom functions
> in zuul's configuration managed by the zuul system administrator. So
> this was a feature in Jenkins on which we relied. I think it makes the
> most sense for the gearman plugin to be updated to autowhitelist them if
> that is possible. Is someone interested in working on that?
>
> In the mean time, assuming that your system is entirely driven by
> Zuul+gearman and you do not have jobs that are triggered by other
> plugins where this behavior might not be desirable, I think the command
> line option you mentioned should be safe.
>
> -Jim
Hello,
I have ended up enabling all parameters as documented upstream.
To have the Gearman plugin autowhitelist parameters, I have filed the
issue: https://issues.jenkins-ci.org/browse/JENKINS-34885
And I have added the plugin to the list of plugins affected:
https://wiki.jenkins-ci.org/display/JENKINS/Plugins+affected+by+fix+for+SECURITY-170
Not much I can do myself, I am really Java illiterate :(
Antoine Musso
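The two ways of putting Zuul's parameters back after the SECURITY-170 fix differ in blast radius, and the thread only alludes to "the command line option". The script below is an added example, not code from the thread or from the Gearman plugin. It assumes the two upstream system properties that Jenkins documented with the fix (hudson.model.ParametersAction.keepUndefinedParameters, which disables the filter for every job, and hudson.model.ParametersAction.safeParameters, a comma-separated allowlist), and it assumes the ZUUL_* parameter names of Zuul v2; filter_params is a hypothetical model of the core filter written for illustration, not Jenkins code.

```shell
#!/bin/sh
# Added example. The two -D properties are the upstream SECURITY-170 knobs;
# the ZUUL_* names are assumed from Zuul v2; filter_params is a model, not Jenkins code.

# Parameter names Zuul v2 hands to jobs through the Gearman plugin (constructed list).
ZUUL_PARAMS="ZUUL_UUID ZUUL_REF ZUUL_COMMIT ZUUL_PROJECT ZUUL_PIPELINE ZUUL_URL ZUUL_BRANCH ZUUL_CHANGE ZUUL_CHANGES ZUUL_PATCHSET"

# Weak setting: "enable all parameters". Every undefined parameter is kept again,
# for every job on the master, whichever trigger or plugin supplied it.
weak_java_opts() {
    echo "-Dhudson.model.ParametersAction.keepUndefinedParameters=true"
}

# Narrower setting: keep only the names Zuul is expected to send;
# any other undefined parameter is still dropped.
safe_java_opts() {
    echo "-Dhudson.model.ParametersAction.safeParameters=$(echo "$ZUUL_PARAMS" | tr ' ' ',')"
}

# Model of the 1.651.2 behaviour: a received NAME=VALUE survives only when NAME is one
# of the job's own parameter definitions or is on the safe list.
#   $1   job-defined parameter names, space separated
#   $2   safe list, comma separated (may be empty)
#   rest NAME=VALUE pairs as received from the trigger
# Surviving pairs go to stdout, one per line; dropped names are reported on stderr.
filter_params() {
    defined=" $1 "
    safe=" $(echo "$2" | tr ',' ' ') "
    shift 2
    for kv in "$@"; do
        name=${kv%%=*}
        case "$defined" in *" $name "*) echo "$kv"; continue;; esac
        case "$safe" in *" $name "*) echo "$kv"; continue;; esac
        echo "dropped: $name" >&2
    done
}

# Demo with a constructed job that defines only BUILD_TYPE.
# Without an allowlist the Zuul parameter is stripped; with it, only the stray one is.
filter_params "BUILD_TYPE" "" BUILD_TYPE=release ZUUL_REF=refs/zuul/example
filter_params "BUILD_TYPE" "$(echo "$ZUUL_PARAMS" | tr ' ' ',')" \
    BUILD_TYPE=release ZUUL_REF=refs/zuul/example INJECTED=1
```

Either property is passed to the JVM that runs Jenkins (for example through JAVA_OPTS in the service's defaults file). The allowlist keeps the protection for jobs triggered by anything other than Zuul, which is the caveat Jim raised above, at the cost of having to extend it whenever Zuul starts emitting a new name.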