- Type: Bug
- Resolution: Fixed
- Priority: Low
- Affects Version/s: 4.8.15
- Component/s: Integrations
- Severity 3 - Minor
- 28
Issue Summary
When Fecru is accessed through a context path (<base_url>/context), the XSRF check fails during the OAuth dance with application links.
Steps to Reproduce
- Set up Jira (latest version)
- Set up Fisheye 4.8.15 with a context path
- Create an application link
- Attempt to authenticate
- Click "Allow"
Expected Results
The OAuth token is created and application link features are accessible to the user.
Actual Results
The popup changes to show:
XSRF Validation Failed
Workaround
Reconfigure network routing and Fisheye to not use a web context.
or
Use the following Byteman script to whitelist the Jira base URL:
RULE url-whitelist
CLASS com.atlassian.sal.fisheye.xsrf.FisheyeXsrfTokenAccessor
METHOD foundValidCsrfEntry
AT ENTRY
BIND
# <base_url> -> replace with jira domain for the client eg. https://my.jira.com:8080
IF TRUE
DO return $3.startsWith("<base_url>") || $1.urlMatches($2) && $1.referrerMatches($3) && $1.tokenMatches($4);
ENDRULE
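What the rule's DO expression accepts, as an added example that is not part of the original issue or Atlassian's code: a Python model of `a || (b && c && d)`, useful for checking the value substituted for `<base_url>` before deploying the rule. The function names, the sample Referer values and the stricter origin comparison are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def workaround_accepts(referrer, base_url, url_ok, referrer_ok, token_ok):
    """Model of the DO expression. In Java, && binds tighter than ||, so a
    Referer that starts with base_url returns true without the URL,
    referrer or token checks being consulted."""
    return referrer.startswith(base_url) or (url_ok and referrer_ok and token_ok)

def same_origin(referrer, base_url):
    """Assumed stricter test: scheme, host and port must be equal."""
    r, b = urlsplit(referrer), urlsplit(base_url)
    try:
        r_port = r.port or DEFAULT_PORTS.get(r.scheme)
        b_port = b.port or DEFAULT_PORTS.get(b.scheme)
    except ValueError:          # non-numeric or out-of-range port
        return False
    if not b.hostname:          # malformed base URL never matches
        return False
    return (r.scheme, r.hostname, r_port) == (b.scheme, b.hostname, b_port)

# Constructed sample Referer values; the base URL is the page's own example.
BASE = "https://my.jira.com:8080"
SAMPLES = [
    "https://my.jira.com:8080/any/page",
    "https://my.jira.com:8080.example.net/any/page",
    "https://my.jira.com:80801/any/page",
    "https://other.example/any/page",
]

def report(base_url=BASE):
    """For each sample: (referrer, accepted by prefix rule with every other
    check failing, accepted with a trailing slash on base_url, same origin)."""
    rows = []
    for ref in SAMPLES:
        rows.append((
            ref,
            workaround_accepts(ref, base_url, False, False, False),
            workaround_accepts(ref, base_url + "/", False, False, False),
            same_origin(ref, base_url),
        ))
    return rows

if __name__ == "__main__":
    for row in report():
        print(row)
```

Only the first sample passes all three columns; ending the substituted `<base_url>` with `/` makes the rule's prefix test agree with the origin comparison on these inputs.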