Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Won't Fix
Priority: Medium
Fix Version/s: Bugfix Release
Affects Version/s: 4.4
Component/s: None
Labels:
- affects-server
- security

Introduced in Version:
4.04
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

We do this for XSRF protection. Basically you should be able to subvert the web sudo mechanism via a HTTP header.

This posts shows the use case

https://answers.atlassian.com/questions/1273/jira-jelly-runner-via-cron-in-v4-3-4

I believe it just as secure since web sudo is really design to stop some one using your browser (directly or via XSRF) to perform admin actions as you.

Scripts don't suffer this problem. The need your username and password to run at all.

Attachments

Activity

People

Assignee:: metapoint

Reporter:: ɹǝʞɐq pɐɹq

Votes:: 4 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 01/Jul/2011 10:40 AM

Updated:: 28/Mar/2019 12:02 AM

Resolved:: 15/Dec/2011 3:41 AM