- Bug
- Resolution: Won't Fix
- Low
- None
- 5.2.11, 6.0.5, 6.4.11
- 5.02
When XSRF checking is disabled by setting the property jira.xsrf.enabled=false in jira-config.properties according to the page, it doesn't stop the XSRF checking when using the JIRA REST API. However, the property does take effect when you try an operation through a form in the browser.
Steps to Reproduce:
- Set jira.xsrf.enabled=false in jira-config.properties
- Start up JIRA
- Double check the system info and verify that the property is picked up by JIRA
- Try to run the following cURL command without the "X-Atlassian-Token: nocheck" header:
curl -D- -u admin:admin -X POST -F "file=@data.json" http://localhost:8605/rest/api/2/issue/TEST-10/attachments
- The POST request will fail due to the XSRF check:
HTTP/1.1 100 Continue

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
X-AREQUESTID: 930x34x1
Set-Cookie: JSESSIONID=A0C11B22160D0CD729FF185C4BD54513; Path=/; HttpOnly
X-Seraph-LoginReason: OK
Set-Cookie: atlassian.xsrf.token=BJIT-YH5P-D3D6-OSCL|f436cd5126041ca4a65e8fda582a808e2866a8f4|lin; Path=/
X-ASESSIONID: ill5f2
X-AUSERNAME: admin
Cache-Control: no-cache, no-store, no-transform
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 11 Sep 2013 07:30:43 GMT

XSRF check failed
Expected Result:
The POST request should work and the attachment should be successfully added to the issue, as the XSRF check has been disabled in JIRA.
Actual Result:
The POST request failed with a 404 error because the XSRF check failed.
Note:
The POST will work right after you add the token header:
curl -D- -u admin:admin -X POST -H "X-Atlassian-Token: nocheck" -F "file=@data.json" http://localhost:8605/rest/api/2/issue/TEST-10/attachments
On recent versions of Jira the header should be X-Atlassian-Token: no-check
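The behaviour reported above can be modelled as a header check on the REST path that never consults the form-token setting. This is an added example, not Jira's code or part of the original report; the function names, the list of form-submittable content types and the set of checked methods are assumptions.

```python
# Simplified model of a header-based XSRF check on a REST endpoint.
# Not Jira's code: names, content-type list and method list are assumptions.

# Content types an HTML form can submit cross-site (the three form enctypes).
FORM_SUBMITTABLE = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
MUTATING_METHODS = {"POST", "PUT", "DELETE", "PATCH"}  # assumed set
# Header values taken from the page: "nocheck" and, on recent versions, "no-check".
ACCEPTED_TOKEN_VALUES = {"nocheck", "no-check"}


def media_type(content_type):
    """Strip parameters such as '; boundary=...' and normalise case."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def rest_xsrf_check(method, headers, form_xsrf_enabled=True):
    """Return None if the request passes, else (status, body).

    form_xsrf_enabled stands in for jira.xsrf.enabled. It is accepted but
    deliberately unused, mirroring the behaviour reported on this page.
    """
    # HTTP header names are case-insensitive.
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() not in MUTATING_METHODS:
        return None
    if media_type(h.get("content-type")) not in FORM_SUBMITTABLE:
        # e.g. application/json: a plain HTML form cannot produce this type.
        return None
    token = h.get("x-atlassian-token", "").strip().lower()
    if token in ACCEPTED_TOKEN_VALUES:
        # A cross-site HTML form cannot attach custom request headers.
        return None
    return 404, "XSRF check failed"  # status and body as shown in the report


if __name__ == "__main__":
    multipart = {"Content-Type": "multipart/form-data; boundary=x"}  # constructed
    # Attachment upload without the header, form-token setting disabled.
    print(rest_xsrf_check("POST", multipart, form_xsrf_enabled=False))
    # Same upload with the header from the report's workaround.
    print(rest_xsrf_check("POST", {**multipart, "X-Atlassian-Token": "nocheck"}))
```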
- is related to: CONFSERVER-26485 Turning off Anti-XSRF protection for comments has no effect (Closed)
- relates to: REST-263