Opened 6 years ago

Closed 6 years ago

Last modified 4 years ago

#10690 closed defect (fixed)

Trac error on password change

Reported by: GITNE
Owned by: erinn
Priority: Very High
Milestone:
Component: Internal Services/Service - trac
Version:
Severity:
Keywords: trac password change SQL error python security
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Trac causes this error when trying to change my password:

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/trac/web/api.py", line 514, in send_error
    data, 'text/html')
  File "/usr/lib/python2.7/dist-packages/trac/web/chrome.py", line 976, in render_template
    data = self.populate_data(req, data)
  File "/usr/lib/python2.7/dist-packages/trac/web/chrome.py", line 882, in populate_data
    'context': web_context(req) if req else None,
  File "/usr/lib/python2.7/dist-packages/trac/web/chrome.py", line 292, in web_context
    perm = req.perm
  File "/usr/lib/python2.7/dist-packages/trac/web/api.py", line 316, in __getattr__
    value = self.callbacks[name](self)
  File "/usr/lib/python2.7/dist-packages/trac/web/main.py", line 264, in _get_perm
    return PermissionCache(self.env, self.authenticate(req))
  File "/usr/lib/python2.7/dist-packages/trac/web/main.py", line 135, in authenticate
    authname = authenticator.authenticate(req)
  File "build/bdist.linux-x86_64/egg/acct_mgr/util.py", line 82, in wrap
    return func(self, *args, **kwds)
  File "build/bdist.linux-x86_64/egg/acct_mgr/web_ui.py", line 374, in authenticate
    return auth.LoginModule.authenticate(self, req)
  File "/usr/lib/python2.7/dist-packages/trac/web/auth.py", line 91, in authenticate
    req.incookie['trac_auth'])
  File "build/bdist.linux-x86_64/egg/acct_mgr/web_ui.py", line 448, in _get_name_for_cookie
    name = auth.LoginModule._get_name_for_cookie(self, req, cookie)
  File "/usr/lib/python2.7/dist-packages/trac/web/auth.py", line 238, in _get_name_for_cookie
    name = self._cookie_to_name(req, cookie)
  File "/usr/lib/python2.7/dist-packages/trac/web/auth.py", line 234, in _cookie_to_name
    for name, in self.env.db_query(sql, args):
  File "/usr/lib/python2.7/dist-packages/trac/db/api.py", line 122, in execute
    return db.execute(query, params)
  File "/usr/lib/python2.7/dist-packages/trac/db/util.py", line 121, in execute
    cursor.execute(query, params)
  File "/usr/lib/python2.7/dist-packages/trac/db/util.py", line 65, in execute
    return self.cursor.execute(sql_escape_percent(sql), args)
InternalError: current transaction is aborted, commands ignored until end of transaction block

Supposedly, some characters in the new password are trickling down to the SQL level where the SQL statement responsible for setting the password has not been authored correctly. This may pose a potential security hole.

Change History (10)

comment:1 Changed 6 years ago by nickm

A little googling suggests that this could also be a schema migration issue or a schema/plugin compatibility issue. Nonetheless, we should treat it as most urgent until we know for sure.

comment:2 Changed 6 years ago by nickm

In http://trac.edgewall.org/browser/trunk/trac/web/auth.py#L231, the query does indeed look like it's using a proper escaping mechanism, assuming that the underlying Python DB module is working. More investigation is warranted.
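
An added example, not part of this ticket and not Trac's or AccountManager's own code, to make the escaping question concrete. It uses the standard-library sqlite3 module as an offline stand-in for the PostgreSQL backend implied by the traceback, and the table and function names (auth_cookie, password, set_password_unsafe, set_password_safe) are hypothetical. The unsafe variant splices the new password into the statement text, so characters like a single quote change the SQL and the statement fails; the parameterised variant (the mechanism the linked auth.py query relies on, via the DB-API driver) carries the value separately and stores it byte-for-byte.

```python
import sqlite3

# Constructed sample input: a password containing characters that break a
# naively quoted SQL string (single quote, percent sign, semicolon, comment).
SAMPLE_PASSWORD = "p'ass%word;--"


def make_db():
    """In-memory stand-in for an account store. Hypothetical schema; Trac's
    real tables and the PostgreSQL backend from the ticket are not reproduced.
    A real store keeps a password hash, not the plaintext; hashing is left out
    here to keep the focus on how the value reaches the database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_cookie (cookie TEXT, name TEXT)")
    conn.execute("CREATE TABLE password (name TEXT PRIMARY KEY, pwd TEXT)")
    conn.commit()
    return conn


def set_password_unsafe(conn, name, pwd):
    """Anti-pattern: the value is formatted into the statement text, so any
    quote in pwd is parsed as SQL. With SAMPLE_PASSWORD the statement becomes
    malformed and the driver raises an OperationalError."""
    sql = ("INSERT OR REPLACE INTO password (name, pwd) VALUES ('%s', '%s')"
           % (name, pwd))
    conn.execute(sql)
    conn.commit()


def set_password_safe(conn, name, pwd):
    """Parameter binding: placeholders in the statement, values passed to the
    driver separately. No character in pwd is ever interpreted as SQL."""
    conn.execute(
        "INSERT OR REPLACE INTO password (name, pwd) VALUES (?, ?)",
        (name, pwd),
    )
    conn.commit()


def get_password(conn, name):
    """Read back the stored value for name, or None if absent (parameterised)."""
    row = conn.execute(
        "SELECT pwd FROM password WHERE name = ?", (name,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both variants on the same input.

    Returns (unsafe_failed, stored_value): whether the string-formatted
    statement was rejected, and what the parameterised one actually stored.
    """
    conn = make_db()
    unsafe_failed = False
    try:
        set_password_unsafe(conn, "alice", SAMPLE_PASSWORD)
    except sqlite3.OperationalError:  # malformed statement, as expected
        unsafe_failed = True
    set_password_safe(conn, "alice", SAMPLE_PASSWORD)
    return unsafe_failed, get_password(conn, "alice")


if __name__ == "__main__":
    failed, stored = demo()
    print("unsafe variant rejected the input:", failed)
    print("safe variant stored:", repr(stored))
```

One diagnostic point for reading the traceback above: the PostgreSQL message "current transaction is aborted, commands ignored until end of transaction block" is raised for any statement issued after an earlier statement in the same transaction has already failed. The SELECT in _cookie_to_name is therefore only the first command to run after that failure, not necessarily the statement that broke; the server log entry immediately before it is where the actual failing statement (and its error) will be.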

comment:3 Changed 6 years ago by nickm

Also, I appear to get the same error when I try to change my password, no matter what I try to change my password to, even if I try an old password and a new password with no SQL-breaking characters.

comment:4 in reply to: 3 Changed 6 years ago by GITNE

Replying to nickm:

Also, I appear to get the same error when I try to change my password, no matter what I try to change my password to, even if I try an old password and a new password with no SQL-breaking characters.

Well, then I guess it should be addressed asap anyways. ;-)
Thank you for responding to this.

comment:5 Changed 6 years ago by GITNE

Is this even addressed? I mean not being able to change one's password is a serious problem. It has been a week since the report has been filed!

comment:6 Changed 6 years ago by arma

Be patient -- we have no trac developers. Would you prefer we shut it down?

This part of the bug is related to the "with the new version of trac, we can't load the user list on the admin page" issue too.

comment:7 in reply to: 6 Changed 6 years ago by GITNE

Replying to arma:

Be patient -- we have no trac developers. Would you prefer we shut it down?

Well, patience is a relative term. 6 weeks since filing this serious problem and not fixing it is definitely beyond anybody's time period for graciousness.

Apparently, the trac admins are either incompetent or lazy. Either way, they suck!

Indeed, there is a quick solution to this problem, even while not being a trac developer: Downgrade to a previous version where this obvious regression did not exist. Aside from that, I am speechless and with me probably many other users are, too.

comment:8 Changed 6 years ago by erinn

Resolution: fixed
Status: new → closed

The problem seems to just have been some improperly set and confusingly named trac.ini options. I've fixed those and password reset seems possible now. Closing, please re-open if you encounter further problems.

comment:9 in reply to: 8 Changed 6 years ago by GITNE

Replying to erinn:

The problem seems to just have been some improperly set and confusingly named trac.ini options. I've fixed those and password reset seems possible now. Closing, please re-open if you encounter further problems.

Pheew, thank you! :)

comment:10 Changed 4 years ago by qbi

Component: Trac → Service - trac

Move all tickets from trac to "Service - trac" component.
