Opened 5 years ago

Closed 3 years ago

#4891 closed defect (fixed)

Login credentials are inserted into trac.ini

Reported by: xqhu@… Owned by: rjollos
Priority: highest Component: IniAdminPlugin
Severity: normal Keywords: password autofill
Cc: alec@…, martin_s Trac Release: 0.11

Description (last modified by rjollos)

It is an emergent case. I installed IniAdminPlugin for trac 0.11 today. I used this plugin to change the item order in mainnav. After I applied the changes, I got these errors:

Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/api.py", line 367, in send_error
    'text/html')
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/chrome.py", line 708, in render_template
    data = self.populate_data(req, data)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/chrome.py", line 618, in populate_data
    d['chrome'].update(req.chrome)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/api.py", line 194, in __getattr__
    value = self.callbacks[name](self)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/chrome.py", line 476, in prepare_request
    for category, name, text in contributor.get_navigation_items(req):
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/ticket/web_ui.py", line 163, in get_navigation_items
    if 'TICKET_CREATE' in req.perm:
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/api.py", line 194, in __getattr__
    value = self.callbacks[name](self)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/main.py", line 264, in _get_perm
    return PermissionCache(self.env, self.authenticate(req))
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/main.py", line 133, in authenticate
    authname = authenticator.authenticate(req)
  File "build/bdist.linux-x86_64/egg/acct_mgr/web_ui.py", line 429, in wrap
  File "build/bdist.linux-x86_64/egg/acct_mgr/web_ui.py", line 440, in authenticate
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/auth.py", line 70, in authenticate
    authname = self._get_name_for_cookie(req, req.incookie['trac_auth'])
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/auth.py", line 184, in _get_name_for_cookie
    db = self.env.get_db_cnx()
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/env.py", line 273, in get_db_cnx
    return DatabaseManager(self).get_connection()
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/db/api.py", line 74, in get_connection
    connector, args = self._get_connector()
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/db/api.py", line 85, in _get_connector
    scheme, args = _parse_db_str(self.connection_uri)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/db/api.py", line 111, in _parse_db_str
    scheme, rest = db_str.split(':', 1)
ValueError: need more than 1 value to unpack

I really don't know what is wrong here. Could anyone help me ASAP?

Thank you very much.

Attachments (1)

iniadmin_autocomplete_off.patch (542 bytes) - added by martin_s 4 years ago.
This patch adds JavaScript code which adds the non-standard 'autocomplete="off"' attribute to the HTML form created by IniAdminPlugin in order to avoid the issue.


Change History (12)

comment:1 in reply to: ↑ description Changed 5 years ago by xqhu@…

I solved the problem by myself. I'm sure the error was caused by IniAdminPlugin. After I applied the changes I did, the "Database Connection Strings" was screwed up and the "database" value in trac.ini was set to my user's password! Since I used SQLite, I changed it back to "sqlite:db/trac.db". Then trac works again!

comment:2 Changed 5 years ago by olaf.meeuwissen@…

I've seen the same thing happen. When loading the page for the [trac] section, the browser automatically inserted my logon credentials in the base_url and database fields. The logon credentials used were those I use to login to our Trac environments.

I had to get the server admin (me) to fix the mess in trac.ini with his favourite text editor.

In case it matters, the browser used was Epiphany on a client running up-to-date Debian testing.
The server runs Debian stable and hosts multiple Trac environments, each served via a separate Apache process using WSGI. The server setup uses a single htdigest file to store the authentication credentials for all environments. Installed plugins that just might be remotely(?) related to the problem are AccountManagerPlugin, NoAnonymousPlugin and SuperUserPlugin.

comment:3 Changed 4 years ago by rjollos

  • Owner changed from athomas to rjollos
  • Summary changed from iniadmin casues trac crashed to Login credentials are inserted into trac.ini

comment:4 Changed 4 years ago by rjollos

  • Description modified (diff)

comment:5 Changed 4 years ago by martin_s

  • Keywords password autofill added

I had a quick look into this. This seems to be caused by the database string being rendered as a password input field. Then under some circumstances the browser seems to autofill the user's password into this field! So there is a client side to this defect.

A fix for this would be to remove trac:database from the passwords option of IniAdminPlugin itself. Alternatively, watch the autofill function of your browser.

comment:6 Changed 4 years ago by martin_s

  • Cc martin_s added

comment:7 Changed 4 years ago by rjollos

Thanks for doing some research on this. I haven't had time to dig into the source code ... it's one of those things that requires a full day to spend on, so I might not get to it for a couple of weeks or months. I'll gladly apply any patches you create or think are up to par (there are several open tickets with patches).

comment:8 Changed 4 years ago by martin_s

I can create a small patch for it, but as stated it's a client side thing. There is the trade-off between avoiding this issue and potentially revealing the DB username and password to someone who has TRAC_ADMIN rights (or anyone looking over this guy's shoulder).

As stated any user can fix this for himself by changing the passwords option of IniAdminPlugin. Please note that by default the plugin does not show its own options, so the trac.ini file must be added manually.

Changed 4 years ago by martin_s

This patch adds JavaScript code which adds the non-standard 'autocomplete="off"' attribute to the HTML form created by IniAdminPlugin in order to avoid the issue.

comment:9 Changed 4 years ago by martin_s

The attached patch should avoid the issue with most modern browsers. Unfortunately this HTML attribute isn't part of the standard, so there is no guarantee (ok, there wouldn't be one if it were). I'm using JavaScript to apply it to keep the generated XHTML code within the standard. Genshi might filter it out otherwise.
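Added example (not the attached patch and not IniAdminPlugin's own code) showing the two mitigations discussed in comment:5 and comment:9 side by side: applying the non-standard autocomplete="off" attribute from JavaScript so the served XHTML stays valid, and the alternative of not rendering the connection string as a password field at all, which is what dropping trac:database from the passwords option achieves server-side. The form id "modiniadmin" and the field name "database" are assumptions used only to locate elements; the tiny DOM stand-in at the bottom is constructed so the block runs under Node without a browser.

```javascript
// Mark a form and every password-type input inside it with the
// non-standard autocomplete="off" attribute. Setting it from script,
// rather than in the template, keeps the generated XHTML valid.
// Returns the number of password inputs touched so a caller can
// confirm the mitigation actually reached a field.
function disableAutofill(form) {
  form.setAttribute('autocomplete', 'off');
  let touched = 0;
  const inputs = form.getElementsByTagName('input');
  for (let i = 0; i < inputs.length; i++) {
    const type = (inputs[i].getAttribute('type') || 'text').toLowerCase();
    if (type === 'password') {
      inputs[i].setAttribute('autocomplete', 'off');
      touched++;
    }
  }
  return touched;
}

// The alternative from comment:5: a connection string that is not a
// password field is not a credential target for the password manager,
// so a saved login cannot be substituted into it. The trade-off from
// comment:8 applies: the DB URI (including any embedded password) is
// then visible in clear to anyone who can open the admin page.
// Returns true when a matching password field was converted.
function demoteToText(form, fieldName) {
  const inputs = form.getElementsByTagName('input');
  for (let i = 0; i < inputs.length; i++) {
    const type = (inputs[i].getAttribute('type') || 'text').toLowerCase();
    if (inputs[i].getAttribute('name') === fieldName && type === 'password') {
      inputs[i].setAttribute('type', 'text');
      return true;
    }
  }
  return false;
}

// Minimal stand-in for DOM elements so the block runs under Node.
// Constructed for this example; not taken from the plugin's templates.
function makeElement(attrs, children) {
  const a = Object.assign({}, attrs);
  return {
    getAttribute: (k) => (k in a ? a[k] : null),
    setAttribute: (k, v) => { a[k] = String(v); },
    getElementsByTagName: (tag) =>
      (tag.toLowerCase() === 'input' ? (children || []) : []),
  };
}

// Constructed approximation of the [trac] section form from the report:
// base_url as plain text, database rendered as a password field.
function sampleForm() {
  return makeElement({ id: 'modiniadmin' }, [
    makeElement({ type: 'text', name: 'base_url', value: '' }),
    makeElement({ type: 'password', name: 'database', value: 'sqlite:db/trac.db' }),
    makeElement({ type: 'text', name: 'repository_dir', value: '' }),
  ]);
}

// Browser entry point, guarded so the file also loads under Node.
if (typeof document !== 'undefined') {
  const form = document.getElementById('modiniadmin'); // assumed id
  if (form) disableAutofill(form);
}
```

Current Firefox and Chrome ignore autocomplete="off" for saved-login autofill on password fields, so in practice only the second function (or removing trac:database from the plugin's passwords option) reliably stops the browser from writing a user's Trac password into the database string.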

comment:10 Changed 3 years ago by rjollos

  • Status changed from new to assigned

I seem to have forgotten about this one. Will apply the patch now ...

comment:11 Changed 3 years ago by rjollos

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [9465]) Try to avoid auto-fill of user's password into the database string field. Patch by martin_s. Fixes #4891.
