Modify

Opened 4 years ago

Closed 22 months ago

Last modified 16 months ago

#8558 closed defect (fixed)

Authentication Failure returns invalid HTTP Response (content-length incorrect)

Reported by: kubes@… Owned by: jun66j5
Priority: normal Component: HttpAuthPlugin
Severity: normal Keywords: XmlRpc authentication content-length
Cc: olemis Trac Release: 0.12

Description (last modified by osimons)

I have install XmlRpcPlugin and HttpAuthPlugin, I am not sure, where exactly is the error. when I connect by my .NET client to the XmlRpc, I get this exception from request.GetResponse() (.NET method)

I debugged it by fiddler HTTP debugger and I have found, that trac send wrong Content-Length (23bytes). It sends text "Authentication required" which is exactly 23bytes. But there is small HTML block appended, which cause, that content length is wrong. I can reproduce it with python 2.5 and python 2.7 as well. I have attached the output of fiddler, please see bellow. I find interesting, that the request is made via HTTP 1.1, but in repsonse HTTP 0.9 is mentioned.

POST http://10.250.10.55/mew/login/xmlrpc HTTP/1.1
Content-Type: text/xml
User-Agent: XML-RPC.NET
Host: 10.250.10.55
Cookie: trac_session=2a1a01b9d7d8bcb3db9afc27
Content-Length: 229

<?xml version="1.0"?>
<methodCall>
  <methodName>system.methodHelp</methodName>
  <params>
    <param>
      <value>
        <string>ticket.getRecentChanges</string>
      </value>
    </param>
  </params>
</methodCall>
HTTP/1.1 401 Unauthorized
Server: tracd/0.12.2 Python/2.7
Date: Wed, 02 Mar 2011 14:07:38 GMT
WWW-Authenticate: Basic realm="Control Panel"
Content-Type: text/plain
Pragma: no-cache
Cache-control: no-cache
Expires: Fri, 01 Jan 1999 00:00:00 GMT
Content-Length: 23

Authentication required<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 400.
<p>Message: Bad HTTP/0.9 request type ('&lt;?xml').
<p>Error code explanation: 400 = Bad request syntax or unsupported method.
</body>

Attachments (1)

t8558-close-conn-trac-0.12-r11474.diff (1.8 KB) - added by jun66j5 22 months ago.
[PATCH] Adding Connection: close when sending errors for Trac 0.12-stable

Download all attachments as: .zip

Change History (14)

comment:1 Changed 4 years ago by osimons

  • Component changed from XmlRpcPlugin to HttpAuthPlugin
  • Description modified (diff)
  • Owner changed from osimons to coderanger

XmlRpcPlugin is not involved in authentication at all, so moving it to that other plugin.

Hint: Use {{{ .... }}} blocks when pasting pre-formatted text.

comment:2 Changed 3 years ago by aussiealf

I am also seeing this behavior, however I will add that if you keep retrying, it does eventually spit out the right response, but only every very rarely.

I am using a similar setup, i am running trac 0.13dev-r10668 (this was not intentional, I installed from trunk and didn't realise I would end up with 0.13 oops), tracxmlrpc 1.1.2-r9970, trachttpauth 1.1, tracaccountmanager 0.3dev-r9929.

Any suggestions would be greatly appreciated

comment:3 Changed 3 years ago by aussiealf

OK I think I just fixed it for myself :)

I changed this section (starting line 57) from

        if req.method != 'HEAD':
            req.write(auth_req_msg)

to (added a line)

        if req.method != 'HEAD':
            req.write(auth_req_msg)
        req.end_response()

This seems to have fixed my issue, hope it helps someone else.

comment:4 Changed 3 years ago by aussiealf

Ignore my last post, didn't get any time to check it. end_response isn't even a method ;)

Python is new to me ;)

So I have checked through the API, and the wierd thing is what coderanger has put in seems to be correct, the process_request method sends the valid response then raises the RequestDone exception which is a notification that the request has been sent and to stop processing.

However Trac seems to be still processing after the exception is raised.

However this is just a "side effect" ultimately if you want to authenticate with XML-RPC.NET you will need to manually add the header yourself, you will even note in your issue that the Request header doesn't include the Authorization header, hence HTTPAuth is trying to tell you that it is invalid.

So do this when you setup your proxy

Trac.Headers("Authorization") = "Basic " & Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(Username & ":" & Password))

Where "Trac" is the "proxy" you have created using the XmlRpcProxyGen.Create method and "Username" and "Password" are variables holding the credentials.

This should work for you, but this ticket is still valid on the grounds that if you have a "invalid" login you will receive a malformed HTTP Response. (ie. content-length not being correct)

comment:5 Changed 3 years ago by anonymous

  • Summary changed from The server committed a protocol violation. Section=ResponseStatusLine to Authentication Failure returns invalid HTTP Response (content-length incorrect)

comment:6 follow-up: Changed 2 years ago by cboos

Note that you'll get a similar issue when you try the xmlrpclib client example snippet:

>>> from xmlrpclib import ServerProxy
>>> p = ServerProxy("http://user:pass@localhost:port/trac/login/rpc")
>>> p.system.getAPIVersion()
Traceback (most recent call last):
  ...
xmlrpclib.ProtocolError: <ProtocolError for user:pass@localhost:port/trac/login/rpc: 401 Unauthorized>

And the Trac log shows:

127.0.0.1 - - [26/May/2012 10:37:35] "POST /cblaptop-trac/login/rpc HTTP/1.1" 401 -
127.0.0.1 - - [26/May/2012 10:37:35] code 400, message Bad HTTP/0.9 request type ('<?xml')
127.0.0.1 - - [26/May/2012 10:37:35] "<?xml version='1.0'?>" 400 -

This will happen if you use Digest authentication on the Trac side (with tracd), as xmlrpclib only supports Basic authentication.

Likewise, when using curl for testing, don't forget to add the --digest flag.

I haven't investigated yet if this is really a problem in Trac (more specifically tracd and the way it handles digest auth with clients which don't support it). To find out, it would be interesting to know how this behaves with the same clients but another web front-end like Apache and mod_auth_digest.

Changed 22 months ago by jun66j5

[PATCH] Adding Connection: close when sending errors for Trac 0.12-stable

comment:7 in reply to: ↑ 6 Changed 22 months ago by jun66j5

And the Trac log shows:
...
127.0.0.1 - - [26/May/2012 10:37:35] code 400, message Bad HTTP/0.9 request type ('<?xml')
...

I've gotten the same problem during development of fulmo.

I think that is the Trac issue. That happens if the client send POST request to tracd with authentication using HTTP/1.1. Because tracd does not read the body of POST request from the client, or close the connection, before it sends 401 Authentication Required. Therefore, it wrongly reads the body as the next request.

Here is the proposal patch, t8558-close-conn-trac-0.12-r11474.diff, for Trac 0.12-stable. It works well for me.

comment:8 Changed 22 months ago by rjollos

Jun: I don't think this plugin is being maintainer, so if you'd like commit access to push your change, just let me know.

comment:9 follow-up: Changed 22 months ago by jun66j5

Sorry, the patch in comment:6 is for similar issue of Trac core. I'll create a new ticket on t.e.o later.

Also, I reproduced the original issue on Trac 0.12-stable, acct_mgr 0.3.2 and httpauthplugin latest. I created the following patch to solve and confirmed the fix.

Ryan: I would like to push it. Could you please grant the commit right?

  • httpauth/filter.py

     
    5252        req.send_header('Cache-control', 'no-cache') 
    5353        req.send_header('Expires', 'Fri, 01 Jan 1999 00:00:00 GMT') 
    5454        req.send_header('Content-Length', str(len(auth_req_msg))) 
     55        if req.get_header('Content-Length'): 
     56            req.send_header('Connection', 'close') 
    5557        req.end_headers() 
    5658 
    5759        if req.method != 'HEAD': 

comment:10 in reply to: ↑ 9 ; follow-up: Changed 22 months ago by rjollos

  • Owner changed from coderanger to jun66j5

Replying to jun66j5:

[...]
Ryan: I would like to push it. Could you please grant the commit right?

You should be all set now.

comment:11 Changed 22 months ago by jun66j5

  • Resolution set to fixed
  • Status changed from new to closed

(In [12394]) Fixed broken communication between client on tracd using HTTP/1.1 if sending 401 Unauthorized. Sends Connection: close header in this case.

Closes #8558.

comment:12 in reply to: ↑ 10 Changed 22 months ago by jun66j5

Replying to rjollos:

Ryan: I would like to push it. Could you please grant the commit right?

You should be all set now.

Thanks, Ryan! I just applied the patch.

comment:13 Changed 16 months ago by rjollos

  • Keywords authentication added; Authentication removed

Normalizing tag names.

Add Comment

Modify Ticket

Action
as closed .
The resolution will be deleted. Next status will be 'reopened'.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.