Modify

Opened 16 years ago

Closed 14 years ago

#4891 closed defect (fixed)

Login credentials are inserted into trac.ini

Reported by: xqhu@… Owned by: Ryan J Ollos
Priority: highest Component: IniAdminPlugin
Severity: normal Keywords: password autofill
Cc: Alec Thomas, Martin Scharrer Trac Release: 0.11

Description (last modified by Ryan J Ollos)

It is an emergent case. I installed IniAdminPlugin for trac 0.11 today. I used this plugin to change the item order in mainnav. After I applied the changes, I got these errors:

Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/api.py", line 367, in send_error
    'text/html')
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/chrome.py", line 708, in render_template
    data = self.populate_data(req, data)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/chrome.py", line 618, in populate_data
    d['chrome'].update(req.chrome)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/api.py", line 194, in __getattr__
    value = self.callbacks[name](self)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/chrome.py", line 476, in prepare_request
    for category, name, text in contributor.get_navigation_items(req):
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/ticket/web_ui.py", line 163, in get_navigation_items
    if 'TICKET_CREATE' in req.perm:
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/api.py", line 194, in __getattr__
    value = self.callbacks[name](self)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/main.py", line 264, in _get_perm
    return PermissionCache(self.env, self.authenticate(req))
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/main.py", line 133, in authenticate
    authname = authenticator.authenticate(req)
  File "build/bdist.linux-x86_64/egg/acct_mgr/web_ui.py", line 429, in wrap
  File "build/bdist.linux-x86_64/egg/acct_mgr/web_ui.py", line 440, in authenticate
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/auth.py", line 70, in authenticate
    authname = self._get_name_for_cookie(req, req.incookie['trac_auth'])
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/auth.py", line 184, in _get_name_for_cookie
    db = self.env.get_db_cnx()
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/env.py", line 273, in get_db_cnx
    return DatabaseManager(self).get_connection()
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/db/api.py", line 74, in get_connection
    connector, args = self._get_connector()
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/db/api.py", line 85, in _get_connector
    scheme, args = _parse_db_str(self.connection_uri)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/db/api.py", line 111, in _parse_db_str
    scheme, rest = db_str.split(':', 1)
ValueError: need more than 1 value to unpack

I really don't know what is wrong here. Could anyone help me ASAP?

Thank you very much.

Attachments (1)

iniadmin_autocomplete_off.patch (542 bytes) - added by Martin Scharrer 14 years ago.
This patch adds javascript code which adds the non-standard 'autocomplete="off"' attribute to the HTML form created by IniAdminPlugin in order to avoid the isse.

Download all attachments as: .zip

Change History (12)

comment:1 in reply to:  description Changed 16 years ago by xqhu@…

I solved the problem by myself. I'm sure the error was caused by IniAdminPlugin. After I applied the changes I did, the "Database Connection Strings" was screwed up and the "database" value in trac.in was set my user's password! Since I used SQLSite, I changed it back to "sqlite:db/trac.db". Then trac works again!

comment:2 Changed 15 years ago by olaf.meeuwissen@…

I've seen the same thing happen. When loading the page for the [trac] section, the browser automatically inserted my logon credentials in the base_url and database fields. The logon credentials used were those I use to login to our Trac environments.

I had to get the server admin (me) to fix the mess in trac.ini with his favourite text editor.

In case it matters, the browser used was Epiphany on a client running up-to-date Debian testing. The server runs Debian stable and hosts multiple Trac environments, each served via separate Apache processing using WSGI. The server setup uses a single htdigest file to store the authentication credentials for all environments. Installed plugins that just might be remotely(?) related to the problem are AccountManagerPlugin, NoAnonymousPlugin and SuperUserPlugin.

comment:3 Changed 14 years ago by Ryan J Ollos

Owner: changed from Alec Thomas to Ryan J Ollos
Summary: iniadmin casues trac crashedLogin credentials are inserted into trac.ini

comment:4 Changed 14 years ago by Ryan J Ollos

Description: modified (diff)

comment:5 Changed 14 years ago by Martin Scharrer

Keywords: password autofill added

I had a quick look into this. This seems to be caused because the database string is rendered as password input field. Then under some circumstances the browser seems to autofill the user password into this field! So there is a client side to this defect.

A fix for this would be to remove trac:database from the passwords option of IniAdminPlugin itself. Alternative watch the autofill function of your browser.

comment:6 Changed 14 years ago by Martin Scharrer

Cc: Martin Scharrer added

comment:7 Changed 14 years ago by Ryan J Ollos

Thanks for doing some research on this. I haven't had time to dig into the source code ... its one of those things that requires a full day to spend on, so I might not get to it for a couple of weeks or months. I'll gladly apply any patches you create or think are up to far (there are several open tickets with patches).

comment:8 Changed 14 years ago by Martin Scharrer

I can create a small patch for it, but as stated it's a client side thing. There is the trade-off between avoiding this issue and potentially revealing the DB username and password to someone which has TRAC_ADMIN rights (or anyone looking over this guys shoulder).

As stated any user can fix this for himself by changing the passwords option of IniAdminPlugin. Please note that by default the plugin does not show its own options, so the trac.ini file must be added manually.

Changed 14 years ago by Martin Scharrer

This patch adds javascript code which adds the non-standard 'autocomplete="off"' attribute to the HTML form created by IniAdminPlugin in order to avoid the isse.

comment:9 Changed 14 years ago by Martin Scharrer

The attached patch should avoid the issue with all most modern browsers. Unfortunatly this HTML attribute isn't part of the standard, so there is no guarantee (ok, there wouldn't be one if it were). I'm using javascript to apply it to keep the generated XHTML code within the standard. Genshi might filter it out otherwise.

comment:10 Changed 14 years ago by Ryan J Ollos

Status: newassigned

I see to have forgotten about this one. Will apply the patch now ...

comment:11 Changed 14 years ago by Ryan J Ollos

Resolution: fixed
Status: assignedclosed

(In [9465]) Try to avoid auto-fill of user's password into the database string field. Patch by martin_s. Fixes #4891.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Ryan J Ollos.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.