Opened 16 years ago
Closed 14 years ago
#4891 closed defect (fixed)
Login credentials are inserted into trac.ini
Reported by: | | Owned by: | Ryan J Ollos |
---|---|---|---|
Priority: | highest | Component: | IniAdminPlugin |
Severity: | normal | Keywords: | password autofill |
Cc: | Alec Thomas, Martin Scharrer | Trac Release: | 0.11 |
Description (last modified by )
It is an emergent case. I installed IniAdminPlugin for trac 0.11 today. I used this plugin to change the item order in mainnav. After I applied the changes, I got these errors:
```
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/api.py", line 367, in send_error
    'text/html')
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/chrome.py", line 708, in render_template
    data = self.populate_data(req, data)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/chrome.py", line 618, in populate_data
    d['chrome'].update(req.chrome)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/api.py", line 194, in __getattr__
    value = self.callbacks[name](self)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/chrome.py", line 476, in prepare_request
    for category, name, text in contributor.get_navigation_items(req):
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/ticket/web_ui.py", line 163, in get_navigation_items
    if 'TICKET_CREATE' in req.perm:
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/api.py", line 194, in __getattr__
    value = self.callbacks[name](self)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/main.py", line 264, in _get_perm
    return PermissionCache(self.env, self.authenticate(req))
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/main.py", line 133, in authenticate
    authname = authenticator.authenticate(req)
  File "build/bdist.linux-x86_64/egg/acct_mgr/web_ui.py", line 429, in wrap
  File "build/bdist.linux-x86_64/egg/acct_mgr/web_ui.py", line 440, in authenticate
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/auth.py", line 70, in authenticate
    authname = self._get_name_for_cookie(req, req.incookie['trac_auth'])
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/auth.py", line 184, in _get_name_for_cookie
    db = self.env.get_db_cnx()
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/env.py", line 273, in get_db_cnx
    return DatabaseManager(self).get_connection()
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/db/api.py", line 74, in get_connection
    connector, args = self._get_connector()
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/db/api.py", line 85, in _get_connector
    scheme, args = _parse_db_str(self.connection_uri)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/db/api.py", line 111, in _parse_db_str
    scheme, rest = db_str.split(':', 1)
ValueError: need more than 1 value to unpack
```
I really don't know what is wrong here. Could anyone help me ASAP?
Thank you very much.
Attachments (1)
Change History (12)
comment:1 Changed 16 years ago by
comment:2 Changed 15 years ago by
I've seen the same thing happen. When loading the page for the `[trac]` section, the browser automatically inserted my logon credentials in the `base_url` and `database` fields. The logon credentials used were those I use to login to our Trac environments.
I had to get the server admin (me) to fix the mess in `trac.ini` with his favourite text editor.
In case it matters, the browser used was Epiphany on a client running up-to-date Debian testing. The server runs Debian stable and hosts multiple Trac environments, each served via separate Apache processes using WSGI. The server setup uses a single htdigest file to store the authentication credentials for all environments. Installed plugins that just might be remotely(?) related to the problem are AccountManagerPlugin, NoAnonymousPlugin and SuperUserPlugin.
comment:3 Changed 14 years ago by
Owner: | changed from Alec Thomas to Ryan J Ollos |
---|---|
Summary: | iniadmin casues trac crashed → Login credentials are inserted into trac.ini |
comment:4 Changed 14 years ago by
Description: | modified (diff) |
---|
comment:5 Changed 14 years ago by
Keywords: | password autofill added |
---|
I had a quick look into this. This seems to be caused because the `database` string is rendered as a password input field. Then under some circumstances the browser seems to autofill the user password into this field! So there is a client side to this defect.
A fix for this would be to remove `trac:database` from the `passwords` option of IniAdminPlugin itself. Alternatively, watch the autofill function of your browser.
comment:6 Changed 14 years ago by
Cc: | Martin Scharrer added |
---|
comment:7 Changed 14 years ago by
Thanks for doing some research on this. I haven't had time to dig into the source code ... it's one of those things that requires a full day to spend on, so I might not get to it for a couple of weeks or months. I'll gladly apply any patches you create or think are up to par (there are several open tickets with patches).
comment:8 Changed 14 years ago by
I can create a small patch for it, but as stated it's a client side thing. There is the trade-off between avoiding this issue and potentially revealing the DB username and password to someone who has TRAC_ADMIN rights (or anyone looking over this guy's shoulder).
As stated, any user can fix this for himself by changing the `passwords` option of IniAdminPlugin. Please note that by default the plugin does not show its own options, so the `trac.ini` file must be added manually.
Changed 14 years ago by
Attachment: | iniadmin_autocomplete_off.patch added |
---|
This patch adds javascript code which adds the non-standard 'autocomplete="off"' attribute to the HTML form created by IniAdminPlugin in order to avoid the issue.
comment:9 Changed 14 years ago by
The attached patch should avoid the issue with all most modern browsers. Unfortunately this HTML attribute isn't part of the standard, so there is no guarantee (ok, there wouldn't be one if it were). I'm using javascript to apply it to keep the generated XHTML code within the standard. Genshi might filter it out otherwise.
comment:10 Changed 14 years ago by
Status: | new → assigned |
---|
I seem to have forgotten about this one. Will apply the patch now ...
comment:11 Changed 14 years ago by
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
I solved the problem by myself. I'm sure the error was caused by IniAdminPlugin. After I applied the changes I did, the "Database Connection Strings" was screwed up and the "database" value in trac.ini was set to my user's password! Since I used SQLite, I changed it back to "sqlite:db/trac.db". Then trac works again!
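
A check for the failure described in this ticket, as an added example that is not part of the ticket or of IniAdminPlugin: it reads a trac.ini and flags `[trac]` `database` and `base_url` values that no longer look like a connection string or URL, reporting only the option name so an autofilled password is not echoed. The scheme list, the function name and both sample files are assumptions constructed for the illustration.

```python
import configparser
from urllib.parse import urlsplit

# Connection-string schemes accepted by this example (an assumption, adjust to your backends).
DB_SCHEMES = {"sqlite", "postgres", "mysql"}

# Constructed sample: [trac] fields overwritten by browser autofill
# (login name in base_url, password in database).
CORRUPTED_INI = """\
[trac]
base_url = jdoe
database = example-password
"""

# Constructed sample: the same section after manual repair.
REPAIRED_INI = """\
[trac]
base_url = https://trac.example.org/project
database = sqlite:db/trac.db
"""


def check_trac_section(ini_text):
    """Return (option, problem) pairs for [trac] values that look overwritten."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    problems = []

    database = parser.get("trac", "database", fallback="")
    # The traceback shows the string being split on the first ':'; a value
    # without one raises the ValueError that took the site down.
    scheme, sep, rest = database.partition(":")
    if not sep:
        problems.append(("database", "no 'scheme:' prefix"))
    elif scheme not in DB_SCHEMES or not rest:
        problems.append(("database", "unknown scheme or empty target"))

    base_url = parser.get("trac", "base_url", fallback="")
    if base_url:  # an empty base_url is left alone
        parts = urlsplit(base_url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(("base_url", "not an absolute http(s) URL"))
    return problems


if __name__ == "__main__":
    for label, text in (("corrupted", CORRUPTED_INI), ("repaired", REPAIRED_INI)):
        print(label, check_trac_section(text))
```

Run against the file before an admin-panel save is written, or from a monitoring job, this catches the overwrite before the next request fails.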