Opened 15 years ago

Closed 13 years ago

#4891 closed defect (fixed)

Login credentials are inserted into trac.ini

Reported by: xqhu@… Owned by: Ryan J Ollos
Priority: highest Component: IniAdminPlugin
Severity: normal Keywords: password autofill
Cc: Alec Thomas, Martin Scharrer Trac Release: 0.11

Description (last modified by Ryan J Ollos)

It is an emergent case. I installed IniAdminPlugin for trac 0.11 today. I used this plugin to change the item order in mainnav. After I applied the changes, I got these errors:

Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/api.py", line 367, in send_error
    'text/html')
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/chrome.py", line 708, in render_template
    data = self.populate_data(req, data)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/chrome.py", line 618, in populate_data
    d['chrome'].update(req.chrome)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/api.py", line 194, in __getattr__
    value = self.callbacks[name](self)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/chrome.py", line 476, in prepare_request
    for category, name, text in contributor.get_navigation_items(req):
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/ticket/web_ui.py", line 163, in get_navigation_items
    if 'TICKET_CREATE' in req.perm:
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/api.py", line 194, in __getattr__
    value = self.callbacks[name](self)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/main.py", line 264, in _get_perm
    return PermissionCache(self.env, self.authenticate(req))
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/main.py", line 133, in authenticate
    authname = authenticator.authenticate(req)
  File "build/bdist.linux-x86_64/egg/acct_mgr/web_ui.py", line 429, in wrap
  File "build/bdist.linux-x86_64/egg/acct_mgr/web_ui.py", line 440, in authenticate
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/auth.py", line 70, in authenticate
    authname = self._get_name_for_cookie(req, req.incookie['trac_auth'])
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/web/auth.py", line 184, in _get_name_for_cookie
    db = self.env.get_db_cnx()
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/env.py", line 273, in get_db_cnx
    return DatabaseManager(self).get_connection()
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/db/api.py", line 74, in get_connection
    connector, args = self._get_connector()
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/db/api.py", line 85, in _get_connector
    scheme, args = _parse_db_str(self.connection_uri)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.3-py2.4.egg/trac/db/api.py", line 111, in _parse_db_str
    scheme, rest = db_str.split(':', 1)
ValueError: need more than 1 value to unpack

I really don't know what is wrong here. Could anyone help me ASAP?

Thank you very much.

Attachments (1)

iniadmin_autocomplete_off.patch (542 bytes) - added by Martin Scharrer 14 years ago.
This patch adds javascript code which adds the non-standard 'autocomplete="off"' attribute to the HTML form created by IniAdminPlugin in order to avoid the issue.


Change History (12)

comment:1 in reply to:  description Changed 15 years ago by xqhu@…

I solved the problem by myself. I'm sure the error was caused by IniAdminPlugin. After I applied the changes I did, the "Database Connection Strings" was screwed up and the "database" value in trac.ini was set to my user's password! Since I used SQLite, I changed it back to "sqlite:db/trac.db". Then trac works again!

comment:2 Changed 15 years ago by olaf.meeuwissen@…

I've seen the same thing happen. When loading the page for the [trac] section, the browser automatically inserted my logon credentials in the base_url and database fields. The logon credentials used were those I use to login to our Trac environments.

I had to get the server admin (me) to fix the mess in trac.ini with his favourite text editor.

In case it matters, the browser used was Epiphany on a client running up-to-date Debian testing. The server runs Debian stable and hosts multiple Trac environments, each served via separate Apache processes using WSGI. The server setup uses a single htdigest file to store the authentication credentials for all environments. Installed plugins that just might be remotely(?) related to the problem are AccountManagerPlugin, NoAnonymousPlugin and SuperUserPlugin.

comment:3 Changed 14 years ago by Ryan J Ollos

Owner: changed from Alec Thomas to Ryan J Ollos
Summary: iniadmin casues trac crashed → Login credentials are inserted into trac.ini

comment:4 Changed 14 years ago by Ryan J Ollos

Description: modified (diff)

comment:5 Changed 14 years ago by Martin Scharrer

Keywords: password autofill added

I had a quick look into this. This seems to be caused by the database string being rendered as a password input field. Then under some circumstances the browser seems to autofill the user password into this field! So there is a client side to this defect.

A fix for this would be to remove trac:database from the passwords option of IniAdminPlugin itself. Alternatively, watch the autofill function of your browser.
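The two halves of this ticket, the crash in comment:1 (Trac's `_parse_db_str` splitting the stored value on `:` and failing because a password has no `scheme:` prefix) and the mechanism in comment:5 (the browser autofilling a login password into the field), suggest a server-side guard: validate `[trac] database` and `[trac] base_url` before anything is written to trac.ini, so an autofilled credential is rejected instead of persisted. The following is an added example written for this page, not IniAdminPlugin's or Trac's own code; it is Python 3 (Trac 0.11 ran on Python 2), the sample ini text and the `hunter2` values are constructed, and the non-empty scheme/rest check in `parse_db_str` goes slightly beyond the bare split Trac performs.

```python
"""Guard trac.ini edits against autofilled credentials (added example, not
IniAdminPlugin or Trac code).

The ticket shows a browser filling the login password into the [trac]
database field (rendered as a password-type input) and into base_url, after
which Trac crashes in _parse_db_str because the stored value has no
'scheme:' part. Validating before the write stops the corruption at the
server, whatever the client's autofill settings are.
"""
import io
from configparser import ConfigParser
from urllib.parse import urlsplit

# Constructed sample trac.ini fragment (not taken from the ticket).
SAMPLE_INI = """[trac]
database = sqlite:db/trac.db
base_url = http://trac.example.invalid/
"""


def parse_db_str(db_str):
    """Same split Trac's _parse_db_str performs: the value must be 'scheme:rest'.
    Raises ValueError otherwise, which is the crash shown in the ticket.
    The emptiness check is an addition of this example."""
    scheme, rest = db_str.split(':', 1)
    if not scheme or not rest:
        raise ValueError('database connection string must look like scheme:rest')
    return scheme, rest


def validate_option(section, name, value):
    """Return (ok, reason). Only the two options the ticket saw corrupted are
    checked; every other option passes through unchanged."""
    if (section, name) == ('trac', 'database'):
        try:
            parse_db_str(value)
        except ValueError as exc:
            return False, str(exc)
    elif (section, name) == ('trac', 'base_url'):
        parts = urlsplit(value)
        if parts.scheme not in ('http', 'https') or not parts.netloc:
            return False, 'base_url must be an absolute http(s) URL'
        if parts.username or parts.password:
            # A pasted 'http://user:pass@host/' would persist credentials too.
            return False, 'base_url must not carry credentials'
    return True, ''


def apply_changes(ini_text, changes):
    """Apply {(section, name): value} to ini text. Every value is validated
    first; if any fails, the text is returned untouched together with the
    rejections, so one bad field cannot corrupt the file."""
    rejected = {}
    for (section, name), value in changes.items():
        ok, reason = validate_option(section, name, value)
        if not ok:
            rejected[(section, name)] = reason
    if rejected:
        return ini_text, rejected
    cfg = ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    for (section, name), value in changes.items():
        if not cfg.has_section(section):
            cfg.add_section(section)
        cfg.set(section, name, value)
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue(), rejected


if __name__ == '__main__':
    # The situation the ticket describes: the browser has put the login
    # password into both fields (constructed value, not a real credential).
    new_text, rejected = apply_changes(SAMPLE_INI, {
        ('trac', 'database'): 'hunter2',
        ('trac', 'base_url'): 'hunter2',
    })
    for key, reason in rejected.items():
        print('%s.%s rejected: %s' % (key[0], key[1], reason))
    print('file unchanged:', new_text == SAMPLE_INI)
```

The guard is deliberately all-or-nothing: the form submits the whole section at once, so writing the valid fields while dropping the invalid ones would still leave the admin with a half-applied change to puzzle over. A proper connection string such as `postgres://user:pass@host/trac` still passes, because the check is only that the value has the shape Trac will be able to parse.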

comment:6 Changed 14 years ago by Martin Scharrer

Cc: Martin Scharrer added

comment:7 Changed 14 years ago by Ryan J Ollos

Thanks for doing some research on this. I haven't had time to dig into the source code ... it's one of those things that requires a full day to spend on, so I might not get to it for a couple of weeks or months. I'll gladly apply any patches you create or think are up to par (there are several open tickets with patches).

comment:8 Changed 14 years ago by Martin Scharrer

I can create a small patch for it, but as stated it's a client side thing. There is the trade-off between avoiding this issue and potentially revealing the DB username and password to someone who has TRAC_ADMIN rights (or anyone looking over this guy's shoulder).

As stated any user can fix this for himself by changing the passwords option of IniAdminPlugin. Please note that by default the plugin does not show its own options, so the trac.ini file must be added manually.

Changed 14 years ago by Martin Scharrer

This patch adds javascript code which adds the non-standard 'autocomplete="off"' attribute to the HTML form created by IniAdminPlugin in order to avoid the issue.

comment:9 Changed 14 years ago by Martin Scharrer

The attached patch should avoid the issue with almost all modern browsers. Unfortunately this HTML attribute isn't part of the standard, so there is no guarantee (ok, there wouldn't be one if it were). I'm using javascript to apply it to keep the generated XHTML code within the standard. Genshi might filter it out otherwise.

comment:10 Changed 13 years ago by Ryan J Ollos

Status: new → assigned

I seem to have forgotten about this one. Will apply the patch now ...

comment:11 Changed 13 years ago by Ryan J Ollos

Resolution: fixed
Status: assigned → closed

(In [9465]) Try to avoid auto-fill of user's password into the database string field. Patch by martin_s. Fixes #4891.
