
Opened 6 years ago

Closed 4 years ago

Last modified 4 years ago

#8558 closed defect (fixed)

Authentication Failure returns invalid HTTP Response (content-length incorrect)

Reported by: kubes@…
Owned by: Jun Omae
Priority: normal
Component: HttpAuthPlugin
Severity: normal
Keywords: XmlRpc authentication content-length
Cc: Olemis Lang
Trac Release: 0.12

Description (last modified by Odd Simon Simonsen)

I have installed XmlRpcPlugin and HttpAuthPlugin, and I am not sure where exactly the error is. When I connect with my .NET client to the XmlRpc, I get this exception from request.GetResponse() (.NET method)

I debugged it with the Fiddler HTTP debugger and found that Trac sends the wrong Content-Length (23 bytes). It sends the text "Authentication required", which is exactly 23 bytes. But there is a small HTML block appended, which causes the content length to be wrong. I can reproduce it with Python 2.5 and Python 2.7 as well. I have attached the output of Fiddler, please see below. I find it interesting that the request is made via HTTP 1.1, but HTTP 0.9 is mentioned in the response.

POST http://10.250.10.55/mew/login/xmlrpc HTTP/1.1
Content-Type: text/xml
User-Agent: XML-RPC.NET
Host: 10.250.10.55
Cookie: trac_session=2a1a01b9d7d8bcb3db9afc27
Content-Length: 229

<?xml version="1.0"?>
<methodCall>
  <methodName>system.methodHelp</methodName>
  <params>
    <param>
      <value>
        <string>ticket.getRecentChanges</string>
      </value>
    </param>
  </params>
</methodCall>

HTTP/1.1 401 Unauthorized
Server: tracd/0.12.2 Python/2.7
Date: Wed, 02 Mar 2011 14:07:38 GMT
WWW-Authenticate: Basic realm="Control Panel"
Content-Type: text/plain
Pragma: no-cache
Cache-control: no-cache
Expires: Fri, 01 Jan 1999 00:00:00 GMT
Content-Length: 23

Authentication required<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 400.
<p>Message: Bad HTTP/0.9 request type ('&lt;?xml').
<p>Error code explanation: 400 = Bad request syntax or unsupported method.
</body>

Attachments (1)

t8558-close-conn-trac-0.12-r11474.diff (1.8 KB) - added by Jun Omae 4 years ago.
[PATCH] Adding Connection: close when sending errors for Trac 0.12-stable


Change History (14)

comment:1 Changed 6 years ago by Odd Simon Simonsen

Component: XmlRpcPlugin → HttpAuthPlugin
Description: modified (diff)
Owner: changed from Odd Simon Simonsen to Noah Kantrowitz

XmlRpcPlugin is not involved in authentication at all, so moving it to that other plugin.

Hint: Use {{{ .... }}} blocks when pasting pre-formatted text.

comment:2 Changed 6 years ago by Michael Proctor

I am also seeing this behavior; however, I will add that if you keep retrying, it does eventually spit out the right response, but only very rarely.

I am using a similar setup: I am running trac 0.13dev-r10668 (this was not intentional, I installed from trunk and didn't realise I would end up with 0.13, oops), tracxmlrpc 1.1.2-r9970, trachttpauth 1.1, tracaccountmanager 0.3dev-r9929.

Any suggestions would be greatly appreciated

comment:3 Changed 6 years ago by Michael Proctor

OK I think I just fixed it for myself :)

I changed this section (starting line 57) from

        if req.method != 'HEAD':
            req.write(auth_req_msg)

to (added a line)

        if req.method != 'HEAD':
            req.write(auth_req_msg)
        req.end_response()

This seems to have fixed my issue, hope it helps someone else.

comment:4 Changed 6 years ago by Michael Proctor

Ignore my last post, didn't get any time to check it. end_response isn't even a method ;)

Python is new to me ;)

So I have checked through the API, and the weird thing is that what coderanger has put in seems to be correct: the process_request method sends the valid response, then raises the RequestDone exception, which is a notification that the request has been sent and to stop processing.

However Trac seems to be still processing after the exception is raised.

However, this is just a "side effect". Ultimately, if you want to authenticate with XML-RPC.NET you will need to manually add the header yourself. You will even note in your issue that the Request header doesn't include the Authorization header, hence HTTPAuth is trying to tell you that it is invalid.

So do this when you set up your proxy:

Trac.Headers("Authorization") = "Basic " & Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(Username & ":" & Password))

Where "Trac" is the "proxy" you have created using the XmlRpcProxyGen.Create method and "Username" and "Password" are variables holding the credentials.

This should work for you, but this ticket is still valid on the grounds that if you have an "invalid" login you will receive a malformed HTTP Response (i.e. content-length not being correct).

comment:5 Changed 6 years ago by anonymous

Summary: The server committed a protocol violation. Section=ResponseStatusLine → Authentication Failure returns invalid HTTP Response (content-length incorrect)

comment:6 Changed 5 years ago by Christian Boos

Note that you'll get a similar issue when you try the xmlrpclib client example snippet:

>>> from xmlrpclib import ServerProxy
>>> p = ServerProxy("http://user:pass@localhost:port/trac/login/rpc")
>>> p.system.getAPIVersion()
Traceback (most recent call last):
  ...
xmlrpclib.ProtocolError: <ProtocolError for user:pass@localhost:port/trac/login/rpc: 401 Unauthorized>

And the Trac log shows:

127.0.0.1 - - [26/May/2012 10:37:35] "POST /cblaptop-trac/login/rpc HTTP/1.1" 401 -
127.0.0.1 - - [26/May/2012 10:37:35] code 400, message Bad HTTP/0.9 request type ('<?xml')
127.0.0.1 - - [26/May/2012 10:37:35] "<?xml version='1.0'?>" 400 -

This will happen if you use Digest authentication on the Trac side (with tracd), as xmlrpclib only supports Basic authentication.

Likewise, when using curl for testing, don't forget to add the --digest flag.

I haven't investigated yet if this is really a problem in Trac (more specifically tracd and the way it handles digest auth with clients which don't support it). To find out, it would be interesting to know how this behaves with the same clients but another web front-end like Apache and mod_auth_digest.

Changed 4 years ago by Jun Omae

[PATCH] Adding Connection: close when sending errors for Trac 0.12-stable

comment:7 in reply to:  6 Changed 4 years ago by Jun Omae

And the Trac log shows: ... 127.0.0.1 - - [26/May/2012 10:37:35] code 400, message Bad HTTP/0.9 request type ('<?xml') ...

I've gotten the same problem during development of fulmo.

I think that is a Trac issue. It happens if the client sends a POST request to tracd with authentication using HTTP/1.1, because tracd does not read the body of the POST request from the client, or close the connection, before it sends 401 Authentication Required. Therefore, it wrongly reads the body as the next request.

Here is the proposed patch, t8558-close-conn-trac-0.12-r11474.diff, for Trac 0.12-stable. It works well for me.
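
The mechanism described in comment:7, reproduced as an added example (not part of the ticket and not Trac or HttpAuthPlugin code): Python 3's `http.server` stands in for tracd, and `FakeSocket`, the handler classes and the host name `trac.example` are constructed for the demonstration. Without `Connection: close`, the unread XML body is parsed as a second request and its HTTP/0.9 error page lands after the 23 declared bytes.

```python
import io
from http.server import BaseHTTPRequestHandler

AUTH_MSG = b"Authentication required"  # the 23-byte body from the capture

class FakeSocket:
    """In-memory stand-in for one client connection (constructed for this demo)."""
    def __init__(self, request_bytes):
        self._incoming = io.BytesIO(request_bytes)
        self.sent = bytearray()
    def makefile(self, mode, *args, **kwargs):
        return self._incoming      # the handler only asks for the read side
    def sendall(self, data):
        self.sent += data          # everything the server writes to the client

class Unread401Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # keep-alive unless told otherwise
    close_on_401 = False

    def do_POST(self):
        # Answer 401 without consuming the request body.
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="Control Panel"')
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(AUTH_MSG)))
        if self.close_on_401 and self.headers.get("Content-Length"):
            self.send_header("Connection", "close")  # same condition as the patch
        self.end_headers()
        self.wfile.write(AUTH_MSG)

    def log_message(self, *args):
        pass                       # keep stderr quiet

class Closing401Handler(Unread401Handler):
    close_on_401 = True

def bytes_after_headers(handler_cls):
    """Serve one unauthenticated XML-RPC POST; return all bytes after the 401 headers."""
    body = b'<?xml version="1.0"?>\n<methodCall><methodName>system.methodHelp</methodName></methodCall>'
    request = (b"POST /login/xmlrpc HTTP/1.1\r\nHost: trac.example\r\n"
               b"Content-Type: text/xml\r\nContent-Length: %d\r\n\r\n" % len(body)) + body
    sock = FakeSocket(request)
    handler_cls(sock, ("127.0.0.1", 0), None)  # constructor runs setup/handle/finish
    return bytes(sock.sent).split(b"\r\n\r\n", 1)[1]

if __name__ == "__main__":
    for cls in (Unread401Handler, Closing401Handler):
        print(cls.__name__, len(bytes_after_headers(cls)), "bytes after headers")
```
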

comment:8 Changed 4 years ago by Ryan J Ollos

Jun: I don't think this plugin is being maintained, so if you'd like commit access to push your change, just let me know.

comment:9 Changed 4 years ago by Jun Omae

Sorry, the patch in comment:6 is for a similar issue in Trac core. I'll create a new ticket on t.e.o later.

Also, I reproduced the original issue on Trac 0.12-stable, acct_mgr 0.3.2 and the latest httpauthplugin. I created the following patch to solve it and confirmed the fix.

Ryan: I would like to push it. Could you please grant the commit right?

  • httpauth/filter.py

     
    5252        req.send_header('Cache-control', 'no-cache')
    5353        req.send_header('Expires', 'Fri, 01 Jan 1999 00:00:00 GMT')
    5454        req.send_header('Content-Length', str(len(auth_req_msg)))
     55        if req.get_header('Content-Length'):
     56            req.send_header('Connection', 'close')
    5557        req.end_headers()
    5658
    5759        if req.method != 'HEAD':
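
Review bot: the new `if req.get_header('Content-Length'):` guard at new line 55 only sends `Connection: close` when the request declares a Content-Length, so a request whose body arrives with chunked Transfer-Encoding, which carries no Content-Length header, would still leave an unread body on a kept-alive connection. Consider sending `Connection: close` unconditionally on this 401 path, or also checking `Transfer-Encoding`, and add a short comment saying the header is there because the request body is not read before the response is sent.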

comment:10 in reply to:  9 Changed 4 years ago by Ryan J Ollos

Owner: changed from Noah Kantrowitz to Jun Omae

Replying to jun66j5:

[...] Ryan: I would like to push it. Could you please grant the commit right?

You should be all set now.

comment:11 Changed 4 years ago by Jun Omae

Resolution: fixed
Status: new → closed

(In [12394]) Fixed broken communication between client on tracd using HTTP/1.1 if sending 401 Unauthorized. Sends Connection: close header in this case.

Closes #8558.

comment:12 in reply to:  10 Changed 4 years ago by Jun Omae

Replying to rjollos:

Ryan: I would like to push it. Could you please grant the commit right?

You should be all set now.

Thanks, Ryan! I just applied the patch.

comment:13 Changed 4 years ago by Ryan J Ollos

Keywords: authentication added; Authentication removed

Normalizing tag names.
