Defect #14446
open
Public project and Redmine.pm "Use of use of uninitialized value $salt" error for empty username access via TortoiseSVN
0%
Description
I installed new version of Redmine on my Ubuntu server a couple days ago. I properly configured Apache for correct working Subversion with Redmine. I created public project. But when I try to commit some files in this project without entering username (it is simply empty) in TortoiseSVN dialog on local machine I get the following error:
Error: Commit failed (details follow):
Error: Server sent unexpected return value (500 Internal Server Error) in response to
Error: MKACTIVITY request for '/svn/mmm/!svn/act/008182d9-97ee-2740-9a75-5c734c292d4c' ".
The following string in error.log of Apache:
Use of uninitialized value $salt in concatenation (.) or string at line 471 Redmine.pm.
This line from Redmine.pm is:
my $salted_password = Digest::SHA::sha1_hex($salt.$pass_digest);
If I uncheck "Public" to this project everything is ok. In this case TortoiseSVN let me authenticate repeatedly in SVN from one dialog window (if I enter empty or incorrect credentials)
What is the problem?
Files
Updated by Johannes Wienke about 10 years ago
This bug still exists in recent redmine versions and can also be triggered with git.
In case you use a .netrc file for authentication and omit the login fragment for the host, you end up in the exact same situations.
Redmine.pm source code, I see two things:
authen_handlerneeds to ensure that$r->useris not emptyis_memberneeds to shield against empty values
Updated by Wim Bertels over 9 years ago
Feedback, redmine version 1.4.4
Anonymous checkouts of public projects over http(s):- svn: ok
- git: nok
- client error message
error: RPC failed; result=22, HTTP code = 500 fatal: The remote end hung up unexpectedly
- server error message
Use of uninitialized value $salt in concatenation (.) or string at /usr/lib/perl5/Apache/Redmine.pm line 358
- client error message
Updated by Florian Schmidt over 9 years ago
I ran into the same issue recently.
While the bug could be fixed by catching unintialized return values in is_member(), I agree with what Johannes said: authen_handler() should already ensure that $r->user is not empty, and furthermore, it should probably also ensure $redmine_pass isn't empty, either. This is also strongly suggested by the authors of this O'Reilly book:
If the user has not yet authenticated, or pressed the submit button without filling out the dialog completely, one or both of these fields may be empty. In this case, we have to force the user to (re)authenticate
I just assumed they knew what they were talking about, and applied their approach to authen_handler in Redmine.pm, and attached a patch. This fixes the crashing of Redmine.pm, the resulting 500 Internal Server Error (on Apache), and simply re-requests credentials.
Caveat: I have a bit of experience with Perl, but no experience whatsoever with writing mod_perl modules. The patch seems quite straightforward, though.