Defect #14446

Public project and Redmine.pm "Use of uninitialized value $salt" error for empty username access via TortoiseSVN

Added by Иван Бухтияров about 9 years ago. Updated over 7 years ago.

Status: New
Priority: High
Assignee: -
Category: SCM extra
Target version: -
Start date:
Due date:
% Done: 0%
Resolution:
Affected version: 2.3.1

Description

I installed a new version of Redmine on my Ubuntu server a couple of days ago. I properly configured Apache so that Subversion works correctly with Redmine. I created a public project. But when I try to commit some files to this project without entering a username (it is simply empty) in the TortoiseSVN dialog on my local machine, I get the following error:

Error: Commit failed (details follow):
Error: Server sent unexpected return value (500 Internal Server Error) in response to
Error: MKACTIVITY request for '/svn/mmm/!svn/act/008182d9-97ee-2740-9a75-5c734c292d4c' ".

The following string in error.log of Apache:

Use of uninitialized value $salt in concatenation (.) or string at line 471 Redmine.pm.

This line from Redmine.pm is:

my $salted_password = Digest::SHA::sha1_hex($salt.$pass_digest);

If I uncheck "Public" for this project, everything is OK. In this case TortoiseSVN lets me authenticate repeatedly in SVN from one dialog window (if I enter empty or incorrect credentials).
What is the problem?

catch_empty_auth_fields.patch (491 Bytes) Florian Schmidt, 2015-05-19 13:34

History

#1 Updated by Johannes Wienke almost 8 years ago

This bug still exists in recent redmine versions and can also be triggered with git.

In case you use a .netrc file for authentication and omit the login fragment for the host, you end up in the exact same situation.

From a brief look at the Redmine.pm source code, I see two things:
  1. authen_handler needs to ensure that $r->user is not empty
  2. is_member needs to shield against empty values

#2 Updated by Wim Bertels over 7 years ago

Feedback, redmine version 1.4.4

Anonymous checkouts of public projects over http(s):
  • svn: ok
  • git: nok
    • client error message
      error: RPC failed; result=22, HTTP code = 500
      fatal: The remote end hung up unexpectedly
    • server error message
      Use of uninitialized value $salt in concatenation (.) or string at /usr/lib/perl5/Apache/Redmine.pm line 358

#3 Updated by Florian Schmidt over 7 years ago

I ran into the same issue recently.

While the bug could be fixed by catching uninitialized return values in is_member(), I agree with what Johannes said: authen_handler() should already ensure that $r->user is not empty, and furthermore, it should probably also ensure $redmine_pass isn't empty, either. This is also strongly suggested by the authors of this O'Reilly book:

If the user has not yet authenticated, or pressed the submit button without filling out the dialog completely, one or both of these fields may be empty. In this case, we have to force the user to (re)authenticate

I just assumed they knew what they were talking about, applied their approach to authen_handler in Redmine.pm, and attached a patch. This fixes the crash in Redmine.pm and the resulting 500 Internal Server Error (on Apache), and simply re-requests credentials.

Caveat: I have a bit of experience with Perl, but no experience whatsoever with writing mod_perl modules. The patch seems quite straightforward, though.
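The guard Johannes and Florian describe, written out as an added illustration (this is neither the attached patch nor Redmine's own Redmine.pm): a mod_perl 2 authen_handler that re-requests credentials when the login or password is empty, and also when the login is unknown, so the salted SHA-1 comparison is never reached with an undefined $salt. The module name, the lookup_user and password_matches helpers and the constructed user record are assumptions; only $r->get_basic_auth_pw, $r->user and $r->note_basic_auth_failure are real mod_perl 2 API, and the sha1(salt . sha1(password)) scheme is the one visible in the reported line of Redmine.pm.

```perl
package Apache::RedmineAuthGuard;   # hypothetical module name, not Redmine's
use strict;
use warnings;

use Apache2::Access ();       # provides get_basic_auth_pw, note_basic_auth_failure
use Apache2::RequestRec ();   # provides $r->user
use Apache2::Const -compile => qw(OK AUTH_REQUIRED);
use Digest::SHA ();

# Hypothetical stand-in for Redmine's database lookup. Returns (salt, hashed
# password) for a known login, or an empty list for an unknown one.
# The single record below is constructed sample data.
sub lookup_user {
    my ($login) = @_;
    my %constructed = (
        alice => [ 's4lt', Digest::SHA::sha1_hex('s4lt' . Digest::SHA::sha1_hex('secret')) ],
    );
    return exists $constructed{$login} ? @{ $constructed{$login} } : ();
}

# Same scheme as the reported line: sha1_hex($salt . sha1_hex($password)).
sub password_matches {
    my ($salt, $hashed, $pass) = @_;
    my $pass_digest = Digest::SHA::sha1_hex($pass);
    return Digest::SHA::sha1_hex($salt . $pass_digest) eq $hashed;
}

sub authen_handler {
    my $r = shift;
    my ($res, $pass) = $r->get_basic_auth_pw();
    return $res unless $res == Apache2::Const::OK;   # no Authorization header etc.

    my $login = $r->user;
    # Empty login or password (blank TortoiseSVN dialog, .netrc entry without a
    # login): ask again instead of continuing to the database lookup, which is
    # where the undefined $salt and the 500 came from.
    unless (defined $login && length $login && defined $pass && length $pass) {
        $r->note_basic_auth_failure;
        return Apache2::Const::AUTH_REQUIRED;
    }

    my ($salt, $hashed) = lookup_user($login);
    # Unknown login or wrong password: also re-request rather than hashing undef.
    unless (defined $salt && password_matches($salt, $hashed, $pass)) {
        $r->note_basic_auth_failure;
        return Apache2::Const::AUTH_REQUIRED;
    }
    return Apache2::Const::OK;
}

1;
```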
