#2901 closed defect (invalid)
Apache crashes when used with modpython and LDAP authentication
| Reported by: | Emmanuel Blot | Owned by: | Emmanuel Blot |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | web frontend/mod_python | Version: | devel |
| Severity: | major | Keywords: | ldap |
| Cc: | francois.pesce@… | Branch: | |
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
Since the introduction of the WSGI support in [2957], Apache server crashes when the following environment is used:
- modpython (3.1.x, 3.2.x series)
- python (2.3.x, 2.4.x)
- LDAP authentication support (mod_auth_ldap, unrelated to the LdapPlugin)
The crash of the Apache thread occurs when the user authenticates, i.e. when she submits her password at the …/login URL.
The root cause is the LDAP authentication module:
It defines an extra environment variable AUTHENTICATE_UID, which may take an invalid (null?) value.
This value is retrieved in modpython/apache.py:build_cgi_env(req) and added to the CGI environment variable.
This dictionary is then duplicated in trac/web/modpython_frontend.py:ModPythonGateway::__init__ using the environ.duplicate() call.
When the duplicate() method attempts to duplicate the value of the AUTHENTICATE_UID key, it produces an invalid call which ends up in calling the libc strlen() function with an invalid parameter, and eventually crashes the current Apache thread.
I attach a patch against [3025] which discards this invalid key, but I guess the real fix up should be done in the modpython Apache module.
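The failure mode described in this ticket, as an added C illustration (not the attached modpython.diff and not mod_python's or Trac's code): a table copy that drops entries with a NULL key or value rather than handing the NULL to `strlen()`. The names `env_entry`, `env_duplicate`, `env_free` and the sample table are hypothetical and constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for one entry of a server environment table. */
struct env_entry { char *key; char *val; };

/* Constructed sample: the auth module left AUTHENTICATE_UID without a value. */
static struct env_entry sample_env[] = {
    { "REMOTE_USER", "alice" },
    { "AUTHENTICATE_UID", NULL },
    { "PATH_INFO", "/login" },
};
enum { SAMPLE_N = sizeof sample_env / sizeof sample_env[0] };

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;          /* only ever reached with s != NULL */
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

void env_free(struct env_entry *e, size_t n) {
    for (size_t i = 0; i < n; i++) { free(e[i].key); free(e[i].val); }
}

/* Copy src[0..n) into dst (room for n), dropping entries with a NULL key or
 * value instead of passing them to strlen(). Returns count, or -1 on OOM. */
int env_duplicate(const struct env_entry *src, size_t n,
                  struct env_entry *dst, size_t *skipped) {
    size_t out = 0;
    *skipped = 0;
    for (size_t i = 0; i < n; i++) {
        if (!src[i].key || !src[i].val) { (*skipped)++; continue; }
        dst[out].key = dup_str(src[i].key);
        dst[out].val = dup_str(src[i].val);
        if (!dst[out].key || !dst[out].val) { env_free(dst, out + 1); return -1; }
        out++;
    }
    return (int)out;
}

int main(void) {
    struct env_entry copy[SAMPLE_N];
    size_t skipped;
    int n = env_duplicate(sample_env, SAMPLE_N, copy, &skipped);
    printf("copied %d, skipped %zu\n", n, skipped);
    if (n > 0) env_free(copy, (size_t)n);
    return n < 0;
}
```

Counting the skipped entries gives the caller something to log, so a misbehaving upstream module is noticed instead of silently masked.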
Attachments (2)
Change History (9)
by , 20 years ago
| Attachment: | modpython.diff added |
|---|
comment:1 by , 20 years ago
Bug report submitted to Apache2 project: http://issues.apache.org/bugzilla/show_bug.cgi?id=39045
by , 20 years ago
| Attachment: | patch-for-mod_auth_ldap.patch added |
|---|
Patch to avoid NULL value for env in mod_auth_ldap
comment:2 by , 20 years ago
| Cc: | added |
|---|
If the problem comes from a NULL value in an AUTHENTICATE_* environment variable, as I read in the Apache bug report, this little patch may fix it.
follow-up: 4 comment:3 by , 19 years ago
| Component: | general → mod_python frontend |
|---|---|
| Keywords: | ldap added |
| Milestone: | → 0.11 |
| Owner: | changed from to |
manu, can you take a look to check if attachment:modpython.diff is still relevant, and if yes, apply the patch?
comment:4 by , 19 years ago
Replying to cboos:
> manu, can you take a look to check if attachment:modpython.diff is still relevant, and if yes, apply the patch?
Sure. I will check it on monday, I don't use Apache @ home.
However, I wonder about the actual cost of this patch: is it really a good idea to add a kludge in Trac core to circumvent an issue in an external component (mod_python) that triggers an error with a specific configuration (LDAP)?
comment:5 by , 18 years ago
I had this setup working for a week or so with Trac 10.4 before I switched to using TracCASPlugin for authentication.
I used these modules + configuration values, with a Win2003 AD server, and it worked fine:
```
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
...
<Location /path/to/project>
    Order Allow,Deny
    Allow from all
    AuthType Basic
    AuthName "Active Directory"
    AuthBasicProvider "ldap"
    AuthLDAPURL "ldap://server/OU=Users,DC=domain,DC=tld?samAccountName"
    Require valid-user
    AuthLDAPBindDN "binduser@domain.tld"
    AuthLDAPBindPassword "*********"
    AuthzLDAPAuthoritative Off
</Location>
```
comment:6 by , 16 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
This appears to be fixed in apache, see https://issues.apache.org/bugzilla/show_bug.cgi?id=39045
I don't see any reason to apply the patch to Trac.
comment:7 by , 16 years ago
| Milestone: | next-minor-0.12.x |
|---|



Quick patch for
trac/web/modpython_frontend.py