#2901 closed defect (invalid)
Apache crashes when used with modpython and LDAP authentication
Reported by: | Emmanuel Blot | Owned by: | Emmanuel Blot |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | web frontend/mod_python | Version: | devel |
Severity: | major | Keywords: | ldap |
Cc: | francois.pesce@… | Branch: | |
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description
Since the introduction of the WSGI support in [2957], Apache server crashes when the following environment is used:
- modpython (3.1.x, 3.2.x series)
- python (2.3.x, 2.4.x)
- LDAP authentication support (mod_auth_ldap, unrelated to the LdapPlugin)
The crash of the Apache thread occurs when the user authenticates, i.e. when she submits her password at the …/login URL.
The root cause is the LDAP authentication module:
It defines an extra environment variable AUTHENTICATE_UID, which may take an invalid (null ?) value.
This value is retrieved in modpython/apache.py:build_cgi_env(req) and added to the CGI environment variable.
This dictionary is then duplicated in trac/web/modpython_frontend.py:ModPythonGateway::__init__ using the environ.duplicate() call.
When the duplicate() method attempts to duplicate the value of the AUTHENTICATE_UID key, it produces an invalid call which ends up in calling the libc strlen() function with an invalid parameter, and eventually crashes the current Apache thread.
I attach a patch against [3025] which discards this invalid key, but I guess the real fix up should be done in the modpython Apache module.
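The failure described above can be guarded in two places, where the variable is stored and where the table is copied. The following is an added C example, not code from Apache, mod_python or Trac: `struct table`, `table_set_checked` and `table_duplicate_skip_null` are hypothetical names modelling a string table, and the sample entries are constructed.

```c
/* Simplified model of a string table such as a request environment.
   All names are hypothetical; this is not Apache, mod_python or Trac code. */
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 16

struct entry { const char *key; const char *val; };
struct table { struct entry e[MAX_ENTRIES]; size_t n; };

/* Producer-side guard: never store a NULL key or value.
   Returns 1 if the pair was stored, 0 if it was rejected. */
int table_set_checked(struct table *t, const char *key, const char *val)
{
    if (key == NULL || val == NULL || t->n >= MAX_ENTRIES)
        return 0;
    size_t len = strlen(val) + 1;      /* safe: val was checked above */
    char *copy = malloc(len);
    if (copy == NULL)
        return 0;
    memcpy(copy, val, len);
    t->e[t->n].key = key;
    t->e[t->n].val = copy;
    t->n++;
    return 1;
}

/* Consumer-side guard: duplicate src into dst, discarding entries whose
   value is NULL instead of handing them to strlen().
   Returns the number of entries that were not copied. */
size_t table_duplicate_skip_null(const struct table *src, struct table *dst)
{
    size_t skipped = 0;
    dst->n = 0;
    for (size_t i = 0; i < src->n; i++) {
        if (!table_set_checked(dst, src->e[i].key, src->e[i].val))
            skipped++;
    }
    return skipped;
}

/* Constructed sample: an environment in which AUTHENTICATE_UID is NULL. */
size_t demo_copied_count(void)
{
    struct table src = { .e = { { "REMOTE_USER", "alice" },
                                { "AUTHENTICATE_UID", NULL },
                                { "REQUEST_METHOD", "POST" } }, .n = 3 };
    struct table dst;
    table_duplicate_skip_null(&src, &dst);
    return dst.n;   /* copies are not freed in this short demo */
}
```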
Attachments (2)
Change History (9)
by , 19 years ago
Attachment: | modpython.diff added |
---|
comment:1 by , 19 years ago
Bug report submitted to Apache2 project: http://issues.apache.org/bugzilla/show_bug.cgi?id=39045
by , 19 years ago
Attachment: | patch-for-mod_auth_ldap.patch added |
---|
Patch to avoid NULL value for env in mod_auth_ldap
comment:2 by , 19 years ago
Cc: | added |
---|
If the problem comes from a NULL value in AUTHENTICATE_* environment variable, as I read in the apache bug report, this little patch may fix it.
follow-up: 4 comment:3 by , 18 years ago
Component: | general → mod_python frontend |
---|---|
Keywords: | ldap added |
Milestone: | → 0.11 |
Owner: | changed from | to
manu, can you take a look to check if attachment:modpython.diff is still relevant, and if yes, apply the patch?
comment:4 by , 18 years ago
Replying to cboos:
manu, can you take a look to check if attachment:modpython.diff is still relevant, and if yes, apply the patch?
Sure. I will check it on Monday, I don't use Apache @ home.
However, I wonder about the actual cost of this patch: is it really a good idea to add a kludge in Trac core to circumvent an issue in an external component (mod_python) that triggers an error with a specific configuration (LDAP)?
comment:5 by , 17 years ago
I had this setup working for a week or so with Trac 10.4 before I switched to using TracCASPlugin for authentication.
I used these modules + configuration values, with a Win2003 AD server, and it worked fine:
```apache
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
...
<Location /path/to/project>
    Order Allow,Deny
    Allow from all
    AuthType Basic
    AuthName "Active Directory"
    AuthBasicProvider "ldap"
    AuthLDAPURL "ldap://server/OU=Users,DC=domain,DC=tld?samAccountName"
    Require valid-user
    AuthLDAPBindDN "binduser@domain.tld"
    AuthLDAPBindPassword "*********"
    AuthzLDAPAuthoritative Off
</Location>
```
comment:6 by , 15 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
This appears to be fixed in apache, see https://issues.apache.org/bugzilla/show_bug.cgi?id=39045
I don't see any reason to apply the patch to Trac.
comment:7 by , 15 years ago
Milestone: | next-minor-0.12.x |
---|
Quick patch for trac/web/modpython_frontend.py