Edgewall Software

Opened 16 years ago

Closed 12 years ago

Last modified 12 years ago

#2901 closed defect (invalid)

Apache crashes when used with modpython and LDAP authentication

Reported by: Emmanuel Blot Owned by: Emmanuel Blot
Priority: normal Milestone:
Component: web frontend/mod_python Version: devel
Severity: major Keywords: ldap
Cc: francois.pesce@… Branch:
Release Notes:
API Changes:
Internal Changes:


Since the introduction of the WSGI support in [2957], Apache server crashes when the following environment is used:

  • modpython (3.1.x, 3.2.x series)
  • python (2.3.x, 2.4.x)
  • LDAP authentication support (mod_auth_ldap, unrelated to the LdapPlugin)

The crash of the Apache thread occurs when the user authenticates, i.e. when she submits her password at the …/login URL.

The root cause is the LDAP authentication module:
It defines an extra environment variable AUTHENTICATE_UID, which may takes an invalid (null ?) value.

This value is retrieved in modpython/apache.py:build_cgi_env(req) and added to the CGI environment variable.
This dictionnary is then duplicated in trac/web/modpython_frontend.py:ModPythonGateway::__init__ using environ.duplicate() call.

When the duplicate() method attempts to duplicate the value of the AUTHENTICATE_UID key, it produces an invalid call which ends up in calling the libc strlen() function with an invalid parameter, and eventually crashes the current Apache thread.

I attach a patch against [3025] which discards this invalid key, but I guess the real fix up should be done in the modpython Apache module.

Attachments (2)

modpython.diff (913 bytes ) - added by Emmanuel Blot 16 years ago.
Quick patch for trac/web/modpython_frontend.py
patch-for-mod_auth_ldap.patch (484 bytes ) - added by francois.pesce@… 16 years ago.
Patch to avoid NULL value for env in mod_auth_ldap

Download all attachments as: .zip

Change History (9)

by Emmanuel Blot, 16 years ago

Attachment: modpython.diff added

Quick patch for trac/web/modpython_frontend.py

comment:1 by Emmanuel Blot, 16 years ago

Bug report submitted to Apache2 project: http://issues.apache.org/bugzilla/show_bug.cgi?id=39045

by francois.pesce@…, 16 years ago

Patch to avoid NULL value for env in mod_auth_ldap

comment:2 by francois.pesce@…, 16 years ago

Cc: francois.pesce@… added

If the problem comes from a NULL value in AUTHENTICATE_* environment variable, as I read in the apache bug report, this little patch may fix it.

comment:3 by Christian Boos, 15 years ago

Component: generalmod_python frontend
Keywords: ldap added
Milestone: 0.11
Owner: changed from Jonas Borgström to Emmanuel Blot

manu, can you take a look to check if attachment:modpython.diff is still relevant, and if yes, apply the patch?

in reply to:  3 comment:4 by Emmanuel Blot, 15 years ago

Replying to cboos:

manu, can you take a look to check if attachment:modpython.diff is still relevant, and if yes, apply the patch?

Sure. I will check it on monday, I don't use Apache @ home.

However, I wonder the actual cost of this patch: it is really a good idea to add a kludge in Trac core to circumvent an issue in an external component (mod_python) that triggers an error with a specific configuration (LDAP)?

comment:5 by techcon1@…, 14 years ago

I had this setup working for a week or so with Trac 10.4 before I switched to using TracCASPlugin for authentication.

I used these modules + configuration values, with a Win2003 AD server, and it worked fine:

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
<Location /path/to/project>
	Order Allow,Deny
	Allow from all
	AuthType Basic
	AuthName "Active Directory"
	AuthBasicProvider "ldap"
	AuthLDAPURL "ldap://server/OU=Users,DC=domain,DC=tld?samAccountName"
	Require valid-user
	AuthLDAPBindDN "binduser@domain.tld"
	AuthLDAPBindPassword "*********"
	AuthzLDAPAuthoritative Off

comment:6 by John Hampton, 12 years ago

Resolution: invalid
Status: newclosed

This appears to be fixed in apache, see https://issues.apache.org/bugzilla/show_bug.cgi?id=39045

I don't see any reason to apply the patch to Trac.

comment:7 by Christian Boos, 12 years ago

Milestone: next-minor-0.12.x

Modify Ticket

Change Properties
Set your email in Preferences
as closed The owner will remain Emmanuel Blot.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Emmanuel Blot to the specified user.

Add Comment

E-mail address and name can be saved in the Preferences .
Note: See TracTickets for help on using tickets.