Edgewall Software

Ticket #2570 (closed defect: fixed)

Opened 3 years ago

Last modified 6 months ago

internal error ("IntegrityError") when logging in after apache restart

Reported by: ssalmine@… Owned by: cmlenz
Priority: normal Milestone: 0.11
Component: general Version: 0.10.3
Severity: normal Keywords: debian php mhash mod_python mod_wsgi
Cc:

Description

Got following internal error when doing this:

  1. setup trac
  2. trying to login (pressing the login button)
  3. that didn't work - no login configured, so added basicauth to apache, and restarted it
  4. pressed login again

After trying again with new browser sessions things worked fine. 

Traceback (most recent call last):
  File "/usr/lib/python2.3/site-packages/trac/web/modpython_frontend.py", line 206, in handler
    dispatch_request(mpr.path_info, mpr, env)
  File "/usr/lib/python2.3/site-packages/trac/web/main.py", line 139, in dispatch_request
    dispatcher.dispatch(req)
  File "/usr/lib/python2.3/site-packages/trac/web/main.py", line 107, in dispatch
    resp = chosen_handler.process_request(req)
  File "/usr/lib/python2.3/site-packages/trac/web/auth.py", line 81, in process_request
    self._do_login(req)
  File "/usr/lib/python2.3/site-packages/trac/web/auth.py", line 117, in _do_login
    "VALUES (%s, %s, %s, %s)", (cookie, remote_user,
  File "/usr/lib/python2.3/site-packages/sqlite/main.py", line 255, in execute
    self.rs = self.con.db.execute(SQL % parms)
IntegrityError: columns cookie, ipnr, name are not unique

Attachments

hex_entropy_sha.diff (462 bytes) - added by cmlenz 6 months ago.
Patch to use SHA instead of MD5 in hex_entropy

Change History

Changed 2 years ago by sid

  • keywords needinfo added

So the error was generated after (4), but then it worked when you cleared your browser session cache?

Changed 19 months ago by prasana

  • version changed from 0.9 to 0.10.3

I am seeing a similar error - and didn't see any tickets that address it;

Traceback (most recent call last):

File "/var/lib/python-support/python2.4/trac/web/main.py", line 387, in dispatch_request

dispatcher.dispatch(req)

File "/var/lib/python-support/python2.4/trac/web/main.py", line 191, in dispatch

chosen_handler = self._pre_process_request(req, chosen_handler)

File "/var/lib/python-support/python2.4/trac/web/main.py", line 263, in _pre_process_request

chosen_handler = f.pre_process_request(req, chosen_handler)

File "/var/lib/python-support/python2.4/trac/versioncontrol/api.py", line 73, in pre_process_request

self.get_repository(req.authname) # triggers a sync if applicable

File "/var/lib/python-support/python2.4/trac/versioncontrol/api.py", line 101, in get_repository

repos = self._connector.get_repository(rtype, rdir, authname)

File "/var/lib/python-support/python2.4/trac/versioncontrol/svn_fs.py", line 260, in get_repository

crepos = CachedRepository?(self.env.get_db_cnx(), repos, None, self.log)

File "/var/lib/python-support/python2.4/trac/versioncontrol/cache.py", line 34, in init

self.sync()

File "/var/lib/python-support/python2.4/trac/versioncontrol/cache.py", line 100, in sync

(str(current_rev), path, kind, action,

File "/var/lib/python-support/python2.4/trac/db/util.py", line 50, in execute

return self.cursor.execute(sql_escape_percent(sql), args)

File "/var/lib/python-support/python2.4/trac/db/sqlite_backend.py", line 56, in execute

args or [])

File "/var/lib/python-support/python2.4/trac/db/sqlite_backend.py", line 48, in _rollback_on_error

return function(self, *args, **kwargs)

IntegrityError?: columns rev, path, change_type are not unique

Changed 19 months ago by prasana

needed a resync and that fixed the problem. fyi

Changed 15 months ago by sid

Did the resync fix your problem as well (original author)?

Changed 15 months ago by ssalmine

Sorry, can't recall.

Changed 15 months ago by sid

  • keywords needinfo removed
  • status changed from new to closed
  • resolution set to worksforme

Ahh, but it works then.

Changed 6 months ago by cmlenz

  • status changed from closed to reopened
  • resolution worksforme deleted

The error that was fixed by the resync was completely different, I don't think this issue is fixed as we're seeing it here with completely uptodate 0.11-stable.

Changed 6 months ago by cboos

  • milestone set to 0.11.1

So 0.11.1 or do you have a fix in mind for 0.11?

Changed 6 months ago by cmlenz

Marked #7096 as duplicate of this ticket.

I'll be looking into a fix because it annoys people here (including myself), don't know yet whether it would be possible to get into 0.11.

Changed 6 months ago by cmlenz

  • owner changed from jonas to cmlenz
  • status changed from reopened to new

Changed 6 months ago by cmlenz

  • status changed from new to assigned

Changed 6 months ago by cmlenz

I've added some logging to trac.web.auth, and this is what I saw: 

Removing login session with cookie <Morsel: trac_auth='00000000000000003e8bb9186df7a077'> for u'chris' 
Logging in 'chris' from '192.168.28.131' 
Generated random cookie value '0000000000000000750362a32dfadffd' for 'chris' 
Removing login session with cookie <Morsel: trac_auth='0000000000000000750362a32dfadffd'> for u'chris' 
Logging in 'chris' from '192.168.28.131' 
Generated random cookie value '0000000000000000750362a32dfadffd' for 'chris'

Note the duplicate "random" cookie values. Something's seriously wrong with the randomness here. I also don't understand why the first two bytes are 0. Running trac.util.hex_entropy from the Python shell on the same machine gives results where the first two bytes are not all 0.

This is on Debian Etch with Python 2.4.4 and mod_wsgi.

Changed 6 months ago by cmlenz

Oh btw, I removed the timestamps from the above output, but the two "Generated random cookie" messages are actually 6 seconds apart.

Changed 6 months ago by cmlenz

  • keywords debian php mhash mod_python mod_wsgi added

Okay, I found the culprit here: apparently there's some kind of silent conflict between the Python md5 module and PHP's mhash library. References:

Apparently the same problem exists with mod_wsgi:

It all boils down to a bug in Debian:

So… I'd suggest simply switching to sha for hex_entropy. It's a bit slower, but we're using it on very short random strings, so I think the difference should be negligible, especially as it's only used to generate auth cookies, session IDs, and form tokens which happens at most twice per request, and for most requests, never.

I'd normally suggest that Debian should clean up after this mess, but this problem is (a) hard to track down, (b) might not even show up that often, while Trac is silently generating supposedly unique enough secrets that are in fact totally insecure, and (c) it's very hard to work around when you really need PHP and Python running under Apache, via mod_python or mod_wsgi.

Changed 6 months ago by cmlenz

Patch to use SHA instead of MD5 in hex_entropy

Changed 6 months ago by jonas

Given the size of the patch I think would be both safe and a good idea to apply it. Even if the underlying issue is a vendor specific problem.

Changed 6 months ago by cmlenz

  • status changed from assigned to closed
  • resolution set to fixed
  • milestone changed from 0.11.1 to 0.11

Applied in [7192].

Add/Change #2570 (internal error ("IntegrityError") when logging in after apache restart)

Author



Change Properties
<Author field>
Action
as closed
Next status will be 'reopened'
to The owner will change from cmlenz. Next status will be 'closed'
 
Note: See TracTickets for help on using tickets.