Apache crashes when used with modpython and LDAP authentication

[eblot]

Since the introduction of the WSGI support in [2957], Apache server crashes when the following environment is used:

• modpython (3.1.x, 3.2.x series)
• python (2.3.x, 2.4.x)
• LDAP authentication support (mod_auth_ldap, unrelated to the LdapPlugin)

The crash of the Apache thread occurs when the user authenticates, i.e. when she submits her password at the .../login URL.

The root cause is the LDAP authentication module:
It defines an extra environment variable AUTHENTICATE_UID, which may takes an invalid (null ?) value.

This value is retrieved in modpython/apache.py:build_cgi_env(req) and added to the CGI environment variable.
This dictionnary is then duplicated in trac/web/modpython_frontend.py:ModPythonGateway::__init__ using environ.duplicate() call.

When the duplicate() method attempts to duplicate the value of the AUTHENTICATE_UID key, it produces an invalid call which ends up in calling the libc strlen() function with an invalid parameter, and eventually crashes the current Apache thread.

I attach a patch against [3025] which discards this invalid key, but I guess the real fix up should be done in the modpython Apache module.

[eblot]

Quick patch for trac/web/modpython_frontend.py

[eblot]

Bug report submitted to Apache2 project: http://issues.apache.org/bugzilla/show_bug.cgi?id=39045

[francois.pesce@…]

Patch to avoid NULL value for env in mod_auth_ldap

[francois.pesce@…]

If the problem comes from a NULL value in AUTHENTICATE_* environment variable, as I read in the apache bug report, this little patch may fix it.

[cboos]

manu, can you take a look to check if attachment:modpython.diff is still relevant, and if yes, apply the patch?

[eblot]

Replying to cboos:

manu, can you take a look to check if attachment:modpython.diff is still relevant, and if yes, apply the patch?

Sure. I will check it on monday, I don't use Apache @ home.

However, I wonder the actual cost of this patch: it is really a good idea to add a kludge in Trac core to circumvent an issue in an external component (mod_python) that triggers an error with a specific configuration (LDAP)?

[techcon1@…]

I had this setup working for a week or so with Trac 10.4 before I switched to using TracCASPlugin for authentication.

I used these modules + configuration values, with a Win2003 AD server, and it worked fine:

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
...
<Location /path/to/project>
	Order Allow,Deny
	Allow from all
	AuthType Basic
	AuthName "Active Directory"
	AuthBasicProvider "ldap"
	AuthLDAPURL "ldap://server/OU=Users,DC=domain,DC=tld?samAccountName"
	Require valid-user
	AuthLDAPBindDN "binduser@domain.tld"
	AuthLDAPBindPassword "*********"
	AuthzLDAPAuthoritative Off
</Location>