[tor-bugs] #10690 [Trac]: Trac error on password change

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jan 21 20:57:47 UTC 2014 

#10690: Trac error on password change
-------------------------------------------------+-------------------------
 Reporter:  GITNE                                |          Owner:  erinn
     Type:  defect                               |         Status:  new
 Priority:  critical                             |      Milestone:
Component:  Trac                                 |        Version:
 Keywords:  trac password change SQL error       |  Actual Points:
  python security                                |         Points:
Parent ID:                                       |
-------------------------------------------------+-------------------------
 Trac causes this error when trying to change my password:

 {{{
 Traceback (most recent call last):
   File "/usr/lib/python2.7/dist-packages/trac/web/api.py", line 514, in
 send_error
     data, 'text/html')
   File "/usr/lib/python2.7/dist-packages/trac/web/chrome.py", line 976, in
 render_template
     data = self.populate_data(req, data)
   File "/usr/lib/python2.7/dist-packages/trac/web/chrome.py", line 882, in
 populate_data
     'context': web_context(req) if req else None,
   File "/usr/lib/python2.7/dist-packages/trac/web/chrome.py", line 292, in
 web_context
     perm = req.perm
   File "/usr/lib/python2.7/dist-packages/trac/web/api.py", line 316, in
 __getattr__
     value = self.callbacks[name](self)
   File "/usr/lib/python2.7/dist-packages/trac/web/main.py", line 264, in
 _get_perm
     return PermissionCache(self.env, self.authenticate(req))
   File "/usr/lib/python2.7/dist-packages/trac/web/main.py", line 135, in
 authenticate
     authname = authenticator.authenticate(req)
   File "build/bdist.linux-x86_64/egg/acct_mgr/util.py", line 82, in wrap
     return func(self, *args, **kwds)
   File "build/bdist.linux-x86_64/egg/acct_mgr/web_ui.py", line 374, in
 authenticate
     return auth.LoginModule.authenticate(self, req)
   File "/usr/lib/python2.7/dist-packages/trac/web/auth.py", line 91, in
 authenticate
     req.incookie['trac_auth'])
   File "build/bdist.linux-x86_64/egg/acct_mgr/web_ui.py", line 448, in
 _get_name_for_cookie
     name = auth.LoginModule._get_name_for_cookie(self, req, cookie)
   File "/usr/lib/python2.7/dist-packages/trac/web/auth.py", line 238, in
 _get_name_for_cookie
     name = self._cookie_to_name(req, cookie)
   File "/usr/lib/python2.7/dist-packages/trac/web/auth.py", line 234, in
 _cookie_to_name
     for name, in self.env.db_query(sql, args):
   File "/usr/lib/python2.7/dist-packages/trac/db/api.py", line 122, in
 execute
     return db.execute(query, params)
   File "/usr/lib/python2.7/dist-packages/trac/db/util.py", line 121, in
 execute
     cursor.execute(query, params)
   File "/usr/lib/python2.7/dist-packages/trac/db/util.py", line 65, in
 execute
     return self.cursor.execute(sql_escape_percent(sql), args)
 InternalError: current transaction is aborted, commands ignored until end
 of transaction block
 }}}

 Supposedly, some characters in the new password are trickling down to the
 SQL level where the SQL statement responsible for setting the password has
 not been authored correctly. This may pose a potential '''security'''
 hole.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10690>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list