[tor-bugs] #10690 [Trac]: Trac error on password change
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jan 21 20:57:47 UTC 2014
#10690: Trac error on password change
-------------------------------------------------+-------------------------
Reporter: GITNE | Owner: erinn
Type: defect | Status: new
Priority: critical | Milestone:
Component: Trac | Version:
Keywords: trac password change SQL error python security | Actual Points:
| Points:
Parent ID: |
-------------------------------------------------+-------------------------
Trac causes this error when trying to change my password:
{{{
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/trac/web/api.py", line 514, in send_error
    data, 'text/html')
  File "/usr/lib/python2.7/dist-packages/trac/web/chrome.py", line 976, in render_template
    data = self.populate_data(req, data)
  File "/usr/lib/python2.7/dist-packages/trac/web/chrome.py", line 882, in populate_data
    'context': web_context(req) if req else None,
  File "/usr/lib/python2.7/dist-packages/trac/web/chrome.py", line 292, in web_context
    perm = req.perm
  File "/usr/lib/python2.7/dist-packages/trac/web/api.py", line 316, in __getattr__
    value = self.callbacks[name](self)
  File "/usr/lib/python2.7/dist-packages/trac/web/main.py", line 264, in _get_perm
    return PermissionCache(self.env, self.authenticate(req))
  File "/usr/lib/python2.7/dist-packages/trac/web/main.py", line 135, in authenticate
    authname = authenticator.authenticate(req)
  File "build/bdist.linux-x86_64/egg/acct_mgr/util.py", line 82, in wrap
    return func(self, *args, **kwds)
  File "build/bdist.linux-x86_64/egg/acct_mgr/web_ui.py", line 374, in authenticate
    return auth.LoginModule.authenticate(self, req)
  File "/usr/lib/python2.7/dist-packages/trac/web/auth.py", line 91, in authenticate
    req.incookie['trac_auth'])
  File "build/bdist.linux-x86_64/egg/acct_mgr/web_ui.py", line 448, in _get_name_for_cookie
    name = auth.LoginModule._get_name_for_cookie(self, req, cookie)
  File "/usr/lib/python2.7/dist-packages/trac/web/auth.py", line 238, in _get_name_for_cookie
    name = self._cookie_to_name(req, cookie)
  File "/usr/lib/python2.7/dist-packages/trac/web/auth.py", line 234, in _cookie_to_name
    for name, in self.env.db_query(sql, args):
  File "/usr/lib/python2.7/dist-packages/trac/db/api.py", line 122, in execute
    return db.execute(query, params)
  File "/usr/lib/python2.7/dist-packages/trac/db/util.py", line 121, in execute
    cursor.execute(query, params)
  File "/usr/lib/python2.7/dist-packages/trac/db/util.py", line 65, in execute
    return self.cursor.execute(sql_escape_percent(sql), args)
InternalError: current transaction is aborted, commands ignored until end of transaction block
}}}
Supposedly, some characters in the new password are trickling down to the
SQL level where the SQL statement responsible for setting the password has
not been authored correctly. This may pose a potential '''security'''
hole.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10690>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
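
Added example, not part of the original ticket and not Trac or AccountManager code: the kind of defect the report hypothesizes (password characters reaching the SQL text) next to the bound-parameter form. It assumes a hypothetical `users` table and uses an in-memory SQLite database as a stand-in for the real backend; all names and the sample password are constructed.

```python
import sqlite3


def make_db():
    # Hypothetical schema for illustration. A real account store keeps a
    # salted hash; plain text is used here only to make the effect visible.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'old'), ('bob', 'old')")
    db.commit()
    return db


def set_password_concat(db, name, new_pw):
    # Flawed form: the password becomes part of the statement text, so a
    # character such as an apostrophe changes how the statement is parsed.
    sql = "UPDATE users SET pw = '%s' WHERE name = '%s'" % (new_pw, name)
    try:
        db.execute(sql)
        db.commit()
        return "ok"
    except sqlite3.Error as exc:
        db.rollback()  # do not leave a failed transaction open
        return "error: %s" % exc


def set_password_param(db, name, new_pw):
    # Corrected form: values are bound by the driver and never parsed as SQL.
    db.execute("UPDATE users SET pw = ? WHERE name = ?", (new_pw, name))
    db.commit()
    return "ok"


def stored_pw(db, name):
    row = db.execute("SELECT pw FROM users WHERE name = ?", (name,)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_db()
    sample = "it's-a-passphrase"  # constructed sample containing an apostrophe
    print("concatenated:", set_password_concat(db, "alice", sample))
    print("stored after failure:", stored_pw(db, "alice"))
    print("parameterized:", set_password_param(db, "alice", sample))
    print("stored after success:", stored_pw(db, "alice"))
```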