Defect #16948

Broken anonymous repository access for public projects with Apache 2.4 (redmine.pm)

Added by Christian Günther over 3 years ago. Updated about 2 years ago.

Status: Closed
Start date:
Priority: High
Due date:
Assignee: Jean-Philippe Lang
% Done: 0%
Category: SCM extra
Target version: 2.6.9
Resolution: Fixed
Affected version: 2.5.1

Description

Hi there. I recently upgraded my Redmine from 2.3 to 2.5.1. Now I have the same problem described in this Stack Overflow post:

http://stackoverflow.com/questions/22638972/debug-apache-2-4-perlauthenhandler

Detailed: When my project is not public, everything works fine (authentication with subsequent git clone). But when my project is public (Authentication required is disabled), then I get the internal server error message 500. In my error log on the server the following message appears:

"AH00027: No authentication done but request not allowed without authentication for $PATH. Authentication not configured?" 

Before upgrading it was possible for me to clone a public repository without authentication. Why is it currently disabled?

Environment:
  Redmine version                2.5.1.stable
  Ruby version                   2.0.0-p457 (2014-03-03) [x86_64-linux-gnu]
  Rails version                  3.2.17
  Environment                    production
  Database adapter               Mysql2
SCM:
  Subversion                     1.8.8
  Git                            1.9.1
  Filesystem                     
Redmine plugins:
  redmine_embedded               0.0.2
  redmine_http_auth              0.3.0-dev
  redmine_mylyn_connector        2.8.2.stable
  redmine_scm                    0.4.2
  redmine_webdav                 0.6.0

0001-Set-user-to-empty-string-in-Redmine.pm-for-anonymous.patch (913 Bytes) Holger Just, 2015-11-24 14:50

Associated revisions

Revision 14883
Added by Jean-Philippe Lang about 2 years ago

Redmine.pm errors when cloning public project (#16948).

History

#1 Updated by Martin Denizet (redmine.org team member) over 3 years ago

I experienced the same problem with Ubuntu 14.04 (Apache 2.4).
Though the patch which consists in removing the "if" for anonymous access worked, I was not able to get Git Smart HTTP to work.

#2 Updated by Suppasit Chuwatsawat over 3 years ago

I have the same problem as Christian and Martin.
Has anybody solved this problem yet?

#3 Updated by nicholas tanner over 3 years ago

Same troubles here on different instances (all Ubuntu 14.04 64-bit) and also on a freshly installed test instance.

#4 Updated by Mark Anderson about 3 years ago

Am stuck here too - Ubuntu 14/Apache 2.4 combo, 2.5.1 Redmine

Can anyone clarify this - do I remove the whole "if" construct or somehow modify it? Removing it means NO handler will be set - is that the hack?

thanks folks!

Martin Denizet (redmine.org team member) wrote:

I experienced the same problem with Ubuntu 14.04 (Apache 2.4).
Though the patch which consists in removing the "if" for anonymous access worked, I was not able to get Git Smart HTTP to work.

#5 Updated by Martin Denizet (redmine.org team member) about 3 years ago

As far as I understand, the error occurs because there is no handler under certain settings. Removing the "if" removes the problem because then there is a handler every time.
I tried to make it work on my Ubuntu test VM hacking the Redmine.pm. I could not get Git Smart HTTP to work with Redmine.pm.
I would get a 404 error when trying to clone.
I will try again later if I have time.

#6 Updated by Jorge S. over 2 years ago

I have this also happening in 3.0.2

2 projects, none of them public. I get "abort: HTTP Error 500: Internal Server Error" when trying to clone.

If under Settings -> Authentication I set "Authentication required", then I would be prompted for credentials in the clone command.

#7 Updated by Cyber Gen over 2 years ago

I have discovered that when authentication fails, no matter if it's a public or private project, I always get a 500 error.

I do see a difference in the Apache log. When authentication is correct I see no lines in the log. When authentication fails I see this:

[Sat Aug 08 13:23:38.727989 2015] [authn_file:error] [pid 8989:tid 139932576245504] [client 192.168.192.100:52376] AH01619: AuthUserFile not specified in the configuration

I believe this to be a bug in the Redmine.pm file that doesn't return authentication when authentication fails.

#8 Updated by Cyber Gen over 2 years ago

I believe I have found a bug in the Redmine.pm file.

In sub access_handler, if authentication fails then OK is always returned even though no access is allowed to the project. It is somewhere in that region that the bug is located.

#9 Updated by Jonathan Tee over 2 years ago

Same error with Redmine 3.1 :-(

@Gen: AH01619: AuthUserFile not specified in the configuration
add

 AuthUserFile /dev/null

#10 Updated by Holger Just about 2 years ago

Using a StackOverflow answer, we at Planio have developed and tested a patch for this issue against current trunk, which I attached here.

The basic idea is that we forcefully set the username to an empty string if we directly return with an OK. This results in Apache understanding that we have verified the empty username.
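
The idea described in this comment, sketched as a standalone mod_perl 2 authentication handler. This is an added example, not the attached patch and not code from Redmine.pm. The module name `My::AnonRepoAuth`, the `/git/` URL prefix, the `PublicRepos` variable and the read-only method list are assumptions, and a Basic authentication provider is assumed to be configured for the same location.

```perl
package My::AnonRepoAuth;    # hypothetical module name
use strict;
use warnings;

use Apache2::RequestRec  ();    # $r->user, $r->method, $r->uri
use Apache2::RequestUtil ();    # $r->dir_config
use Apache2::Const -compile => qw(OK DECLINED);

# Assumed vhost configuration (constructed for this example):
#   <Location /git>
#     AuthType Basic
#     AuthName "Repositories"
#     Require valid-user
#     PerlAuthenHandler My::AnonRepoAuth
#     PerlSetVar PublicRepos "demo sandbox"
#   </Location>

# Methods treated as read-only here; any other method needs credentials.
my %READ_ONLY = map { $_ => 1 } qw(GET HEAD OPTIONS PROPFIND REPORT);

# True only for a read-only request to a repository named in PublicRepos.
# The repository name is taken as the first path segment after /git/.
sub is_public_read {
    my ($r) = @_;
    return 0 unless $READ_ONLY{ $r->method };
    my ($repo) = $r->uri =~ m{^/git/([A-Za-z0-9_.-]+)(?:/|$)} or return 0;
    my %public = map { $_ => 1 }
                 split ' ', ( $r->dir_config('PublicRepos') // '' );
    return $public{$repo} ? 1 : 0;
}

sub handler {
    my ($r) = @_;

    if ( is_public_read($r) ) {
        # Apache 2.4 logs AH00027 and answers 500 when the authentication
        # phase ends with OK but no user set. The empty string marks the
        # request as checked and accepted for the anonymous user.
        $r->user('');
        return Apache2::Const::OK;
    }

    # Private repository or write method: never reuse the anonymous path.
    # Declining hands the request to the Basic provider configured for
    # this location, which challenges for credentials.
    return Apache2::Const::DECLINED;
}

1;
```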

#11 Updated by Jean-Philippe Lang about 2 years ago

  • Subject changed from broken anonymous repository access for public projects (redmine.pm) to Broken anonymous repository access for public projects (redmine.pm)
  • Status changed from New to Resolved
  • Assignee set to Jean-Philippe Lang
  • Target version set to 3.1.3
  • Resolution set to Fixed

Thanks, I'm committing the patch but I don't see any changes to Redmine.pm between 2.3 and 2.5.1 that could cause this error.

Tests for the Perl module include a git clone on a public project without authentication (source:trunk/test/extra/redmine_pm/repository_git_test_pm.rb), and it passes. Maybe it's related to the Apache version; the tests run on Apache 2.2.

#12 Updated by Holger Just about 2 years ago

On Apache 2.2, this change is not necessary. It only becomes an issue on Apache 2.4 where they rather deeply changed how authentication works.

#13 Updated by Jean-Philippe Lang about 2 years ago

  • Subject changed from Broken anonymous repository access for public projects (redmine.pm) to Broken anonymous repository access for public projects with Apache 2.4 (redmine.pm)

Thanks for the clarification.

#14 Updated by Jean-Philippe Lang about 2 years ago

  • Target version changed from 3.1.3 to 2.6.9

#15 Updated by Jean-Philippe Lang about 2 years ago

  • Status changed from Resolved to Closed
