Public project and Redmine.pm "Use of uninitialized value $salt" error for empty username access via TortoiseSVN
I installed a new version of Redmine on my Ubuntu server a couple of days ago. I properly configured Apache so that Subversion works correctly with Redmine. I created a public project. But when I try to commit some files to this project without entering a username (it is simply empty) in the TortoiseSVN dialog on my local machine, I get the following error:
Error: Commit failed (details follow):
Error: Server sent unexpected return value (500 Internal Server Error) in response to
Error: MKACTIVITY request for '/svn/mmm/!svn/act/008182d9-97ee-2740-9a75-5c734c292d4c' ".
The following line appears in Apache's error.log:
Use of uninitialized value $salt in concatenation (.) or string at line 471 Redmine.pm.
This line from Redmine.pm is:
my $salted_password = Digest::SHA::sha1_hex($salt.$pass_digest);
If I uncheck "Public" for this project, everything is OK. In this case TortoiseSVN lets me authenticate repeatedly in SVN from one dialog window (if I enter empty or incorrect credentials).
What is the problem?
#1 Updated by Johannes Wienke about 8 years ago
This bug still exists in recent redmine versions and can also be triggered with git.
In case you use a .netrc file for authentication and omit the login fragment for the host, you end up in the exact same situation.
Redmine.pm source code, I see two things:
- authen_handler needs to ensure that $r->user is not empty
- is_member needs to shield against empty values
#2 Updated by Wim Bertels over 7 years ago
Feedback, redmine version 1.4.4
Anonymous checkouts of public projects over http(s):
- svn: ok
- git: nok
  - client error message
    error: RPC failed; result=22, HTTP code = 500
    fatal: The remote end hung up unexpectedly
  - server error message
    Use of uninitialized value $salt in concatenation (.) or string at /usr/lib/perl5/Apache/Redmine.pm line 358
#3 Updated by Florian Schmidt over 7 years ago
- File catch_empty_auth_fields.patch added
I ran into the same issue recently.
While the bug could be fixed by catching uninitialized return values in is_member(), I agree with what Johannes said: authen_handler() should already ensure that $r->user is not empty, and furthermore, it should probably also ensure $redmine_pass isn't empty, either. This is also strongly suggested by the authors of this O'Reilly book:
If the user has not yet authenticated, or pressed the submit button without filling out the dialog completely, one or both of these fields may be empty. In this case, we have to force the user to (re)authenticate
I just assumed they knew what they were talking about, and applied their approach to authen_handler in Redmine.pm, and attached a patch. This fixes the crashing of Redmine.pm, the resulting 500 Internal Server Error (on Apache), and simply re-requests credentials.
Caveat: I have a bit of experience with Perl, but no experience whatsoever with writing mod_perl modules. The patch seems quite straightforward, though.
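
An added illustration of the two checks discussed in this thread (not code from Redmine.pm or from the attached patch): a stand-alone Perl sketch in which empty credentials are rejected at the handler level and the membership check never hashes with an undefined salt. The function names, the in-memory user table and its values are constructed for the example; the hash layout follows the line quoted from Redmine.pm, with $pass_digest assumed to be the SHA-1 hex digest of the password.

```perl
#!/usr/bin/perl
# Added illustration; not Redmine.pm code. All names here are hypothetical.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);

use constant { OK => 0, AUTH_REQUIRED => 401 };

# Constructed user table standing in for the users lookup:
# login => [ salt, sha1_hex(salt . sha1_hex(password)) ]
my %USERS = (
    alice => [ 'c0ffee', sha1_hex('c0ffee' . sha1_hex('s3cret')) ],
);

# Shielded membership check: no lookup and no hashing on empty input,
# and no hashing when the lookup finds no row, so $salt is never undef.
sub is_member {
    my ($login, $password) = @_;
    return 0 unless defined $login    && length $login;
    return 0 unless defined $password && length $password;
    my $row = $USERS{$login} or return 0;
    my ($salt, $stored) = @$row;
    return 0 unless defined $salt && defined $stored;
    return sha1_hex($salt . sha1_hex($password)) eq $stored ? 1 : 0;
}

# Handler-level check: an empty field means "ask again", not "evaluate".
sub authen {
    my ($user, $sent_pw) = @_;
    return AUTH_REQUIRED
        unless defined $user    && length $user
            && defined $sent_pw && length $sent_pw;
    return is_member($user, $sent_pw) ? OK : AUTH_REQUIRED;
}

# Constructed cases: the empty login from the client dialog, a missing
# login (undef), an unknown user, a wrong password and a correct one.
my @cases = (['', ''], [undef, 's3cret'], ['bob', 'x'],
             ['alice', 'nope'], ['alice', 's3cret']);
for my $c (@cases) {
    my ($u, $p) = @$c;
    printf "%-8s -> %s\n", defined $u ? "'$u'" : 'undef',
        (authen($u, $p) == OK) ? 'OK' : 'AUTH_REQUIRED';
}
```

Run under `use warnings`, none of the five cases emits an "uninitialized value" warning, and only the last one returns OK.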