Defect #14446


Public project and "Use of uninitialized value $salt" error for empty username access via TortoiseSVN

Added by Иван Бухтияров about 11 years ago. Updated about 9 years ago.

SCM extra

I installed a new version of Redmine on my Ubuntu server a couple of days ago. I properly configured Apache so that Subversion works correctly with Redmine. I created a public project. But when I try to commit some files to this project without entering a username (it is simply empty) in the TortoiseSVN dialog on my local machine, I get the following error:

Error: Commit failed (details follow):
Error: Server sent unexpected return value (500 Internal Server Error) in response to
Error: MKACTIVITY request for '/svn/mmm/!svn/act/008182d9-97ee-2740-9a75-5c734c292d4c' ".

The following line appears in Apache's error.log:

Use of uninitialized value $salt in concatenation (.) or string at line 471

This line from is:

my $salted_password = Digest::SHA::sha1_hex($salt.$pass_digest);

If I uncheck "Public" for this project, everything is OK. In this case TortoiseSVN lets me authenticate repeatedly in SVN from one dialog window (if I enter empty or incorrect credentials).
What is the problem?


catch_empty_auth_fields.patch (491 Bytes) Florian Schmidt, 2015-05-19 13:34
#1

Updated by Johannes Wienke over 9 years ago

This bug still exists in recent Redmine versions and can also be triggered with git.

In case you use a .netrc file for authentication and omit the login fragment for the host, you end up in the exact same situation.

From a brief look at the source code, I see two things:
  1. authen_handler needs to ensure that $r->user is not empty
  2. is_member needs to shield against empty values
#2

Updated by Wim Bertels about 9 years ago

Feedback, redmine version 1.4.4

Anonymous checkouts of public projects over http(s):
  • svn: ok
  • git: nok
    • client error message
      error: RPC failed; result=22, HTTP code = 500
      fatal: The remote end hung up unexpectedly
    • server error message
      Use of uninitialized value $salt in concatenation (.) or string at /usr/lib/perl5/Apache/ line 358
#3

Updated by Florian Schmidt about 9 years ago

I ran into the same issue recently.

While the bug could be fixed by catching uninitialized return values in is_member(), I agree with what Johannes said: authen_handler() should already ensure that $r->user is not empty, and furthermore, it should probably also ensure $redmine_pass isn't empty, either. This is also strongly suggested by the authors of this O'Reilly book:

If the user has not yet authenticated, or pressed the submit button without filling out the dialog completely, one or both of these fields may be empty. In this case, we have to force the user to (re)authenticate

I just assumed they knew what they were talking about, and applied their approach to authen_handler in, and attached a patch. This fixes the crashing of, the resulting 500 Internal Server Error (on Apache), and simply re-requests credentials.

Caveat: I have a bit of experience with Perl, but no experience whatsoever with writing mod_perl modules. The patch seems quite straightforward, though.
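
The two guards discussed in this thread (reject empty credentials in the handler, and never build the salted digest from an undefined $salt), as an added stand-alone Perl sketch. It is not Redmine's code and not the attached patch; the user table, check_credentials and the 'ok'/'reauth' return values are hypothetical, and it assumes $pass_digest is the SHA-1 hex digest of the password.

```perl
# Added illustration; not Redmine's code and not the attached patch.
use strict;
use warnings FATAL => qw(uninitialized);   # make the logged warning a hard error
use Digest::SHA qw(sha1_hex);

# Constructed user store standing in for the database lookup (hypothetical data).
# Assumption: stored hash = sha1_hex(salt . sha1_hex(password)).
my %USERS = (
    alice => { salt => 'c0ffee', hash => sha1_hex('c0ffee' . sha1_hex('s3cret')) },
);

# Handler-level guard: empty or missing credentials mean "ask again".
sub check_credentials {
    my ($user, $pass) = @_;
    return 'reauth' unless defined $user && length $user;
    return 'reauth' unless defined $pass && length $pass;
    return is_member($user, $pass) ? 'ok' : 'reauth';
}

# Lookup-level guard: an unknown user yields no row, so there is no salt to read.
sub is_member {
    my ($user, $pass) = @_;
    my $row = $USERS{$user} or return 0;
    my ($salt, $hash) = @{$row}{qw(salt hash)};
    return 0 unless defined $salt && defined $hash;
    my $pass_digest     = sha1_hex($pass);
    my $salted_password = sha1_hex($salt . $pass_digest);
    return $salted_password eq $hash ? 1 : 0;
}

# Constructed inputs: [user, password, expected result].
my @cases = (
    [ '',      '',       'reauth' ],   # empty TortoiseSVN dialog
    [ undef,   's3cret', 'reauth' ],   # .netrc entry without a login
    [ 'alice', '',       'reauth' ],   # password left blank
    [ 'bob',   'x',      'reauth' ],   # no such user, so no salt
    [ 'alice', 'wrong',  'reauth' ],
    [ 'alice', 's3cret', 'ok'     ],
);
for my $c (@cases) {
    my ($user, $pass, $want) = @$c;
    my $got = check_credentials($user, $pass);
    printf "%-8s %-8s -> %-6s %s\n", $user // '(undef)', $pass // '(undef)',
        $got, $got eq $want ? 'as expected' : 'MISMATCH';
}
```

With both guards in place, none of the constructed cases reaches the concatenation with an undefined value, so the fatal "uninitialized" warning never fires.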

