Closed Bug 328108 Opened 19 years ago Closed 19 years ago

Unable to login on a fresh Bugzilla install using the login form on the home page

Categories

(Bugzilla :: Installation & Upgrading, defect)

Product:
Bugzilla
Component:
Installation & Upgrading
Version:
2.20.1
Type:
defect
Priority:
Not set
Severity:
blocker

Tracking

()

Status:
VERIFIED FIXED
Milestone:
Bugzilla 2.20

People

(Reporter: goobix, Assigned: LpSolit)

References

Details

(Keywords: regression)

Attachments

(2 files)

patch for 2.22 and tip, v1
1.08 KB, patch
myk
: review+
Details | Diff | Splinter Review
backport for 2.20.1, v1
824 bytes, patch
myk
: review+
Details | Diff | Splinter Review
Regression from bug 325079: The security patch modified the login form to use 'urlbase' for the login form. The checksetup.pl message, right after performing a clean install, says: vladd@bugzilla.org is now set up as an administrator account. Now that you have installed Bugzilla, you should visit the 'Parameters' page (linked in the footer of the Administrator account) to ensure it is set up as you wish - this includes setting the 'urlbase' option to the correct url. So I try to login with the admin account in order to set urlbase, but I'm redirected to http://you-havent-visited-editparams.cgi-yet/
Bug 325079 has several patches, some of them marked as obsolete. Nevertheless, they contain good ideas; probably we should select one of them as an alternative to using urlbase so early, in a pre-login stage. This impacts the 2.20 branch, so probably we'll want to release 2.20 again after fixing this one.
LpSolit noted that you can still login via the "Log In" link, but most people will probably try to login directly from the homepage, see that it's broken, and give up.
Assignee: administration → installation
Component: Administration → Installation & Upgrading
Flags: blocking2.22?
Flags: blocking2.20.2?
Version: unspecified → 2.20.1
i met this, too. not-override-upgrade though. i went editparam.cgi and it worked.
The right fix is to have an empty urlbase by default. This way, you at least have relative URLs till urlbase is fixed and so would still work, even with the login form on the homepage (I haven't tested though, but I'm pretty sure this would work). As it only affects the very first time you log in and that you can still either use the "Log In" link in the footer or go to editparams.cgi directly by entering it in the address bar, I don't think we need an emergency release. But I agree with vladd that we should release in the very near future, e.g. together with 2.22rc2/final. Our QA tests couldn't detect that because we don't do clean installs every time we run a test.
Flags: blocking2.22?
Flags: blocking2.22+
Flags: blocking2.20.2?
Flags: blocking2.20.2+
Note that there is actually a check for urlbase which doesn't let you clear the field. So probably we should hack this check.
Keywords: regression
Summary: Unable to login on a fresh Bugzilla install → Unable to login on a fresh Bugzilla install using the login form on the home page
Rather than using an invalid URL by default, better is to use no URL at all.
Assignee: installation → LpSolit
Status: NEW → ASSIGNED
Attachment #212664 - Flags: review?(vladd)
Attachment #212666 - Flags: review?(vladd)
Comment on attachment 212664 [details] [diff] [review] patch for 2.22 and tip, v1 >- if ($url !~ m:^http.*/$:) { >+ if ($url && $url !~ m:^http.*/$:) { urlbase should be mandatory; it's used in the emails as well.
(In reply to comment #8) > urlbase should be mandatory; it's used in the emails as well. > I don't think random URLs are better than no URL at all. At least, this doesn't break URLs which use Param('urlbase'), including emails.
> I don't think random URLs are better than no URL at all. At least, this doesn't > break URLs which use Param('urlbase'), including emails. oh, i agree that urlbase should be empty by default, however i feel that once you're editing the parameters leaving urlbase empty should throw an error. note that fixing bug 263340 would also help :)
(In reply to comment #10) > oh, i agree that urlbase should be empty by default, however i feel that once > you're editing the parameters leaving urlbase empty should throw an error. I thought about that too... but checking the "Reset" checkbox would throw this error because it would try to clear it.
Comment on attachment 212664 [details] [diff] [review] patch for 2.22 and tip, v1 vladd isn't around today, requestion wicked too...
Attachment #212664 - Flags: review?(wicked)
Attachment #212666 - Flags: review?(wicked)
(In reply to comment #12) > vladd isn't around today, requestion wicked too... I created a new word: requestion! requesting + question = requestion. :-D
Comment on attachment 212664 [details] [diff] [review] patch for 2.22 and tip, v1 This is adequate to fix the regression, but we should really ask the admin to provide a urlbase in checksetup.pl if it's required. Letting them load a page with many settings but then not letting them submit any change unless they make a specific change is bad, frustrating UI.
Attachment #212664 - Flags: review+
Attachment #212664 - Flags: review?(wicked)
Attachment #212664 - Flags: review?(vladd)
Attachment #212666 - Flags: review+
Attachment #212666 - Flags: review?(wicked)
Attachment #212666 - Flags: review?(vladd)
Flags: approval?
Flags: approval2.22?
Flags: approval2.20?
Flags: approval?
Flags: approval2.22?
Flags: approval2.22+
Flags: approval2.20?
Flags: approval2.20+
Flags: approval+
tip: Checking in Bugzilla/Config/Common.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Config/Common.pm,v <-- Common.pm new revision: 1.4; previous revision: 1.3 done Checking in Bugzilla/Config/Core.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Config/Core.pm,v <-- Core.pm new revision: 1.3; previous revision: 1.2 done 2.22rc1: Checking in Bugzilla/Config/Common.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Config/Common.pm,v <-- Common.pm new revision: 1.2.2.1; previous revision: 1.2 done Checking in Bugzilla/Config/Core.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Config/Core.pm,v <-- Core.pm new revision: 1.1.2.1; previous revision: 1.1 done 2.20.1: Checking in defparams.pl; /cvsroot/mozilla/webtools/bugzilla/Attic/defparams.pl,v <-- defparams.pl new revision: 1.160.2.5; previous revision: 1.160.2.4 done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
What are we doing about emails? The phoney URL we used on this originally was specifically because people ignore the directions, and it makes it obvious what they need to do to fix it. Now they'll get emails with unusable URLs in them and have no clue what to do about it. And you do realize that by committing this we've just reintroduced the security bug under the conditions that the admin hasn't set the param yet? I haven't backed this out yet, but it should be strongly considered.
Status: RESOLVED → REOPENED
Flags: approval2.22+
Flags: approval2.20+
Flags: approval+
Resolution: FIXED → ---
What we really need to do instead of backing this out is just make the admin enter the urlbase during the checksetup.pl script. I suppose that's another bug (we already have one on that, right?) but it'll be a priority now since without it we still have our security bug... I really hate to have to add stuff to the answers hash for scripted setup on branches though... stable branch means we don't change APIs, and that's a packager API...
Keywords: relnote
Ya know what, let's leave this. We should be able to expect the admin to do setup properly before telling people they should log in.
Status: REOPENED → RESOLVED
Closed: 19 years ago19 years ago
Flags: approval2.22+
Flags: approval2.20+
Flags: approval+
Resolution: --- → FIXED
*** Bug 334860 has been marked as a duplicate of this bug. ***
*** Bug 334860 has been marked as a duplicate of this bug. ***
*** Bug 334860 has been marked as a duplicate of this bug. ***
Flags: testcase?
Testopia testcase available at: http://landfill.bugzilla.org/bugzillaqa/tr_show_case.cgi?case_id=29
Status: RESOLVED → VERIFIED
Flags: testcase? → testcase+
Keywords: relnote
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: