Bug 28140 - UMC server crashes
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 3.0
Other Linux
: P3 normal
: UCS 3.1
Assigned To: Florian Best
Alexander Kläser
: interim-1
: 27883
Reported: 2012-08-03 11:42 CEST by Jascha Geerds
Modified: 2012-12-12 21:10 CET
Bug group (optional): Troubleshooting
Description Jascha Geerds univentionstaff 2012-08-03 11:42:59 CEST
If a request made via 'umc-command' is aborted with Ctrl-C, the server crashes. See:

# ps aux | grep '[u]nivention-management-console-server'
root     15063  9.6  1.2  22028 12820 ?        S    09:38   0:00 /usr/bin/python2.6 /usr/sbin/univention-management-console-server start

# umc-command -U Administrator -P univention "schoolwizards/schools/create" -o name=test
02.08.12 10:43:06.850  DEBUG_INIT
^CTraceback (most recent call last):
  File "/usr/sbin/umc-command", line 270, in <module>
    notifier.loop()
  File "/usr/lib/pymodules/python2.6/notifier/nf_generic.py", line 284, in loop
    step()
  File "/usr/lib/pymodules/python2.6/notifier/nf_generic.py", line 220, in step
    fds = __poll.poll( timeout )
KeyboardInterrupt

# ps aux | grep '[u]nivention-management-console-server'
Comment 1 Florian Best univentionstaff 2012-08-14 10:07:17 CEST
The client traceback doesn't help much; here is the server-side traceback:

Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 209, in <module>
    umc_daemon.do_action()
  File "/usr/lib/pymodules/python2.6/daemon/runner.py", line 186, in do_action
    func(self)
  File "/usr/lib/pymodules/python2.6/daemon/runner.py", line 131, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 192, in run
    notifier.loop()
  File "/usr/lib/pymodules/python2.6/notifier/nf_generic.py", line 284, in loop
    step()
  File "/usr/lib/pymodules/python2.6/notifier/nf_generic.py", line 271, in step
    not __sockets[ cond ][ fd ]( sock_obj ):
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/server.py", line 144, in _receive
    self.__states[ socket ].processor.shutdown()
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/session.py", line 218, in shutdown
    self.__processes[ module_name ].request( req )
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/client.py", line 254, in request
    if self._resend( sock ):
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/client.py", line 193, in _resend
    bytessent = sock.send( data )
socket.error: [Errno 107] Der Socket ist nicht verbunden
Comment 2 Florian Best univentionstaff 2012-08-14 10:28:59 CEST
Three errnos are caught; otherwise the exception is passed on if it is not EAGAIN.

Proposed patch:
Index: src/univention/management/console/protocol/client.py
===================================================================
--- src/univention/management/console/protocol/client.py        (Revision 34811)
+++ src/univention/management/console/protocol/client.py        (Arbeitskopie)
@@ -198,11 +198,12 @@
                                        else:
                                                del self.__resend_queue[sock][0]
                                except socket.error, e:
-                                       if e.errno in ( errno.ECONNABORTED, errno.EISCONN, errno.ENOEXEC ):
+                                       if e.errno in ( errno.ECONNABORTED, errno.EISCONN, errno.ENOEXEC, errno.ENOTCONN ):
                                                # Error may happen if module process died and server tries to send request at the same time
                                                # ECONNABORTED: connection reset by peer
                                                # EISCONN: socket not connected
                                                # ENOEXEC: bad file descriptor
+                                               # ENOTCONN: socket not connected
                                                CORE.info( 'Client: _resend: socket is damaged: %s' % str( e ) )
                                                self.signal_emit( 'closed' )
                                                return False
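Review bot: The added comment `# ENOTCONN: socket not connected` repeats word for word the description already attached to EISCONN two lines above it, and that existing description is the wrong one: EISCONN means the socket is already connected. The neighbouring comments have the same problem (ECONNABORTED is a locally aborted connection, "reset by peer" is ECONNRESET; ENOEXEC is an exec format error, "bad file descriptor" is EBADF). Since the tuple is being touched anyway, correct the comments or confirm whether ECONNRESET and EBADF were the codes actually meant, so the next reader can tell which failures this branch is supposed to absorb.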
Comment 3 Florian Best univentionstaff 2012-08-14 13:04:08 CEST
(In reply to comment #2)
> Proposed patch:
> …
True has to be returned there. Rather:
-                                       if e[0] != 11:
-                                               raise
-                                       return True
+                                       if e.errno in (errno.ENOTCONN, errno.EAGAIN):
+                                               return True
+                                       raise
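Review bot: ENOTCONN is now handled exactly like EAGAIN in `if e.errno in (errno.ENOTCONN, errno.EAGAIN):`, but the two conditions differ: EAGAIN is transient, while ENOTCONN does not clear on its own. If `True` tells the caller to keep the data queued and try again, a socket that is gone for good would be retried indefinitely. Please add a comment stating what `return True` means to the caller and log the ENOTCONN case so the disconnect is visible. Replacing the literal 11 with errno.EAGAIN is a good change.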
-------------------------------------------------------------------
Two further crashes of the UMC server can be caused as follows:
Specifying a non-iterable data type (e.g. integer) when querying ucr variables.
# umc-get -U Administrator -P univention ucr -e -o '1'

Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 209, in <module>
    umc_daemon.do_action()
  File "/usr/lib/pymodules/python2.6/daemon/runner.py", line 186, in do_action
    func(self)
  File "/usr/lib/pymodules/python2.6/daemon/runner.py", line 131, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 192, in run
    notifier.loop()
  File "/usr/lib/pymodules/python2.6/notifier/nf_generic.py", line 284, in loop
    step()
  File "/usr/lib/pymodules/python2.6/notifier/nf_generic.py", line 271, in step
    not __sockets[ cond ][ fd ]( sock_obj ):
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/server.py", line 163, in _receive
    self._handle( state, msg )
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/server.py", line 217, in _handle
    for value in msg.options:
TypeError: 'int' object is not iterable

------------------------------------------------------------
AUTH request without the username or password parameter, or when request.options is not a dict.

# ln -s /usr/sbin/univention-management-console-client /usr/sbin/umc-auth
# umc-auth -U Administrator -P univention
Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 209, in <module>
    umc_daemon.do_action()
  File "/usr/lib/pymodules/python2.6/daemon/runner.py", line 186, in do_action
    func(self)
  File "/usr/lib/pymodules/python2.6/daemon/runner.py", line 131, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 192, in run
    notifier.loop()
  File "/usr/lib/pymodules/python2.6/notifier/nf_generic.py", line 284, in loop
    step()
  File "/usr/lib/pymodules/python2.6/notifier/nf_generic.py", line 271, in step
    not __sockets[ cond ][ fd ]( sock_obj ):
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/server.py", line 163, in _receive
    self._handle( state, msg )
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/server.py", line 211, in _handle
    state.authenticate( msg.body[ 'username' ], msg.body[ 'password' ] )
KeyError: 'username'
Comment 4 Florian Best univentionstaff 2012-08-14 13:57:07 CEST
Another crash via syntax/verification

# umc-get -U Administrator -P univention syntax/verification -e -o '1'

Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 209, in <module>
    umc_daemon.do_action()
  File "/usr/lib/pymodules/python2.6/daemon/runner.py", line 186, in do_action
    func(self)
  File "/usr/lib/pymodules/python2.6/daemon/runner.py", line 131, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 192, in run
    notifier.loop()
  File "/usr/lib/pymodules/python2.6/notifier/nf_generic.py", line 284, in loop
    step()
  File "/usr/lib/pymodules/python2.6/notifier/nf_generic.py", line 271, in step
    not __sockets[ cond ][ fd ]( sock_obj ):
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/server.py", line 163, in _receive
    self._handle( state, msg )
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/server.py", line 270, in _handle
    state.processor.request( msg )
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/session.py", line 241, in request
    self.handle_request_get( msg )
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/session.py", line 349, in handle_request_get
    syntax_name = msg.options.get( 'syntax' )
AttributeError: 'int' object has no attribute 'get'
Comment 5 Florian Best univentionstaff 2012-08-14 14:00:00 CEST
Crash via /SET

# umc-set -U Administrator -P univention / -e -o '1'
Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 209, in <module>
    umc_daemon.do_action()
  File "/usr/lib/pymodules/python2.6/daemon/runner.py", line 186, in do_action
    func(self)
  File "/usr/lib/pymodules/python2.6/daemon/runner.py", line 131, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 192, in run
    notifier.loop()
  File "/usr/lib/pymodules/python2.6/notifier/nf_generic.py", line 284, in loop
    step()
  File "/usr/lib/pymodules/python2.6/notifier/nf_generic.py", line 271, in step
    not __sockets[ cond ][ fd ]( sock_obj ):
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/server.py", line 163, in _receive
    self._handle( state, msg )
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/server.py", line 270, in _handle
    state.processor.request( msg )
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/session.py", line 243, in request
    self.handle_request_set( msg )
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/session.py", line 384, in handle_request_set
    for key, value in msg.options.items():
AttributeError: 'int' object has no attribute 'items'
Comment 6 Florian Best univentionstaff 2012-08-14 15:21:50 CEST
The same in /upload as well:
# umc-upload -U Administrator -P univention '' -e -o '[1]'

Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 209, in <module>
    umc_daemon.do_action()
  File "/usr/lib/pymodules/python2.6/daemon/runner.py", line 186, in do_action
    func(self)
  File "/usr/lib/pymodules/python2.6/daemon/runner.py", line 131, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 192, in run
    notifier.loop()
  File "/usr/lib/pymodules/python2.6/notifier/nf_generic.py", line 284, in loop
    step()
  File "/usr/lib/pymodules/python2.6/notifier/nf_generic.py", line 271, in step
    not __sockets[ cond ][ fd ]( sock_obj ):
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/server.py", line 163, in _receive
    self._handle( state, msg )
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/server.py", line 270, in _handle
    state.processor.request( msg )
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/session.py", line 249, in request
    self.handle_request_upload( msg )
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/session.py", line 476, in handle_request_upload
    tmpfilename = file_obj[ 'tmpfile' ]
TypeError: 'int' object is unsubscriptable
Comment 7 Florian Best univentionstaff 2012-08-21 08:07:52 CEST
*** Bug 27883 has been marked as a duplicate of this bug. ***
Comment 8 Florian Best univentionstaff 2012-08-21 08:11:11 CEST
From Bug #27883 (In reply to comment #2)
> That leaves only this item open here:
> > * the uploader may still be vulnerable to a request with HTML code in the
> > "filename" parameter
An HTML escape should still be added around the "filename" + "name" parameters.
Comment 9 Florian Best univentionstaff 2012-08-21 09:56:36 CEST
Fixed in:
 univention-management-console (5.0.16-1) unstable; urgency=low
 .
   * fixed crashing of UMC-Server when client socket disconnects; Bug #28140
   * added validation of various requests which leads to crashing of UMC
        Server; Bug #28140
   * filename and name parameter for UMCP UPLOAD are now html encoded; Bug #27883
   * added catching of TypeError in IntegerSanitizer; Bug #27720

For QA:
The following commands should no longer crash the server:
umc-get -U Administrator -P univention ucr -e -o '1'
umc-get -U Administrator -P univention ucr -e -o '[1]'
umc-set -U Administrator -P univention '' -e -o '1'
umc-get -U Administrator -P univention syntax/verification -e -o '1'
umc-upload -U Administrator -P univention / -e -o '[1]'
umc-upload -U Administrator -P univention /  -e -o '[{}]'
ln -s /usr/sbin/univention-management-console-client /usr/sbin/umc-auth
umc-auth -U Administrator -P univention

In addition, it must be checked what happens when umc-command is aborted quickly (I don't know why exceptions with other enums are passed on but not caught any further; that makes little sense to me).

The upload parameters "name" + "filename" should be HTML-encoded:
touch '/var/tmp/univention-management-console-frontend/<>"'
umc-upload -U Administrator -P univention /  -e -o '[{"tmpfile":"/var/tmp/univention-management-console-frontend/<>\"", "name":"<>\"", "filename":"<>\""}]'
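
The request validation named in the changelog above, sketched as an added example: it is not the UMC code, and the validator table, function names and (status, result) tuples are assumptions. It is written for Python 3 rather than the Python 2.6 shown in the tracebacks.

```python
# Added example, not UMC code. The validator table and all names are hypothetical;
# payload shapes follow the tracebacks and QA commands in this thread.

def _strings(values):
    return all(isinstance(v, str) for v in values)

def check_auth(body):
    if not isinstance(body, dict):
        return "body must be a dict"
    if not _strings(body.get(k) for k in ("username", "password")):
        return "username and password must be strings"

def check_ucr_get(options):
    if not isinstance(options, list) or not _strings(options):
        return "options must be a list of strings"

def check_dict(options):
    if not isinstance(options, dict):
        return "options must be a dict"

def check_upload(options):
    if not isinstance(options, list):
        return "options must be a list"
    for file_obj in options:
        if not isinstance(file_obj, dict):
            return "each upload entry must be a dict"
        if not _strings(file_obj.get(k) for k in ("tmpfile", "filename", "name")):
            return "tmpfile, filename and name must be strings"

# (command, argument) -> validator; argument None matches any argument.
VALIDATORS = {
    ("AUTH", None): check_auth, ("SET", None): check_dict,
    ("UPLOAD", None): check_upload, ("GET", "ucr"): check_ucr_get,
    ("GET", "syntax/verification"): check_dict,
}

def handle(command, argument, payload, dispatch):
    """Return (status, result) without raising on a malformed payload."""
    check = VALIDATORS.get((command, argument)) or VALIDATORS.get((command, None))
    problem = check(payload) if check else "unsupported request"
    return ("error", problem) if problem else ("ok", dispatch(payload))

# Constructed payloads mirroring the QA commands in the thread.
QA_CASES = [("GET", "ucr", 1), ("GET", "ucr", [1]), ("SET", "", 1),
            ("GET", "syntax/verification", 1), ("UPLOAD", "/", [1]),
            ("UPLOAD", "/", [{}]), ("AUTH", "", {})]

def replay_qa_cases():
    return [handle(c, a, p, dispatch=len)[0] for c, a, p in QA_CASES]
```

Each malformed payload comes back as an error reply that can be sent to the one client that caused it, so the exception never reaches the shared `notifier.loop()` that serves every session.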
Comment 10 Alexander Kläser univentionstaff 2012-09-17 17:27:43 CEST
FYI, in client.py: # EAGAIN: ?

  os.strerror(errno.EAGAIN) → 'Resource temporarily unavailable'

Changelog → OK

(In reply to comment #9)
> ...
> For QA:
> The following commands should no longer crash the server:
> umc-get -U Administrator -P univention ucr -e -o '1'
> umc-get -U Administrator -P univention ucr -e -o '[1]'
> umc-set -U Administrator -P univention '' -e -o '1'
> umc-get -U Administrator -P univention syntax/verification -e -o '1'
> umc-upload -U Administrator -P univention / -e -o '[1]'
> umc-upload -U Administrator -P univention /  -e -o '[{}]'
> ln -s /usr/sbin/univention-management-console-client /usr/sbin/umc-auth
> umc-auth -U Administrator -P univention

→ OK

> In addition, it must be checked what happens when umc-command is aborted
> quickly (I don't know why exceptions with other enums are passed on but not
> caught any further; that makes little sense to me).

→ OK
 
> The upload parameters "name" + "filename" should be HTML-encoded:
> touch '/var/tmp/univention-management-console-frontend/<>"'
> umc-upload -U Administrator -P univention /  -e -o
> '[{"tmpfile":"/var/tmp/univention-management-console-frontend/<>\"",
> "name":"<>\"", "filename":"<>\""}]'

→ As discussed, please replace the characters "<" and ">" with "_" in the UMC web server instead of HTML-encoding them, since the encoding can potentially lead to side effects in the modules.
Comment 11 Florian Best univentionstaff 2012-09-17 17:40:50 CEST
univention-management-console (5.0.23-1)
univention-management-console-frontend (2.0.61-1)
Comment 12 Alexander Kläser univentionstaff 2012-09-18 14:06:58 CEST
(In reply to comment #10)
> ...
> → As discussed, please replace the characters "<" and ">" with "_" in the UMC
> web server instead of HTML-encoding them, since the encoding can potentially
> lead to side effects in the modules.

→ OK, the HTML-encoded characters are no longer there; "<" and ">" are converted by the web server.
Comment 13 Stefan Gohmann univentionstaff 2012-12-12 21:10:44 CET
UCS 3.1-0 has been released: 
 http://forum.univention.de/viewtopic.php?f=54&t=2125

If this error occurs again, please use "Clone This Bug".