Item772: Rare race condition in registration - damaged .htpasswd file
Priority: Normal
Current State: Closed
Released In:
Target Release: patch
Applies To: Engine
Component:
Branches:
This bug is copied over from
TWikibug:Item6147 and seems likely to be relevant for us.
Tim has maybe some code from an extension we can look at
-- Kenneth Lavrsen
The registration process has a race condition. Today the .htpasswd file of twiki.org got cut in half, stopping at K entries. We had two registrations at exactly the same time (names obfuscated) :
| 10 Dec 2008 - 10:29 | MattOne | register | Main.MattOne | matt@example.com | 1.2.3.4 |
| 10 Dec 2008 - 10:29 | MartinTwo | register | Main.MartinTwo | martin@example.com | 5.6.7.8 |
We need to add locking to the .htpasswd file update to prevent this (very rare) race condition.
(Fortunately I did a backup just 30 min earlier, so nothing was lost except for one user's passwd entry.)
-- TWiki:Main/PeterThoeny - 10 Dec 2008
FWIW, this was evident by inspection when I wrote X509Plugin.
It does the necessary locking, so you can take the code from there. (However, note that X509 stores a bit more in the file than the standared authentication code does.)
-- TWiki:Main.TimotheLitt - 11 Jan 2009
--
KennethLavrsen - 15 Jan 2009
There has been recent work on this - i forget the bug number - and I'm pretty sure it can be closed.
--
CrawfordCurrie - 29 Jun 2010
Agree - it is a duplicate that has been addressed both in 1.0.9 and again recently for 1.1.0 where we have hardened the code even further.
--
KennethLavrsen - 29 Jun 2010