Regression #13757: Circular dependency issue in ``auth.inc``/``authgui.inc`` - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Plus - All Open Issues
24.11 Plus - Feedback Issues
24.11 Plus - Needs Attention/Work
24.11 Plus - New/Confirmed/In Progress Issues
24.11 Target - All Closed Issues
24.11 Target - All Open Issues
25.01 Plus - All Closed Issues
25.01 Plus - All Open Issues
25.01 Plus - Feedback Issues
25.01 Plus - Needs Attention/Work
25.01 Plus - New/Confirmed/In Progress Issues
25.01 Plus - Pull Request Review
25.01 Plus - Waiting on Merge
25.01 Target - All Closed Issues
25.01 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Regression #13757

closed

Circular dependency issue in ``auth.inc``/``authgui.inc``

Added by Jim Pingle almost 2 years ago. Updated almost 2 years ago.

Status:

Resolved

Priority:

Very High

Assignee:

Jim Pingle

Category:

Authentication

Target version:

2.7.0

Start date:

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

23.01

Release Notes:

Force Exclusion

Affected Version:

Affected Architecture:

Description

Some parts of auth.inc use a check for a function before doing some GUI-specific checks:

if (function_exists("display_error_form")) {

This function is defined in authgui.inc, but authgui.inc includes auth.inc before this function is defined.

I don't see how this could be working correctly unless something happened to include auth.inc twice.

The checks here used to work but perhaps something is behaving more appropriately in PHP 8.x which makes it (correctly) fail.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Jim Pingle almost 2 years ago

Looks like this may have broken in 746f30e3ce1ff39c226a73bf87c86dd370ef239c with the added includes changing the order in which things were initially loaded.

Moving the authgui.inc include up to the top of guiconfig.inc fixes the behavior, but it's still awkward.

Actions

Copy link

Updated by Jim Pingle almost 2 years ago

Status changed from New to Feedback
% Done changed from 0 to 100

Applied in changeset 2a24c162e0a8e69d176c54b5a7be09b23cb233f8.

Actions

Copy link

Updated by Jim Pingle almost 2 years ago

Status changed from Feedback to In Progress
% Done changed from 100 to 0

That fix attempt ended up not incomplete, it could break CSRF in certain cases.

Still experimenting and checking into alternative solutions.

Actions

Copy link

Updated by Jim Pingle almost 2 years ago

Draft MR: https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/984

At the moment the least disruptive way to correct the behavior is to hardcode the CSRF timeout so it is not read from the configuration, which allows us to reorder includes so that authgui.inc can load auth.inc first.

I'm still looking into alternate solution that will allow reading in the CSRF timeout value from the configuration but it's a tricky chicken-and-egg scenario it ends up in because loading config.inc loads in numerous other includes, but we can't load authgui before initializing CSRF because it can output things that need CSRF protection.

Actions

Copy link