Trac Cookie Revocation
Last week there was some spam posted to the WordPress core bug tracker. The accounts involved can easily have their access to WordPress.org blocked and their passwords changed to invalidate the cookies used to access the WordPress.org forums. This also stops them from logging into the bug tracker again. However, the trac_auth
cookie — the cookie that Trac uses to authenticate a browser to a particular user account after valid login details are provided — is not tied to a user’s password; instead the cookie stores a random string that can be verified against the auth_cookie
table in the Trac database. This means that until this cookie expires, when the user closes their browser or 10 days after initial sign-on, the spammer is able to remain authenticated to their WordPress.org profile on core.trac.wordpress.org and can continue to post their spam on the bug tracker.
So, because I was curious (and I had to find something to do other than revision for a machine learning test on Tuesday), I decided to write a short Trac plugin to allow a TRAC_ADMIN
user to revoke user cookies. The plugin registers a new administration panel and provides the HTML template for its display. The new panel is just a simple form with a single input for entering the target’s username. After the form is submitted the plugin handles the POST request to delete the row in the auth_cookie
table which matches the given name. On future requests to the Trac instance the value stored in the user’s trac_auth
cookie will no longer match an entry in the database and so the user will not be authenticated.
The code can be found on github. Currently the master branch and the 0.1 tag can be run with Trac versions greater than 0.12 whilst the develop branch contains a small update to make use of enhancements to the Trac database API in the unreleased Trac 0.13.
I found the process of writing a Trac plugin to be quite interesting and fun. Using my (basic) python knowledge again was a good experience too. I already have a project lined up which requires a Trac plugin to be developed, so this was also a nice, easy way to set up the necessary development environment in advance and get myself acquainted with the API.