id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
11061	Malformed POST request causes TypeError in AdminSite.login()	Vladimir Dmitriev	nobody	"I found that any visitor can cause a !TypeError on a Django site with the contrib.admin application enabled. This can be done by sending a malformed authentication POST request without the username parameter but with LOGIN_FORM_KEY. This will cause the following exception in the !AdminSite.login() function:

{{{
Traceback (most recent call last):

 File ""/usr/local/lib/python2.5/site-packages/django/core/handlers/base.py"", line 86, in get_response
   response = callback(request, *callback_args, **callback_kwargs)

 File ""/usr/local/lib/python2.5/site-packages/django/contrib/admin/sites.py"", line 141, in root
   return self.login(request)

 File ""/usr/local/lib/python2.5/site-packages/django/views/decorators/cache.py"", line 44, in _wrapped_view_func
   response = view_func(request, *args, **kwargs)

 File ""/usr/local/lib/python2.5/site-packages/django/contrib/admin/sites.py"", line 244, in login
   if u'@' in username:

TypeError: argument of type 'NoneType' is not iterable
}}}

Although there is no security threat with this error, it makes Django incompatible with the !McAfee SECURE service. !McAfee performs a sort of stress testing by generating a lot of random requests with different URLs and form parameters, which cause ~20 Django error messages to appear in the mailbox each day.


I've created a tiny patch with a fix and a test. Affected versions: both trunk and 1.0.2"		closed	contrib.admin	dev		fixed	admin login	vldmit@…	Ready for checkin	1	0	0	0	0	0
