Context Navigation

← Previous Ticket
Next Ticket →

#22808 closed Bug (fixed)

ModelMultipleChoiceField does not properly check if value is valid

Reported by:	mattias.lindvall@…	Owned by:	Niclas Olofsson
Component:	Forms	Version:	1.6
Severity:	Normal	Keywords:	modelform, afraid-to-commit
Cc:	maxime.turcotte@…	Triage Stage:	Accepted
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	yes	UI/UX:	no

Description

ModelMultipleChoiceField does try to check if value is valid by doing a query here: https://github.com/django/django/blob/stable/1.6.x/django/forms/models.py#L1185

However, it only cathes ValueError, assuming that filter() is capable of even using the value.
If the value is a weird data type like list or dict, the call to filter throws TypeError.
ModelMultipleChoiceField.clean should catch TypeError, in addition to ValueError, on line 1187.

Here is gist with a complete minimal app that demonstrates how this can happen: https://gist.github.com/thnee/8e7c6b22f350582efe57/
Specifically the file: 4. views.py.

It is tested with 1.6.5, using 100% default settings in a clean test project.

Change History (9)

comment:1 by Maxime Turcotte, 11 years ago

Cc:	maxime.turcotte@… added

comment:2 by Maxime Turcotte, 11 years ago

Easy pickings:	set
Version:	1.5 → 1.6

comment:3 by Daniele Procida, 11 years ago

Keywords:	afraid-to-commit added

comment:4 by Baptiste Mispelon, 11 years ago

Triage Stage:	Unreviewed → Accepted

Hi,

Looking at django/forms/fields.py, it seems that there is precedent for catching (ValueError, TypeError) so I think it makes sense.

The same error seems to be present in ModelChoiceField so both should be fixed as part of this ticket.

Thanks.

comment:5 by anonymous, 11 years ago

Created pull request: https://github.com/django/django/pull/2813

comment:6 by Tim Graham, 11 years ago

Needs tests:	set

It needs a test (or tests). Please uncheck "Needs tests" if you can update it, thanks.

comment:7 by Niclas Olofsson, 11 years ago

Owner:	changed from nobody to Niclas Olofsson
Status:	new → assigned

Working on this during EP14 sprints.

Last edited 11 years ago by Niclas Olofsson (previous) (diff)

comment:8 by Niclas Olofsson, 11 years ago

Has patch:	set
Needs tests:	unset

New PR with the existing patch applied and including test cases.
https://github.com/django/django/pull/2964

comment:9 by Tim Graham <timograham@…>, 11 years ago

Resolution:	→ fixed
Status:	assigned → closed

In cdc25ac4747bf5a6cdc2e70461c2d43c54529d35:

Fixed #22808 -- Made ModelMultipleChoiceField validation more robust to invalid data types..

Thanks Mattias Lindvall for the report and inital patch.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues