Opened 6 years ago

Closed 6 years ago

#11061 closed (fixed)

Malformed POST request causes TypeError in AdminSite.login()

Reported by: vvd Owned by: nobody
Component: contrib.admin Version: master
Severity: Keywords: admin login
Cc: vldmit@… Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

I found that any visitor can cause a TypeError on a Django site with the contrib.admin application enabled. This can be done by sending a malformed authentication POST request without the username parameter but with LOGIN_FORM_KEY. This will cause the following exception in the AdminSite.login() function:

Traceback (most recent call last):
  File "/usr/local/lib/python2.5/site-packages/django/core/handlers/base.py", line 86, in get_response
    response = callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python2.5/site-packages/django/contrib/admin/sites.py", line 141, in root
    return self.login(request)
  File "/usr/local/lib/python2.5/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/usr/local/lib/python2.5/site-packages/django/contrib/admin/sites.py", line 244, in login
    if u'@' in username:
TypeError: argument of type 'NoneType' is not iterable

Although there is no security threat with this error, it makes Django incompatible with the McAfee SECURE service. McAfee performs a sort of stress testing by generating a lot of random requests with different URLs and form parameters, which causes ~20 Django error messages to appear in the mailbox each day.

I've created a tiny patch with a fix and a test. Affected versions: both trunk and 1.0.2.
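The failure mode in the traceback, reproduced as an added example that is not part of the ticket, the attached patch, or Django itself. The two functions below stand in for the "login failed" branch of AdminSite.login(): one keeps the `'@' in username` test exactly as the traceback shows it, the other guards it against a missing parameter. The error strings, the `_fake_authenticate` stub, the value assumed for LOGIN_FORM_KEY and the POST bodies are all constructed for the example; the guarded variant is one possible fix, not the change committed in r11493.

```python
"""Reproduce the NoneType crash from the ticket without Django.

Added example, not Django's or the reporter's code. The functions mirror
the shape of the code in the traceback; everything else is a stand-in.
"""

# Stand-in messages; the real admin uses different wording.
ERROR_MESSAGE = "Please enter a correct username and password."
EMAIL_HINT = "Your e-mail address is not your username. Try your username instead."
# Assumed form-key name for the example; only the identifier appears in the ticket.
LOGIN_FORM_KEY = "this_is_the_login_form"


def _fake_authenticate(username, password):
    """Stand-in for django.contrib.auth.authenticate(): no credentials are
    valid here, so every call ends up in the "login failed" branch."""
    return None


def failure_message_unguarded(post):
    """Same pattern as the traceback: after a failed authenticate() the code
    asks whether '@' is in username without checking the parameter exists.
    post is a plain dict standing in for request.POST."""
    username = post.get("username", None)
    password = post.get("password", None)
    if _fake_authenticate(username, password) is None:
        if "@" in username:  # TypeError when the username parameter is absent
            return EMAIL_HINT
        return ERROR_MESSAGE
    return "ok"


def failure_message_guarded(post):
    """Hardened form (added here, not the committed fix): only run the
    string-membership test when a username was actually submitted."""
    username = post.get("username", None)
    password = post.get("password", None)
    if _fake_authenticate(username, password) is None:
        if username is not None and "@" in username:
            return EMAIL_HINT
        return ERROR_MESSAGE
    return "ok"


# Constructed POST bodies of the kind a parameter-fuzzing scanner sends:
# the login form key is present but the credential fields are not.
MALFORMED_POSTS = [
    {LOGIN_FORM_KEY: "1"},                                  # no username, no password
    {LOGIN_FORM_KEY: "1", "password": "x"},                 # no username
    {LOGIN_FORM_KEY: "1", "username": "", "password": ""},  # empty strings
    {LOGIN_FORM_KEY: "1", "username": "a@b.example"},       # e-mail-shaped username
]


def crashes(fn, post):
    """True if fn raises TypeError on this POST body, False otherwise."""
    try:
        fn(post)
    except TypeError:
        return True
    return False


def survey(fn):
    """For each constructed POST body, record whether fn crashes on it."""
    return [crashes(fn, p) for p in MALFORMED_POSTS]


if __name__ == "__main__":
    print("unguarded:", survey(failure_message_unguarded))
    print("guarded:  ", survey(failure_message_guarded))
```

Run stand-alone, the unguarded variant raises on the two bodies that omit `username` and the guarded variant returns the generic error for them, which is the behaviour a scanner-driven request should get: a normal login failure rather than a 500 and an error e-mail.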

Attachments (1)

adminsite.patch (1.9 KB) - added by vvd 6 years ago.


Change History (3)

Changed 6 years ago by vvd

comment:1 Changed 6 years ago by SmileyChris

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Ready for checkin

comment:2 Changed 6 years ago by lukeplant

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in r11493, thanks.
