Opened 16 years ago
Closed 15 years ago
#11061 closed (fixed)
Malformed POST request causes TypeError in AdminSite.login()
| Field | Value |
|---|---|
| Reported by | Vladimir Dmitriev |
| Owned by | nobody |
| Component | contrib.admin |
| Version | dev |
| Severity | |
| Keywords | admin login |
| Cc | vldmit@… |
| Triage Stage | Ready for checkin |
| Has patch | yes |
| Needs documentation | no |
| Needs tests | no |
| Patch needs improvement | no |
| Easy pickings | no |
| UI/UX | no |
Description
I found that any visitor can cause a TypeError on a Django site with the contrib.admin application enabled. This can be done by sending a malformed authentication POST request without a username parameter but with LOGIN_FORM_KEY. This will cause the following exception in the AdminSite.login() function:

```
Traceback (most recent call last):
  File "/usr/local/lib/python2.5/site-packages/django/core/handlers/base.py", line 86, in get_response
    response = callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python2.5/site-packages/django/contrib/admin/sites.py", line 141, in root
    return self.login(request)
  File "/usr/local/lib/python2.5/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/usr/local/lib/python2.5/site-packages/django/contrib/admin/sites.py", line 244, in login
    if u'@' in username:
TypeError: argument of type 'NoneType' is not iterable
```
Although there is no security threat with this error, it makes Django incompatible with the McAfee SECURE service. McAfee performs a sort of stress testing by generating a lot of random requests with different URLs and form parameters, which causes ~20 Django error messages to appear in the mailbox each day.
I've created a tiny patch with a fix and a test. Affected versions: both trunk and 1.0.2
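The failure mode in the traceback, as an added illustration (not Django's code and not the attached patch): a stripped-down stand-in for the username handling in the login view, with the crashing form beside a hardened one. The dict `post` stands in for `request.POST`, the `LOGIN_FORM_KEY` value and the `lookup_by_*` return labels are assumptions made for the example, and it is written for Python 3 rather than the Python 2.5 in the traceback. The defender's point is that every field read from a request body must be validated before it reaches an operation that assumes a string; a missing field is a normal input, not an exceptional one.

```python
# Added example: not Django's code. `post` stands in for request.POST;
# LOGIN_FORM_KEY is a placeholder value chosen for this illustration.
LOGIN_FORM_KEY = "this_is_the_login_form"


def vulnerable_username_check(post):
    """Reproduces the crash from the ticket.

    dict.get() returns None when the 'username' field is absent, and
    `'@' in None` raises TypeError, so an unauthenticated request that
    omits one form field turns into a server-side 500 error report.
    """
    if LOGIN_FORM_KEY not in post:
        return "show_login_form"
    username = post.get("username", None)
    if "@" in username:  # TypeError when username is None
        return "lookup_by_email"
    return "lookup_by_username"


def hardened_username_check(post):
    """Treats a missing, non-string or blank username as a failed login.

    The request shape is attacker-controlled, so the code never lets a
    non-string reach the membership test; it answers with the same
    generic failure it would give for a wrong password.
    """
    if LOGIN_FORM_KEY not in post:
        return "show_login_form"
    username = post.get("username")
    if not isinstance(username, str) or not username.strip():
        return "login_failed"  # never raises, whatever the request contains
    if "@" in username:
        return "lookup_by_email"
    return "lookup_by_username"


def vulnerable_raises_on(post):
    """Return True if the unguarded version crashes on this request."""
    try:
        vulnerable_username_check(post)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request bodies: one well-formed, one missing 'username'.
    well_formed = {LOGIN_FORM_KEY: "1", "username": "alice", "password": "x"}
    malformed = {LOGIN_FORM_KEY: "1", "password": "x"}
    print(vulnerable_raises_on(well_formed), vulnerable_raises_on(malformed))
    print(hardened_username_check(malformed))
```

Running the block shows the unguarded version crashing only on the malformed body while the hardened version returns a login failure for it, which is also the behaviour a regression test for this ticket would pin down.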
Attachments (1)
Change History (3)
by , 16 years ago
| Field | Change |
|---|---|
| Attachment | adminsite.patch added |
comment:1 by , 15 years ago
| Field | Change |
|---|---|
| Triage Stage | Unreviewed → Ready for checkin |
comment:2 by , 15 years ago
| Field | Change |
|---|---|
| Resolution | → fixed |
| Status | new → closed |
Fixed in r11493, thanks.