Opened 5 years ago

Closed 5 years ago

#12154 closed (duplicate)

ModelChoiceField cleanup raises uncaught ValueError

Reported by: patrys
Owned by: nobody
Component: Forms
Version: 1.1
Severity:
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

If a user submits a non-integer value for a ModelChoiceField, Django tries to stick it into SQL and dies while trying to convert it to int().

Using an input fuzzer to test the forms resulted in me getting tens of "500 internal server error" emails.

Traceback (most recent call last):

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/forms/forms.py", line 120, in is_valid
   return self.is_bound and not bool(self.errors)

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/forms/forms.py", line 111, in _get_errors
   self.full_clean()

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/forms/forms.py", line 240, in full_clean
   value = field.clean(value)

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/forms/models.py", line 993, in clean
   value = self.queryset.get(**{key: value})

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/db/models/query.py", line 299, in get
   clone = self.filter(*args, **kwargs)

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/db/models/query.py", line 498, in filter
   return self._filter_or_exclude(False, *args, **kwargs)

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/db/models/query.py", line 516, in _filter_or_exclude
   clone.query.add_q(Q(*args, **kwargs))

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/db/models/sql/query.py", line 1675, in add_q
   can_reuse=used_aliases)

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/db/models/sql/query.py", line 1614, in add_filter
   connector)

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/db/models/sql/where.py", line 56, in add
   obj, params = obj.process(lookup_type, value)

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/db/models/sql/where.py", line 269, in process
   params = self.field.get_db_prep_lookup(lookup_type, value)

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/db/models/fields/__init__.py", line 210, in get_db_prep_lookup
   return [self.get_db_prep_value(value)]

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/db/models/fields/__init__.py", line 361, in get_db_prep_value
   return int(value)

ValueError: invalid literal for int() with base 10: '1234567890x'

Attachments (0)

Change History (1)

comment:1 Changed 5 years ago by mauve

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #9209
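
The failure mode in the ticket's traceback, as an added example that is neither Django's code nor part of the ticket: a pure-Python stand-in whose lookup coerces the submitted value with int(), as get_db_prep_value does in the last frame. FakeQuerySet, clean_unguarded, clean_guarded, outcome and the sample rows are hypothetical names and constructed data; the guarded variant is one way to turn the coercion error into a form error instead of a 500.

```python
class ValidationError(Exception):
    """Stand-in for a form validation error (shown to the user, no 500)."""

class DoesNotExist(Exception):
    """Stand-in for the model's DoesNotExist."""

class FakeQuerySet:
    """Hypothetical in-memory queryset; rows are constructed sample data."""
    def __init__(self, rows):
        self.rows = rows  # {pk: label}

    def get(self, **lookup):
        (key, value), = lookup.items()
        pk = int(value)  # same coercion as get_db_prep_value in the traceback
        try:
            return self.rows[pk]
        except KeyError:
            raise DoesNotExist(pk)

QS = FakeQuerySet({1: "alpha", 2: "beta"})

def clean_unguarded(value, queryset=QS):
    # Only a missing row counts as bad input; a coercion error escapes.
    try:
        return queryset.get(**{"pk": value})
    except DoesNotExist:
        raise ValidationError("invalid choice")

def clean_guarded(value, queryset=QS):
    # Coercion failures are bad input too, so report them the same way.
    try:
        return queryset.get(**{"pk": value})
    except (ValueError, TypeError, DoesNotExist):
        raise ValidationError("invalid choice")

def outcome(clean, value):
    """Classify what the request handler would see for one submitted value."""
    try:
        clean(value)
        return "valid"
    except ValidationError:
        return "form error"
    except Exception as exc:  # anything else would surface as a 500
        return "unhandled " + type(exc).__name__

if __name__ == "__main__":
    # Constructed fuzz-style inputs, including the value from the traceback.
    for raw in ["1", "999", "1234567890x", "1.5", ["1"]]:
        print(repr(raw), outcome(clean_unguarded, raw), "|", outcome(clean_guarded, raw))
```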
