Context Navigation

← Previous Ticket
Next Ticket →

Opened 15 years ago

Closed 15 years ago

#12154 closed (duplicate)

ModelChoiceField cleanup raises uncaught ValueError

Reported by:	Patryk Zawadzki	Owned by:	nobody
Component:	Forms	Version:	1.1
Severity:		Keywords:
Cc:		Triage Stage:	Unreviewed
Has patch:	no	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

If a user submits a non-integer value for a ModelChoiceField, Django tries to stick it into SQL and dies while trying to convert it to int().

Using an input fuzzer to test the forms resulted in me getting tens of "500 internal server error" emails.

Traceback (most recent call last):

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/forms/forms.py", line 120, in is_valid
   return self.is_bound and not bool(self.errors)

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/forms/forms.py", line 111, in _get_errors
   self.full_clean()

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/forms/forms.py", line 240, in full_clean
   value = field.clean(value)

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/forms/models.py", line 993, in clean
   value = self.queryset.get(**{key: value})

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/db/models/query.py", line 299, in get
   clone = self.filter(*args, **kwargs)

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/db/models/query.py", line 498, in filter
   return self._filter_or_exclude(False, *args, **kwargs)

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/db/models/query.py", line 516, in _filter_or_exclude
   clone.query.add_q(Q(*args, **kwargs))

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/db/models/sql/query.py", line 1675, in add_q
   can_reuse=used_aliases)

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/db/models/sql/query.py", line 1614, in add_filter
   connector)

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/db/models/sql/where.py", line 56, in add
   obj, params = obj.process(lookup_type, value)

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/db/models/sql/where.py", line 269, in process
   params = self.field.get_db_prep_lookup(lookup_type, value)

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/db/models/fields/__init__.py", line 210, in get_db_prep_lookup
   return [self.get_db_prep_value(value)]

 File "/usr/lib/python2.6/site-packages/Django-1.1-py2.6.egg/django/db/models/fields/__init__.py", line 361, in get_db_prep_value
   return int(value)

ValueError: invalid literal for int() with base 10: '1234567890x'

Change History (1)

comment:1 by mauve, 15 years ago

Resolution:	→ duplicate
Status:	new → closed

Duplicate of #9209

Note: See TracTickets for help on using tickets.

Download in other formats: