﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
24319	UUIDField do not properly clean (validate) value in get_db_prep_value	David Fischer	nobody	"'''Use case''': Using user's input to retrieve a model from database.

'''Issue''': The UUIDField doesn't properly *clean* the input value, meaning the ORM will query the database even when the query value hasn't been cleaned. As the tracebacks below show, the malformed value reaches the database and surfaces as a backend-specific DataError instead of a ValueError raised before any query is issued.

'''System''': Ubuntu 14.04 LTS + PostgreSQL 9.3

'''Good''': User.objects.get(pk='ssss') -> ValueError
'''Bad''': Media.objects.get(pk='ssss') -> DataError

{{{
class Media(models.Model):
    pk = models.UUIDField()
}}}

{{{
>>> User.objects.get(pk='ssss')
Traceback (most recent call last):
  File ""<input>"", line 1, in <module>
  File ""venv/src/django/django/db/models/manager.py"", line 127, in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
  File ""venv/src/django/django/db/models/query.py"", line 320, in get
    clone = self.filter(*args, **kwargs)
  File ""venv/src/django/django/db/models/query.py"", line 671, in filter
    return self._filter_or_exclude(False, *args, **kwargs)
  File ""venv/src/django/django/db/models/query.py"", line 689, in _filter_or_exclude
    clone.query.add_q(Q(*args, **kwargs))
  File ""venv/src/django/django/db/models/sql/query.py"", line 1284, in add_q
    clause, require_inner = self._add_q(where_part, self.used_aliases)
  File ""venv/src/django/django/db/models/sql/query.py"", line 1311, in _add_q
    current_negated=current_negated, connector=connector, allow_joins=allow_joins)
  File ""venv/src/django/django/db/models/sql/query.py"", line 1183, in build_filter
    condition = self.build_lookup(lookups, col, value)
  File ""venv/src/django/django/db/models/sql/query.py"", line 1079, in build_lookup
    return final_lookup(lhs, rhs)
  File ""venv/src/django/django/db/models/lookups.py"", line 96, in __init__
    self.rhs = self.get_prep_lookup()
  File ""venv/src/django/django/db/models/lookups.py"", line 134, in get_prep_lookup
    return self.lhs.output_field.get_prep_lookup(self.lookup_name, self.rhs)
  File ""venv/src/django/django/db/models/fields/__init__.py"", line 716, in get_prep_lookup
    return self.get_prep_value(value)
  File ""venv/src/django/django/db/models/fields/__init__.py"", line 974, in get_prep_value
    return int(value)
ValueError: invalid literal for int() with base 10: 'ssss'

}}}

{{{
>>> Media.objects.get(pk='ssss')
Traceback (most recent call last):
  File ""<input>"", line 1, in <module>
  File ""venv/src/django/django/db/models/manager.py"", line 127, in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
  File ""venv/src/django/django/db/models/query.py"", line 326, in get
    num = len(clone)
  File ""venv/src/django/django/db/models/query.py"", line 145, in __len__
    self._fetch_all()
  File ""venv/src/django/django/db/models/query.py"", line 955, in _fetch_all
    self._result_cache = list(self.iterator())
  File ""venv/src/django/django/db/models/query.py"", line 239, in iterator
    results = compiler.execute_sql()
  File ""venv/src/django/django/db/models/sql/compiler.py"", line 826, in execute_sql
    cursor.execute(sql, params)
  File ""venv/src/django/django/db/backends/utils.py"", line 80, in execute
    return super(CursorDebugWrapper, self).execute(sql, params)
  File ""venv/src/django/django/db/backends/utils.py"", line 65, in execute
    return self.cursor.execute(sql, params)
  File ""venv/src/django/django/db/utils.py"", line 95, in __exit__
    six.reraise(dj_exc_type, dj_exc_value, traceback)
  File ""venv/src/django/django/utils/six.py"", line 658, in reraise
    raise value.with_traceback(tb)
  File ""venv/src/django/django/db/backends/utils.py"", line 65, in execute
    return self.cursor.execute(sql, params)
django.db.utils.DataError: invalid input syntax for uuid: ""ssss""
LINE 1: ...oudncode_media"" WHERE ""cloudncode_media"".""uuid"" = 'ssss' LIM...
}}}"	Bug	closed	Database layer (models, ORM)	1.8alpha1	Release blocker	fixed	clean,uuid		Ready for checkin	1	0	0	0	0	0
