Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#28202 closed Bug (fixed)

FieldListFilter.get_queryset() crashes if the queryset filtering raises ValueError

Reported by: CM Lubinski Owned by: Paulo
Component: contrib.admin Version: 1.11
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Malicious GET parameter can cause Django to crash in the admin screens.

Reproduction recipe:

  1. Setup Django 1.11.1, Postgres (I'm not sure the db matters) using Python 3.5 (though this may apply to other versions).
  2. Create an admin account & login.
  3. Hit /admin/auth/user/?groups__id__exact=sleep(10). See the error

Result will be similar to:

dev-api_1           | ERROR 2017-05-12 22:29:34,469 django.request       Internal Server Error: /admin/auth/user/
dev-api_1           | Traceback (most recent call last):
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/core/handlers/exception.py", line 41, in inner
dev-api_1           |     response = get_response(request)
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/core/handlers/base.py", line 187, in _get_response
dev-api_1           |     response = self.process_exception_by_middleware(e, request)
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/core/handlers/base.py", line 185, in _get_response
dev-api_1           |     response = wrapped_callback(request, *callback_args, **callback_kwargs)
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/options.py", line 551, in wrapper
dev-api_1           |     return self.admin_site.admin_view(view)(*args, **kwargs)
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/utils/decorators.py", line 149, in _wrapped_view
dev-api_1           |     response = view_func(request, *args, **kwargs)
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/views/decorators/cache.py", line 57, in _wrapped_view_func
dev-api_1           |     response = view_func(request, *args, **kwargs)
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/sites.py", line 224, in inner
dev-api_1           |     return view(request, *args, **kwargs)
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/utils/decorators.py", line 67, in _wrapper
dev-api_1           |     return bound_func(*args, **kwargs)
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/utils/decorators.py", line 149, in _wrapped_view
dev-api_1           |     response = view_func(request, *args, **kwargs)
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/utils/decorators.py", line 63, in bound_func
dev-api_1           |     return func.__get__(self, type(self))(*args2, **kwargs2)
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/options.py", line 1542, in changelist_view
dev-api_1           |     self.list_max_show_all, self.list_editable, self,
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/views/main.py", line 78, in __init__
dev-api_1           |     self.queryset = self.get_queryset(request)
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/views/main.py", line 322, in get_queryset
dev-api_1           |     new_qs = filter_spec.queryset(request, qs)
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/filters.py", line 137, in queryset
dev-api_1           |     return queryset.filter(**self.used_parameters)
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/query.py", line 782, in filter
dev-api_1           |     return self._filter_or_exclude(False, *args, **kwargs)
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/query.py", line 800, in _filter_or_exclude
dev-api_1           |     clone.query.add_q(Q(*args, **kwargs))
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py", line 1261, in add_q
dev-api_1           |     clause, _ = self._add_q(q_object, self.used_aliases)
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py", line 1287, in _add_q
dev-api_1           |     allow_joins=allow_joins, split_subq=split_subq,
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py", line 1221, in build_filter
dev-api_1           |     condition = self.build_lookup(lookups, col, value)
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py", line 1115, in build_lookup
dev-api_1           |     return final_lookup(lhs, rhs)
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/lookups.py", line 24, in __init__
dev-api_1           |     self.rhs = self.get_prep_lookup()
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/lookups.py", line 74, in get_prep_lookup
dev-api_1           |     return self.lhs.output_field.get_prep_value(self.rhs)
dev-api_1           |   File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/fields/__init__.py", line 962, in get_prep_value
dev-api_1           |     return int(value)
dev-api_1           | ValueError: invalid literal for int() with base 10: 'sleep(10)'

Change History (6)

comment:1 Changed 3 years ago by Ajoy Oommen

Triage Stage: UnreviewedAccepted

Not just sleep(10), the URL will fail on any non-number after ?groups__id__exact=.

comment:2 Changed 3 years ago by Paulo

Owner: changed from nobody to Paulo
Status: newassigned

Confirmed.
To reproduce, make sure there's a one or more groups in the db.

comment:3 Changed 3 years ago by Paulo

Has patch: set

comment:4 Changed 3 years ago by Tim Graham

Summary: 500 when using malicious GET parameter in adminFieldListFilter.get_queryset() crashes if the queryset filtering raises ValueError

comment:5 Changed 3 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assignedclosed

In 4ad2f862:

Fixed #28202 -- Fixed FieldListFilter.get_queryset() crash on invalid input.

comment:6 Changed 3 years ago by Tim Graham <timograham@…>

In a070794:

[1.11.x] Fixed #28202 -- Fixed FieldListFilter.get_queryset() crash on invalid input.

Backport of 4ad2f862844d35404e4798b3227517625210a72e from master

Note: See TracTickets for help on using tickets.
Back to Top