#28202 closed Bug (fixed)
FieldListFilter.get_queryset() crashes if the queryset filtering raises ValueError
Reported by: | CM Lubinski | Owned by: | Paulo |
---|---|---|---|
Component: | contrib.admin | Version: | 1.11 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
A malicious GET parameter can cause Django to crash in the admin screens.
Reproduction recipe:
- Set up Django 1.11.1, Postgres (I'm not sure the db matters) using Python 3.5 (though this may apply to other versions).
- Create an admin account & log in.
- Hit /admin/auth/user/?groups__id__exact=sleep(10) and see the error.
Result will be similar to:
```
ERROR 2017-05-12 22:29:34,469 django.request Internal Server Error: /admin/auth/user/
Traceback (most recent call last):
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/core/handlers/exception.py", line 41, in inner
    response = get_response(request)
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/core/handlers/base.py", line 187, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/core/handlers/base.py", line 185, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/options.py", line 551, in wrapper
    return self.admin_site.admin_view(view)(*args, **kwargs)
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/utils/decorators.py", line 149, in _wrapped_view
    response = view_func(request, *args, **kwargs)
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/views/decorators/cache.py", line 57, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/sites.py", line 224, in inner
    return view(request, *args, **kwargs)
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/utils/decorators.py", line 67, in _wrapper
    return bound_func(*args, **kwargs)
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/utils/decorators.py", line 149, in _wrapped_view
    response = view_func(request, *args, **kwargs)
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/utils/decorators.py", line 63, in bound_func
    return func.__get__(self, type(self))(*args2, **kwargs2)
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/options.py", line 1542, in changelist_view
    self.list_max_show_all, self.list_editable, self,
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/views/main.py", line 78, in __init__
    self.queryset = self.get_queryset(request)
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/views/main.py", line 322, in get_queryset
    new_qs = filter_spec.queryset(request, qs)
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/contrib/admin/filters.py", line 137, in queryset
    return queryset.filter(**self.used_parameters)
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/query.py", line 782, in filter
    return self._filter_or_exclude(False, *args, **kwargs)
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/query.py", line 800, in _filter_or_exclude
    clone.query.add_q(Q(*args, **kwargs))
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py", line 1261, in add_q
    clause, _ = self._add_q(q_object, self.used_aliases)
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py", line 1287, in _add_q
    allow_joins=allow_joins, split_subq=split_subq,
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py", line 1221, in build_filter
    condition = self.build_lookup(lookups, col, value)
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/sql/query.py", line 1115, in build_lookup
    return final_lookup(lhs, rhs)
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/lookups.py", line 24, in __init__
    self.rhs = self.get_prep_lookup()
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/lookups.py", line 74, in get_prep_lookup
    return self.lhs.output_field.get_prep_value(self.rhs)
  File "/usr/src/app/.venv-dev/lib/python3.5/site-packages/django/db/models/fields/__init__.py", line 962, in get_prep_value
    return int(value)
ValueError: invalid literal for int() with base 10: 'sleep(10)'
```
Not just sleep(10): the URL will fail on any non-number after ?groups__id__exact=.
Change History (6)
comment:1 by , 8 years ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:2 by , 8 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
Confirmed.
To reproduce, make sure there are one or more groups in the db.
comment:4 by , 8 years ago
Summary: | 500 when using malicious GET parameter in admin → FieldListFilter.get_queryset() crashes if the queryset filtering raises ValueError |
---|
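The example below is added here and is not code from the ticket or from Django. It is a standalone Python model of the two code paths the traceback shows: FieldListFilter.queryset() passing raw GET parameters straight into a typed lookup, where int() rejects 'sleep(10)' and the ValueError escapes to the generic 500 handler, and the handling that fixes it, which mirrors the fix shipped for this ticket (catch the conversion error inside the filter and raise IncorrectLookupParameters, which changelist_view already turns into a redirect to ?e=1). The user rows, the FIELD_PREP table, the /admin/auth/user/ path and the names build_used_parameters, apply_lookups, filter_queryset_unfixed, filter_queryset_fixed and changelist_view are constructed for the demonstration and are not Django's.

```python
"""
Standalone model of the crash in this ticket and of the handling that fixes it.
Added example, not Django's code: the functions below are simplified stand-ins
for FieldListFilter.queryset() and ModelAdmin.changelist_view(), and the user
rows, field conversions and URL path are constructed for the demonstration.
"""
from urllib.parse import parse_qs, urlencode

# The admin changelist redirects to "?e=1" when a lookup parameter is rejected.
ERROR_FLAG = "e"

# Constructed sample data standing in for auth.User rows and their group ids.
USERS = [
    {"id": 1, "username": "alice", "groups": [1, 2]},
    {"id": 2, "username": "bob", "groups": [2]},
    {"id": 3, "username": "carol", "groups": []},
]

# Conversion applied to the right-hand side of each supported lookup.  For an
# integer column this is int(), which is exactly what raised in the traceback.
FIELD_PREP = {"groups__id": int}


class IncorrectLookupParameters(Exception):
    """Stand-in for django.contrib.admin.options.IncorrectLookupParameters."""


def build_used_parameters(query_string):
    """Collect {lookup: raw value} for the lookups this filter handles.

    Mirrors how the filter picks its own parameters out of request.GET: the
    raw string is kept as-is, so nothing has validated it yet."""
    used = {}
    for key, values in parse_qs(query_string, keep_blank_values=True).items():
        field_path, _, lookup_type = key.rpartition("__")
        if field_path in FIELD_PREP and lookup_type == "exact":
            used[key] = values[-1]
    return used


def apply_lookups(rows, used_parameters):
    """Apply the groups__id__exact lookup to the constructed rows.

    The conversion happens before any query is built, so a non-integer value
    never reaches the database: it raises ValueError right here."""
    result = list(rows)
    for key, raw in used_parameters.items():
        field_path = key.rpartition("__")[0]
        value = FIELD_PREP[field_path](raw)  # ValueError on 'sleep(10)'
        result = [r for r in result if value in r["groups"]]
    return result


def filter_queryset_unfixed(rows, used_parameters):
    """Django 1.11 behaviour as modelled: the ValueError escapes to the view."""
    return apply_lookups(rows, used_parameters)


def filter_queryset_fixed(rows, used_parameters):
    """Fixed behaviour: report a bad parameter as IncorrectLookupParameters."""
    try:
        return apply_lookups(rows, used_parameters)
    except (ValueError, TypeError) as exc:
        raise IncorrectLookupParameters(exc) from exc


def changelist_view(path, query_string, filter_queryset):
    """Model of changelist_view: 200 with rows, 302 to ?e=1 on a rejected
    lookup, and the generic 500 for anything the view does not handle."""
    try:
        rows = filter_queryset(USERS, build_used_parameters(query_string))
    except IncorrectLookupParameters:
        if ERROR_FLAG in parse_qs(query_string):
            # Already redirected once; render the error page instead of looping.
            return {"status": 200, "body": "Database error"}
        return {"status": 302, "location": path + "?" + urlencode({ERROR_FLAG: 1})}
    except Exception as exc:  # the unhandled path that produced the 500 in the ticket
        return {"status": 500, "body": "%s: %s" % (type(exc).__name__, exc)}
    return {"status": 200, "rows": [r["username"] for r in rows]}


if __name__ == "__main__":
    for qs in ("groups__id__exact=2", "groups__id__exact=sleep(10)"):
        print(qs, "unfixed ->", changelist_view("/admin/auth/user/", qs, filter_queryset_unfixed))
        print(qs, "fixed   ->", changelist_view("/admin/auth/user/", qs, filter_queryset_fixed))
```

Two things worth noting from the model. The value is rejected by int() in get_prep_value before a query is ever built, so the impact of the parameter the ticket calls malicious is a 500 for an already authenticated staff user, not a query reaching the database; any non-numeric value triggers it, as the reporter's follow-up says. The fix does not validate the parameter up front; it catches the conversion error at the boundary where the filter hands untrusted input to the ORM and converts it into the exception the changelist view already knows how to handle, so the redirect-to-?e=1 path covers every field type rather than just integers.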